I was attempting to configure a few apps with APIs. Unfortunately securely passing key with something like a .env variable is problematic from a security standpoint. It seems to me that perhaps using a proxy server to pass the keys might be a better idea. I am currently running a Debian NGINX ISPconfig server and was wondering what is the best way to handle API keys and how to do it. NGINX proxy? php proxy? and will this work on a basic ISPconfig site?
I'm trying to set up a reverse proxy for WeatherAPI.com to hide the API key and bypass CORS on my subdomain weather.Mydomain.com (ISPConfig + NGINX on Debian)." My current NGINX directive block: location ^~ /api/weather/ { proxy_pass https://api.weatherapi.com; proxy_set_header Host api.weatherapi.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.2 TLSv1.3; proxy_ssl_verify off; proxy_buffering off; proxy_cache off; } Accessing /api/weather/v1/forecast.json?... gives 404 or 502. Direct curl to api.weatherapi.com works. My Goal is to get a Simple, reliable proxy to hide the key.
Made some progress by setting up: Sites > Redirect Redirect Type: Proxy Redirect Path: https://api.weatherapi.com set $weather_key My_API_Key; proxy_set_header key $weather_key; proxy_set_header Host api.weatherapi.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.2 TLSv1.3; proxy_ssl_verify off; But can not properly pass API key. API is returning: code 1002 message "API key is invalid or not provided."