Skip to content

Instantly share code, notes, and snippets.

@c33s
Forked from abbaspour/nginx.conf
Created February 8, 2022 14:22
Show Gist options
  • Save c33s/63b5d997f437d15c8678194786a67998 to your computer and use it in GitHub Desktop.
Save c33s/63b5d997f437d15c8678194786a67998 to your computer and use it in GitHub Desktop.
Guide how to enable JWT validation on open source nginx server using ngx-http-auth-jwt-module
brew install openssl jansson libjwt

wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxvf nginx-1.18.0.tar.gz

git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module

cd nginx-1.18.0/

brew link openssl # if running on Darwin, check for LDFLAGS and CPPFLAGS 

./configure --add-module=../ngx-http-auth-jwt-module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-ld-opt="-L/usr/local/opt/openssl/lib" \
    --with-cc-opt="-I/usr/local/opt/openssl/include"

make

Use jwks.sh to extrat x509 public key.

daemon off;
worker_processes 1;
error_log logs/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server {
# use https://github.com/abbaspour/auth0-bash/blob/master/discovery/jwks.sh to convert jwks.json to x509 PEM
auth_jwt_key "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6b54f+d2tINbpTwi1Hxw
1DlNagPwgfKsqBnCdqlXt40s5hyu/8SJieAiw2wlxLyX+nrxIV510ED1vyTr/ctC
nak8ZvtBfEYPRCfqT9kRYHaVA8MlRGLNURR/nk5u75LebEdtvcS4nu817xjaG2dO
rMZ5urlKQhgRzct1+IEmLMRhdBy6PfQCxXgbxh42Q2YxIXcIXK8UkQLZQ1MLG5Ji
EowVwp64dJuC7NF8IkywtbJoOfGVxRuRHqXxKOXEs9kthODNaMqVIgEqsSfFXlFN
GI6wKjEAcbXPCSEA+h50kz08aNIVvgNhPKK0+C/VKnYiYSV8HAo05XOOdbCo71dj
NQIDAQAB
-----END PUBLIC KEY-----";
auth_jwt_loginurl "https://app.localtest.me/login";
auth_jwt_enabled off;
auth_jwt_redirect on;
listen 3443 ssl http2;
server_name app.localtest.me;
access_log logs/access.log;
ssl_certificate cert.pem;
ssl_certificate_key key.pem;
location / {
proxy_pass http://127.0.0.1:3000;
}
location /api {
auth_jwt_enabled on;
auth_jwt_validation_type AUTHORIZATION;
#auth_jwt_validation_type COOKIE=x_auth_token;
auth_jwt_algorithm RS256;
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
#proxy_set_header Authorization "Bearer $cookie_x_auth_token";
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment