Good fit for coarse auth at the edge (who is this? what tenant? basic scopes, and so on). I’d still keep object-level/domain rules in-app. Fail-closed for auth, fail-open for observability is the right mental model. Biggest multi-tenant footguns are header spoofing + tenant-unaware caching. The proxy should own identity headers and include tenant in any cache key.
Appreciate that! That exact failure mode is why I went with out-of-process agents. A bit like Envoy's ext_proc filter. Sentinel treats agents like separate services (timeouts, circuit-break-ish behavior, w/ explicit fail-open/fail-closed choice), so a crash/hang in WAF/auth shouldn’t take the data plane with it.
Out of curiosity: when the nginx module bit you, was it mainly crashes, memory leaks, or latency spikes under load?