http-auth-internal #

This Nginx module provides internal request authentication by validating a custom HTTP header (default is X-Fingerprint) against a set of predefined secrets. The module is highly configurable and allows flexible integration into existing systems for enhanced security.

Source: upstream source

Directives

auth_internal #

syntax: auth_internal on | off;  ·  default: auth_internal off;  ·  context: http, server

Enable or disable the internal authentication.

auth_internal_empty_deny #

syntax: auth_internal_empty_deny on | off;  ·  default: auth_internal_empty_deny off;  ·  context: http, server

Determines whether to deny requests missing the header. If set to on, missing headers result in a deny status.

auth_internal_failure_deny #

syntax: auth_internal_failure_deny on | off;  ·  default: auth_internal_failure_deny on;  ·  context: http, server

Determines whether to deny requests when fingerprint validation fails. If set to `on, invalid fingerprints result in a deny status.

auth_internal_header #

syntax: auth_internal_header 1 arg (string);  ·  context: http, server

Stores a single string value.

auth_internal_proxy_secret #

syntax: auth_internal_proxy_secrets secret;  ·  default: -;  ·  context: http, server

Specifies the secret used to gerenate a new value of fingerprint validation header. The fingerprint value will be appended to the variable $auth_internal_proxy_fingerprint, which can be used to append to upstream request headers to enable auth by upstream server. For example, with the following configuration

auth_internal_request_secrets #

syntax: auth_internal_request_secrets secret1 [secret2 ...];  ·  default: -;  ·  context: http, server

Specifies one or more secrets used to validate the header. A maximum of three secrets are allowed.

auth_internal_timeout #

syntax: auth_internal_timeout 1 arg (duration in seconds);  ·  context: http, server

Duration in seconds; accepts s / m / h / d suffixes.

Example

http {
    auth_internal on;
    auth_internal_request_secret secret1 secret2;
    auth_internal_timeout 600;
    auth_internal_header X-Fingerprint;
    auth_internal_empty_deny off;
    auth_internal_failure_deny on;
    auth_internal_proxy_secret secret1;

    server {
        listen 80;

        location / {
            proxy_set_header X-Fingerprint $auth_internal_proxy_fingerprint;
            proxy_pass http://upstream_server;
        }
    }
}

↑ back to index