evsinev/nginx-auth


Add user authentication for nginx location

Download


Step 1. Add the JitPack repository to your build file

Add it in your root settings.gradle at the end of repositories:

	dependencyResolutionManagement {
		repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
		repositories {
			mavenCentral()
			maven { url 'https://jitpack.io' }
		}
	}

Add it in your settings.gradle.kts at the end of repositories:

	dependencyResolutionManagement {
		repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
		repositories {
			mavenCentral()
			maven { url = uri("https://jitpack.io") }
		}
	}

Add to pom.xml

	<repositories>
		<repository>
		    <id>jitpack.io</id>
		    <url>https://jitpack.io</url>
		</repository>
	</repositories>

Add it in your build.sbt at the end of resolvers:

    resolvers += "jitpack" at "https://jitpack.io"

Add it in your project.clj at the end of repositories:

    :repositories [["jitpack" "https://jitpack.io"]]

Step 2. Add the dependency

Gradle:

	dependencies {
		implementation 'com.github.evsinev:nginx-auth:'
	}

Gradle (Kotlin DSL):

	dependencies {
		implementation("com.github.evsinev:nginx-auth:")
	}

Maven:

	<dependency>
	    <groupId>com.github.evsinev</groupId>
	    <artifactId>nginx-auth</artifactId>
	    <version></version>
	</dependency>

sbt:

    libraryDependencies += "com.github.evsinev" % "nginx-auth" % ""

Leiningen:

    :dependencies [[com.github.evsinev/nginx-auth ""]]

Readme


nginx-auth

Overview

nginx-auth is a Java-based authentication service that adds user authentication to nginx locations. It provides a secure way to protect your nginx-hosted web applications with username/password/OTP authentication.

Features

  • User authentication for nginx locations
  • Integration with LDAP for user management
  • Web server implementation using Jetty
  • Support for password change functionality
  • OTP

Nginx Configuration Examples

nginx using internal section

    location /auth {
        proxy_set_header Host              $host:$server_port;
        proxy_set_header x-Forwarded-proto $scheme;
        proxy_pass http://127.0.0.1:9091;
    }
    
    location /srvlog {
        proxy_set_header Host              $host:$server_port;
        proxy_set_header x-Forwarded-proto $scheme;
        proxy_pass http://127.0.0.1:9091;
    }
    
    location /internal-srvlog {
        proxy_set_header Host              $host:$server_port;
        proxy_set_header x-Forwarded-proto $scheme;
        
        internal;
        proxy_set_header nginx_location "/internal-srvlog";
        
        proxy_pass http://127.0.0.1:9091/srvlog;
    }
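
With this layout the backend is protected only if every location under `INTERNAL_PREFIX` carries the `internal;` directive: nginx refuses external requests to such a location and reaches it only through internal redirects such as `X-Accel-Redirect`. The check below is an added example, not part of the nginx-auth project; the sample config, the `/internal-metrics` location and the function names are constructed for illustration.

```python
import re

INTERNAL_PREFIX = "/internal-"  # default value from the environment table

# Constructed sample config: /internal-srvlog mirrors the README block,
# /internal-metrics (hypothetical) has its `internal;` commented out.
SAMPLE_CONF = """
location /srvlog {
    proxy_pass http://127.0.0.1:9091;
}
location /internal-srvlog {
    internal;
    proxy_set_header nginx_location "/internal-srvlog";
    proxy_pass http://127.0.0.1:9091/srvlog;
}
location /internal-metrics {
    # internal;
    proxy_pass http://127.0.0.1:9091/metrics;
}
"""

# Prefix and exact-match locations only; regex locations are not analysed.
LOCATION_RE = re.compile(r"\blocation\s+(?:(?:=|\^~)\s+)?(/\S*)\s*\{")
INTERNAL_RE = re.compile(r"(?:^|[;{}\s])internal\s*;")


def block_body(conf, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in nginx config")


def exposed_internal_locations(conf, prefix=INTERNAL_PREFIX):
    """List locations under prefix that lack an `internal;` directive."""
    # Drop '#' comments so a commented-out directive does not count.
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    exposed = []
    for m in LOCATION_RE.finditer(conf):
        body = block_body(conf, m.end() - 1)
        if m.group(1).startswith(prefix) and not INTERNAL_RE.search(body):
            exposed.append(m.group(1))
    return exposed
```

Run `exposed_internal_locations()` over the rendered server config in CI or before a reload; a non-empty result names locations that a client can request directly.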

nginx using auth_request

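    location /srvlog {
        proxy_pass http://127.0.0.1:9091;

        # auth_request takes a URI that nginx resolves as a subrequest, not a full URL
        auth_request            /nginx-auth-request-check;
        error_page              401 @error401;
    }

    location = /nginx-auth-request-check {
        internal;
        proxy_pass              http://127.0.0.1:9091/nginx-auth-request-check;
        # The check needs only the request headers, so the body is not forwarded
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    location @error401 {
      # In place of a 401 error, we rewrite to a 302 that shows the login page
      return 302 https://auth.example.com/?url=$scheme://$http_host$request_uri;
    }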

Environment variables

| Name                       | Default value              | Description                      |
|----------------------------|----------------------------|----------------------------------|
| TOKEN_COOKIE_NAME          | AUTH_TOKEN                 |                                  |
| TOKEN_COOKIE_ASSIGNED_NAME | AUTH_TOKEN_ASSIGNED        |                                  |
| BACK_URL_NAME              | back                       |                                  |
| AUTH_URL                   | /auth                      |                                  |
| INTERNAL_PREFIX            | /internal-                 |                                  |
| X_ACCEL_REDIRECT           | X-Accel-Redirect           |                                  |
| CONNECTOR_PORT             | 9091                       | Web server port                  |
| LDAP_URL                   | ldaps://localhost:636      | LDAP server url                  |
| LDAP_USERS_DN              | ou=users,dc=example,dc=com | LDAP Users DN                    |
| OTP_ENABLED                | true                       | Enable OTP                       |
| SECURE_COOKIE              | true                       | Enable secure cookies            |
| API_CHECK_ENABLED          | false                      | Enable /nginx-auth/api/check     |
| API_CHECK_TOKENS           |                            | Access tokens delimited by comma |