
I am running a set of NGINX proxies using basic browser authentication with the htpasswd file for users.

I have built a small application with Laravel that authenticates the user and presents them a list of links to these nginx proxies.

I am looking to update the nginx authentication to something like JWT tokens; however, I am not sure that would be secure enough without an API behind it to validate the actual token itself?

The other option I was thinking of was an LDAP solution, having both Laravel and the NGINX proxies use the LDAP authentication.

The apps that sit behind the nginx proxy do not have any authentication and we have 0 intention of adding any to them at this time.

PHELMS
  • Could you include "LDAP" more prominent, ideally, in the title? – gxx Oct 15 '17 at 22:33
  • I actually just implemented a JWT token and passed it for the first attempt to the proxy. From there the proxy session is authenticated as that user in the token for any subsequent requests. – PHELMS Oct 16 '17 at 04:08

2 Answers

Nginx includes the request auth module, which

implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the subrequest is considered an error.

For the 401 error, the client also receives the “WWW-Authenticate” header from the subrequest response.

Two possibilities come to my mind:

  • You could extend your existing Laravel application so that it would be possible to "link to it" from Nginx, which would take the user to a "Login" page, and, if authenticated, sends a "200 OK" response to Nginx.
  • You could check out first existing solutions, leveraging this technique, for example Nginx LDAP Auth.

Elaborating on the second answer:

  • If the account data is indeed stored in LDAP, you could write a script which is executed regularly via cron for example, which pulls the data out of LDAP and writes it into a htpasswd file to be read by Nginx.
gxx
  • Perfect! Exactly what I was looking for, didn't realize that was included in the free version of Nginx. – PHELMS Oct 15 '17 at 22:26
  • @PatrickHelms Great, glad to help! If you do implement this, and in case you write (additional) code, and it's not under an NDA or something similar: Could you send me a note with a small explanation, in case it's not obvious? My email is in my profile, and I'm curious every time how people use this module, because it's not widely known! Anyway: Good luck! – gxx Oct 15 '17 at 22:30
  • Haha it is actually for my seedbox! To aggregate the different software tools I use and make them linkable from one page. Currently using iframes and nginx proxy to the different localhost URLs to the outside world and linking them in a static site. But this will allow me to add a database to add new tool items (running with Docker) dynamically. – PHELMS Oct 15 '17 at 22:34
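
The subrequest pattern from the answer above, applied to the JWT idea in the question, as an added example that is not code from the post or from the Nginx project: the check that an `auth_request` target would run, answering 200, 401 or 403. Assumptions: an HS256 token signed with a key shared between the login app and this check, a hypothetical `apps` claim, the `/_auth` location, and the upstream addresses in the comment.

```python
import base64, hashlib, hmac, json, time

# nginx side (real ngx_http_auth_request_module directives; paths and ports are assumptions):
#   location /tool-a/ { auth_request /_auth; proxy_pass http://127.0.0.1:8001/; }
#   location = /_auth { internal; proxy_pass http://127.0.0.1:9000/check;
#                       proxy_pass_request_body off; proxy_set_header Content-Length "";
#                       proxy_set_header X-Original-URI $request_uri; }

KEY = b"constructed-demo-key"  # constructed; known only to the login app and this check

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims, key=KEY):
    """Issue a token, as the login app would after authenticating the user."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def auth_status(token, original_uri, key=KEY, now=None):
    """Status for the subrequest: 200 allow, 401 no valid login, 403 not this app."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return 401  # the token never gets to pick "none" or another algorithm
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return 401  # signature mismatch, compared in constant time
        claims = json.loads(b64d(body))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return 401  # expired tokens, and tokens with no expiry, are refused
        # "apps" is a hypothetical claim listing the proxied tools this user may open
        app = original_uri.partition("?")[0].split("/")[1]
        apps = claims.get("apps")
        return 200 if app and isinstance(apps, list) and app in apps else 403
    except (ValueError, TypeError, AttributeError, IndexError):
        return 401  # malformed input fails closed
```

The token is passed in as a string, so the same check works whether the proxy receives it in a cookie or in a header.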

Nginx doesn't have a built-in way to do this. It can only do htpasswd authentication and per-IP allow/deny rules.

Nginx Plus has a way to do this, and it's described in detail on the Nginx blog.