@nginx-gists
Last active November 11, 2022 00:11
Announcing NGINX Plus R25
stream {
    upstream backend {
        zone backend 64k;                   # shared memory zone, required for 'resolve'
        resolver 10.0.0.53;
        server time.example.com:37 resolve; # re-resolve the name as its DNS record changes
    }
    server {
        listen 37;
        proxy_pass backend;
        health_check mandatory persistent;  # new servers must pass a check before receiving traffic;
                                            # 'persistent' keeps the healthy state across a reload
    }
}
# vim: syntax=nginx
server {
    # ...
    auth_jwt "closed site";
    auth_jwt_type encrypted;        # token is a JWE; the key set must hold the decryption key
    auth_jwt_key_file /path/to/jwks;
    location / { # ... }
}
# vim: syntax=nginx
js_import /etc/nginx/ssl_jwt_thumbprint.js;
js_set $thumbprint_match ssl_jwt_thumbprint.validate;
auth_jwt_claim_set $jwt_x5t cnf 'x5t#S256'; # Client cert thumbprint from JWT

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/www.example.com.crt;
    ssl_certificate_key /etc/ssl/www.example.com.key;
    ssl_client_certificate /etc/ssl/bundle.crt;
    ssl_verify_client on;               # Require client cert authentication (mTLS)
    auth_jwt '';                        # Require JWT as bearer token
    auth_jwt_key_file /path/to/jwks;
    auth_jwt_require $thumbprint_match; # Client cert JWT binding (RFC 8705 section 3.1)
    # ...
}
# vim: syntax=nginx
server {
    # ...
    auth_jwt "closed site";
    auth_jwt_type nested;           # JWE wrapping a signed JWS; both layers are validated
    auth_jwt_key_file /path/to/jwks;
    location / { # ... }
}
# vim: syntax=nginx
location / {
    # $jwt_payload carries the inner JWS of the validated nested token,
    # so the backend receives a plain signed JWT rather than the JWE
    proxy_set_header Authorization 'bearer $jwt_payload';
    proxy_pass http://my_backend;
}
# vim: syntax=nginx
location / {
    auth_jwt "closed site";
    auth_jwt_key_file /path/to/jwks;
    auth_jwt_require $jwt_claim_exp $jwt_claim_sub; # reject tokens missing either claim
    #...
}
# vim: syntax=nginx
location / {
    proxy_set_header jwt-enc $jwt_header_enc; # enc from JWE header
    proxy_set_header jwt-sub $jwt_claim_sub;  # sub from JWS payload
    proxy_pass http://my_backend;
}
# vim: syntax=nginx
map $host $upstream {
    foo.example.com upstream_a;
    bar.example.com upstream_b;
    default         upstream_x;
}

server {
    listen 80;
    # client certificate for the upstream mTLS connection is chosen per request
    # from the variable, so each backend gets its own identity
    proxy_ssl_certificate /etc/ssl/$upstream.crt;
    proxy_ssl_certificate_key /etc/ssl/$upstream.key;
    location / {
        proxy_pass https://$upstream;
    }
}
# vim: syntax=nginx
// Called through js_set; returns '1' when the mTLS client certificate matches the
// cnf.x5t#S256 thumbprint carried in the (already signature-verified) JWT, else '0'.
function validate(r) {
    // x5t#S256 is base64url(SHA-256(DER certificate)): strip the PEM armour and
    // newlines from $ssl_client_raw_cert so the base64 body decodes to the DER bytes.
    var clientThumbprint = require("crypto")
        .createHash("sha256")
        .update(r.variables.ssl_client_raw_cert.replace(/(\n|----|-BEGIN|-END| CERTIFICATE-)/g, ''), 'base64')
        .digest("base64url");
    // $jwt_x5t is populated by auth_jwt_claim_set from the token's cnf claim.
    return clientThumbprint === r.variables.jwt_x5t ? '1' : '0';
}

export default { validate }
upstream my_backend {
    zone my_backend 64k; # Memory size may need to be increased
    server 10.0.0.1:8080;
    # ...
}
# vim: syntax=nginx
@nginx-gists (Author)

For a discussion of these files, see Announcing NGINX Plus R25
