http-auth-totp #

Time-based one-time password (TOTP) authentication for Nginx

Source: upstream source

Directives

auth_totp_expiry #

syntax: auth_totp_expiry <interval>  ·  default: 0s  ·  context: http, server, location, limit_except

Specifies the expiry time for the HTTP cookie to be used for tracking authenticated clients.

auth_totp_file #

syntax: auth_totp_file <filename>  ·  default: -  ·  context: http, server, location, limit_except

Specifies the file that contains usernames and shared secrets for Time-based One-Time Password (TOTP) authentication. This configuration file has the format:

auth_totp_length #

syntax: auth_totp_length <number>  ·  default: 6  ·  context: http, server, location, limit_except

Specifies the truncation length of the Time-based One-Time Password (TOTP) code. This truncation length may be between 1 and 8 digits inclusively. If the supplied TOTP is of a different length to this value, the authentication request will fail.

auth_totp_realm #

syntax: auth_totp_realm <string>|off  ·  default: off  ·  context: http, server, location, limit_except

Enables validation of user name and Time-based One-Time Password (TOTP) using the "HTTP Basic Authentication" protocol. The specified parameter is used as the realm for this authentication. This parameter value can contain variables. The special value of off cancels the application of any auth_totp_realm directive inherited from a higher configuration level.

auth_totp_reuse #

syntax: auth_totp_reuse <on>|<off>  ·  default: off  ·  context: http, server, location, limit_except

Enables the reuse of a Time-based One-Time Password (TOTP) within a validity window. While this is non-standard behaviour per RFC 6238, it provides a convenient manner to ensure a minimum window of validity for generated TOTP codes, even if the TOTP has already been presented to the validating system.

auth_totp_secret #

syntax: auth_totp_secret <string>  ·  default: -  ·  context: http, server, location, limit_except

A server-side secret used when generating session cookies and then when validating session cookies. If an attacker knows this secret, they will be able to forge session cookies that grant access, so it is vital that it be difficult to guess.

auth_totp_skew #

syntax: auth_totp_skew <number>  ·  default: 1  ·  context: http, server, location, limit_except

Specifies the number of time steps by which the time base between the issuing and validating TOTP systems. It is important to note that larger acceptable delay windows represent a larger window for attacks and a balance must be struck between the security and usability of OTPs.

auth_totp_start #

syntax: auth_totp_start <time>  ·  default: 0  ·  context: http, server, location, limit_except

Specifies the UNIX time from which to start counting time steps as part of Time-based One-Time Password (TOTP) algorithm operations. The default value is 0, the UNIX epoch at 1970/01/01.

auth_totp_step #

syntax: auth_totp_step <interval>  ·  default: 30s  ·  context: http, server, location, limit_except

Specifies the time step as part of Time-based One-Time Password (TOTP) algorithm operations.

Example

server {
    listen 80;

    location /protected {
        auth_totp_realm "Protected";
        auth_totp_secret "Secret";
        auth_totp_file /etc/nginx/totp.conf;
        auth_totp_length 8;
        auth_totp_reuse off;
        auth_totp_skew 1;
        auth_totp_step 1m;
        auth_totp_cookie "totp-session";
        auth_totp_expiry 1d;
    }
}

↑ back to index