http-auth-internal #
This Nginx module provides internal request authentication by validating a custom HTTP header (default is X-Fingerprint) against a set of predefined secrets. The module is highly configurable and allows flexible integration into existing systems for enhanced security.
Source: upstream source
Directives
auth_internal #
syntax: auth_internal on | off; · default: auth_internal off; · context: http, server
Enable or disable the internal authentication.
auth_internal_empty_deny #
syntax: auth_internal_empty_deny on | off; · default: auth_internal_empty_deny off; · context: http, server
Determines whether to deny requests missing the header. If set to on, missing headers result in a deny status.
auth_internal_failure_deny #
syntax: auth_internal_failure_deny on | off; · default: auth_internal_failure_deny on; · context: http, server
Determines whether to deny requests when fingerprint validation fails. If set to `on, invalid fingerprints result in a deny status.
auth_internal_header #
syntax: auth_internal_header 1 arg (string); · context: http, server
Stores a single string value.
auth_internal_proxy_secret #
syntax: auth_internal_proxy_secrets secret; · default: -; · context: http, server
Specifies the secret used to gerenate a new value of fingerprint validation header. The fingerprint value will be appended to the variable $auth_internal_proxy_fingerprint, which can be used to append to upstream request headers to enable auth by upstream server. For example, with the following configuration
auth_internal_request_secrets #
syntax: auth_internal_request_secrets secret1 [secret2 ...]; · default: -; · context: http, server
Specifies one or more secrets used to validate the header. A maximum of three secrets are allowed.
auth_internal_timeout #
syntax: auth_internal_timeout 1 arg (duration in seconds); · context: http, server
Duration in seconds; accepts s / m / h / d suffixes.
Example
http {
auth_internal on;
auth_internal_request_secret secret1 secret2;
auth_internal_timeout 600;
auth_internal_header X-Fingerprint;
auth_internal_empty_deny off;
auth_internal_failure_deny on;
auth_internal_proxy_secret secret1;
server {
listen 80;
location / {
proxy_set_header X-Fingerprint $auth_internal_proxy_fingerprint;
proxy_pass http://upstream_server;
}
}
}