Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Cookie-based authentication with nginx
worker_processes 1;
error_log logs/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
server {
listen 8000;
listen content.nginx:8000;
server_name content.nginx;
if ($http_cookie ~* "AUTH_COOKIE=([a-z0-9]+)(?:/|$)") {
set $auth_cookie $1;
}
if (!-f /Users/username/nginx/cookies/$auth_cookie) {
rewrite ^ http://auth.nginx:8000 break;
}
location / {
root /Users/username/nginx/content_html;
index index.html index.htm;
}
}
server {
listen 8000;
listen auth.nginx:8000;
server_name auth.nginx;
location / {
root /Users/username/nginx/auth_html;
index index.html index.htm;
}
}
}
@NickSto

This comment has been minimized.

Copy link

@NickSto NickSto commented Oct 10, 2013

Hey thanks, this is a great workaround for the fact that I can't find a way to allow/deny access based on a cookie (that isn't hardcoded).

One note: couldn't you get the cookie value with just $cookie_AUTH_COOKIE and avoid the regex? Example: https://gist.github.com/NickSto/6920790

@cadorn

This comment has been minimized.

Copy link

@cadorn cadorn commented Nov 20, 2013

This "AUTH_COOKIE=([a-z0-9]+)(?:/|$)" should be "AUTH_COOKIE=([a-z0-9]+)(?:;|$)"

@ninjix

This comment has been minimized.

Copy link

@ninjix ninjix commented Nov 13, 2014

Very nice. Thanks for sharing.

@Octolus

This comment has been minimized.

Copy link

@Octolus Octolus commented May 8, 2015

Hey, what is ([a-z0-9]+)(?:/|$)?

if ($http_cookie ~ "TechPulse_Firewall=$SHA1Variable") {
set $l7_protect 1;
}

for some reason this wont work for me, any idea? apparantly i cant put a variable inside there lol

@timwelch

This comment has been minimized.

Copy link

@timwelch timwelch commented Sep 13, 2018

Thanks for the gist! I modified it a bit to ensure that there were no illegal characters in the filename. i.e. I'm not sure what it would do (from a hackers perspective) if the file contained some sort of bash script or what-not. So this eliminates 'special' characters from the mix before getting to the "file test" operation. No idea how nginx would handle a badly malformed file name, best to err on the side of security...

  • EDIT: Modified the path to look for the cookie/token file. If you leave it at /etc/nginx/ there is perhaps a way for someone to set their cookie to nginx.conf or some other file that would exist. :-)
# Validate first that AUTH_COOKIE does not have malicious characters in it...
# If we don't and then dip into the filesystem to test if the file exists, then
# we could be screwed / hacked. Safety first.
if ($cookie_AUTH_COOKIE ~ "([a-zA-Z0-9]+)") {
   set $auth_cookie_scrubbed 1;
}
if ($auth_cookie_scrubbed = false) {
   return 403;
}
if (!-f /etc/nginx/tokens/$cookie_AUTH_COOKIE) {
   return 403;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment