Created March 13, 2012 21:14
Cookie-based authentication with nginx
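worker_processes 1;
error_log logs/error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Must be defined (not commented out) because access_log below refers to
    # the "main" format; nginx refuses to start on an unknown log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # Content server: serves content_html only when the client presents an
    # AUTH_COOKIE whose value names an existing token file.
    server {
        listen 8000;
        listen content.nginx:8000;
        server_name content.nginx;

        # Default to empty so the -f test below never reads an unset variable
        # (nginx logs a warning for uninitialized "set" variables).
        set $auth_cookie "";

        # Extract the AUTH_COOKIE value. Cookies in the Cookie header are
        # separated by ';', so the terminator must be ';' or end of string;
        # the original '(?:/|$)' only matched when AUTH_COOKIE was the last
        # cookie. The leading '(?:^|;\s*)' keeps e.g. XAUTH_COOKIE from
        # matching. The [a-z0-9]+ class is what makes the captured value safe
        # to use as a path component below: it cannot contain '/', '.' or '..'.
        if ($http_cookie ~* "(?:^|;\s*)AUTH_COOKIE=([a-z0-9]+)(?:;|$)") {
            set $auth_cookie $1;
        }

        # A token is valid only if a file of that name exists. An empty
        # $auth_cookie points at the directory itself, which fails -f, so a
        # missing cookie is sent to the auth server as well. An absolute URL
        # in rewrite makes nginx answer with a redirect.
        if (!-f /Users/username/nginx/cookies/$auth_cookie) {
            rewrite ^ http://auth.nginx:8000 break;
        }

        location / {
            root /Users/username/nginx/content_html;
            index index.html index.htm;
        }
    }

    # Auth server: static pages that issue the cookie / token.
    server {
        listen 8000;
        listen auth.nginx:8000;
        server_name auth.nginx;

        location / {
            root /Users/username/nginx/auth_html;
            index index.html index.htm;
        }
    }
}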
cadorn commented Nov 20, 2013

This "AUTH_COOKIE=([a-z0-9]+)(?:/|$)" should be "AUTH_COOKIE=([a-z0-9]+)(?:;|$)"

ninjix commented Nov 13, 2014

Very nice. Thanks for sharing.

Octolus commented May 8, 2015

Hey, what is ([a-z0-9]+)(?:/|$)?

# NOTE(review): the right-hand side of ~ is a regular expression that nginx
# compiles when the configuration is loaded; $SHA1Variable is presumably not
# expanded per request, which would explain why the match never succeeds —
# confirm against the rewrite-module documentation.
if ($http_cookie ~ "TechPulse_Firewall=$SHA1Variable") {
set $l7_protect 1;

For some reason this won't work for me, any idea? Apparently I can't put a variable inside there lol

timwelch commented Sep 13, 2018

Thanks for the gist! I modified it a bit to ensure that there were no illegal characters in the filename, i.e. I'm not sure what it would do (from a hacker's perspective) if the file name contained some sort of bash script or what-not. So this eliminates 'special' characters from the mix before getting to the "file test" operation. No idea how nginx would handle a badly malformed file name; best to err on the side of security...

  • EDIT: Modified the path to look for the cookie/token file. If you leave it at /etc/nginx/ there is perhaps a way for someone to set their cookie to nginx.conf or some other file that would exist. :-)
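# Validate first that AUTH_COOKIE does not have malicious characters in it...
# If we don't and then dip into the filesystem to test if the file exists, then
# we could be screwed / hacked. Safety first.
#
# Default to "not scrubbed" so an absent cookie is rejected and the variable is
# never read while uninitialized.
set $auth_cookie_scrubbed 0;

# Anchored match: the whole cookie value must be alphanumeric. Without ^ and $
# the pattern '([a-zA-Z0-9]+)' is satisfied by any value containing a single
# letter or digit, so a value that also carries '/' or '..' would still be
# marked as scrubbed and then used in the path below.
if ($cookie_AUTH_COOKIE ~ "^[a-zA-Z0-9]+$") {
   set $auth_cookie_scrubbed 1;
}

# nginx compares against the literal string: an unset variable is "" rather
# than "false", so the original '= false' test never fired. Test for the
# success value instead.
if ($auth_cookie_scrubbed != 1) {
   return 403;
}

# Only reached with a purely alphanumeric cookie value, so the path stays
# inside the tokens directory.
if (!-f /etc/nginx/tokens/$cookie_AUTH_COOKIE) {
   return 403;
}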

