Here we extend our Multiple Static Upstreams example with middleware. Now Shield is more than just a simple proxy, it adds authentication enforcement to incoming requests so that neither example.com nor example.net need to implement their own authentication.
If any incoming request does not have the Auth-Key: secret_key
header, the client will receive a 403 Forbidden
response
or the 401 Unauthorized
response as appropriate, and Shield won’t forward the request to either upstream service.
For security purposes, you should limit connections to the upstream service to only incoming connections from Shield. Otherwise there’s nothing preventing an unauthenticated request being made directly against the upstream service.