Created March 13, 2012 21:14
Cookie-based authentication with nginx
```nginx
worker_processes 1;
error_log logs/error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # The "main" log format must be defined, because access_log below refers to it
    # (with it commented out, nginx -t fails with: unknown log format "main").
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # Content server: serves files only to requests that carry a valid AUTH_COOKIE.
    server {
        listen 8000;
        listen content.nginx:8000;
        server_name content.nginx;

        # Extract the cookie value; it is used below as a file name.
        if ($http_cookie ~* "AUTH_COOKIE=([a-z0-9]+)(?:/|$)") {
            set $auth_cookie $1;
        }

        # A token is valid only if a file named after it exists in the cookies
        # directory; otherwise the client is redirected to the auth server.
        if (!-f /Users/username/nginx/cookies/$auth_cookie) {
            rewrite ^ http://auth.nginx:8000 break;
        }

        location / {
            root /Users/username/nginx/content_html;
            index index.html index.htm;
        }
    }

    # Auth server: static pages under auth_html, where unauthenticated requests land.
    server {
        listen 8000;
        listen auth.nginx:8000;
        server_name auth.nginx;

        location / {
            root /Users/username/nginx/auth_html;
            index index.html index.htm;
        }
    }
}
```
This `"AUTH_COOKIE=([a-z0-9]+)(?:/|$)"` should be `"AUTH_COOKIE=([a-z0-9]+)(?:;|$)"`
Very nice. Thanks for sharing.
Hey, what is `([a-z0-9]+)(?:/|$)`?

```nginx
if ($http_cookie ~ "TechPulse_Firewall=$SHA1Variable") {
    set $l7_protect 1;
}
```

For some reason this won't work for me, any idea? Apparently I can't put a variable inside there lol
Thanks for the gist! I modified it a bit to ensure that there were no illegal characters in the filename, i.e. I'm not sure what it would do (from a hacker's perspective) if the file contained some sort of bash script or what-not. So this eliminates 'special' characters from the mix before getting to the "file test" operation. No idea how nginx would handle a badly malformed file name, best to err on the side of security...

EDIT: Modified the path to look for the cookie/token file. If you leave it at /etc/nginx/ there is perhaps a way for someone to set their cookie to nginx.conf or some other file that would exist. :-)
```nginx
# Validate first that AUTH_COOKIE does not have malicious characters in it...
# If we don't and then dip into the filesystem to test if the file exists, then
# we could be screwed / hacked. Safety first.
#
# The pattern must be anchored (^...$): an unanchored "([a-zA-Z0-9]+)" also
# matches values such as "../nginx.conf". A separate "$flag = false" comparison
# never fires either, because an unset nginx variable is the empty string, not
# the literal "false", so the reject is done directly with a negative match.
if ($cookie_AUTH_COOKIE !~ "^[a-zA-Z0-9]+$") {
    return 403;
}
# Only a value made of [a-zA-Z0-9] reaches the file test.
if (!-f /etc/nginx/tokens/$cookie_AUTH_COOKIE) {
    return 403;
}
```
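The token-file scheme the gist and this comment describe, as an added example that is not part of the gist or the comment: a POSIX shell script that mints a token file and then applies exactly the two checks nginx would (anchored character-set validation, then a file-existence test), so the effect of anchoring can be exercised with traversal-style values. `TOKEN_DIR`, `issue_token` and `check_cookie` are names chosen here; nothing in the gist defines them.

```bash
#!/bin/sh
# Added example, not from the gist. Mirrors the nginx checks so the token-file
# scheme can be exercised outside nginx. TOKEN_DIR is a constructed location.

TOKEN_DIR="${TOKEN_DIR:-$(mktemp -d)}"

# issue_token: mint a random 160-bit hex token and create the file named after it.
# The file's existence is what grants access; the file name is the secret.
issue_token() {
    tok=$(od -An -N20 -tx1 /dev/urandom | tr -d ' \n')
    : > "$TOKEN_DIR/$tok"
    printf '%s\n' "$tok"
}

# check_cookie: the same test nginx performs, in the correct order.
#  1. The value must consist ONLY of [A-Za-z0-9] (the anchored check), so that a
#     value like "../tokens/<tok>" or "nginx.conf" never reaches the file test.
#  2. A regular file named after the value must exist in TOKEN_DIR.
# Returns 0 (allow) or 1 (deny), like nginx's 200-vs-403 decision.
check_cookie() {
    val=$1
    case $val in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ -f "$TOKEN_DIR/$val" ]
}

# revoke_token: deleting the file is all that is needed to invalidate a session.
revoke_token() {
    rm -f "$TOKEN_DIR/$1"
}
```

Without the anchored check, the traversal value used in the test below resolves to the same file and would pass the `-f` test, which is the point the comment above makes.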
Hey thanks, this is a great workaround for the fact that I can't find a way to allow/deny access based on a cookie (that isn't hardcoded).
One note: couldn't you get the cookie value with just $cookie_AUTH_COOKIE and avoid the regex? Example: https://gist.github.com/NickSto/6920790