A very simple standalone authentication server Express app.
It can be used for protecting web sites with NGINX subrequest authentication.
- Use
auth_request /authin NGINX conf. - When user requests protected area, NGINX makes an internal request to
/auth. If 201 is returned, protected contents are served. Anything else, NGINX responds with 401. /authis reverse proxied to Express app auth-server which handles authentication. Cookies are passed on as well, so the auth server can check for a JWT.- Auth server sets httpOnly cookie containing a JWT.
- JWT updated with new expiry each time a user visits protected area.
- Default rate limit of 15
/loginrequests every 15 minutes.
Refer to this tutorial on my blog:
https://gock.net/blog/2020/nginx-subrequest-authentication-server/
AUTH_PORT- Listening port of application (default: 3000)AUTH_PASSWORD- Authentication passwordAUTH_TOKEN_SECRET- JWT secretAUTH_COOKIE_SECURE- Secure attribute on authentication cookie sent from server. Set totrueto enable, or ifAUTH_COOKIE_SECUREis missing, defaults totrue.AUTH_COOKIE_OVERRIDES- Optional JSON string which is added to theauthTokencookie, in addition tohttpOnly,secureandmaxAge.AUTH_EXPIRY_DAYS- Optional number of days before JWT expires (default: 7)
Refer to dotenv documentation for formatting.
You can define a custom auth routine in auth.js. See auth.example.js for an example. If you don't configure a auth.js it will use default simple AUTH_PASSWORD password based authentication.
Install nodemon globally.
Install dependencies
npm install
Start dev server
npm watch
Be aware that the authentication cookie used by default uses the secure attribute thus the demo will only work when connecting via
- HTTPS to a non-local IP address, or
- HTTPS to a hostname other than "localhost", or
- HTTP/HTTPS to localhost.
Start with npm start, or use one of the strategies below
Install with pm2
pm2 start ./app.js --name auth
sudo docker build -t auth-server .
sudo docker run -it -p 3000:3000 -e AUTH_PASSWORD=test -e AUTH_TOKEN_SECRET=verysecret auth-serverUse the following in our NGINX server conf. You should change the port number (default of 3000) to match the port number you are running the auth server on.
# optional:
# internal redirect to /login if there is a auth failure, delete or comment this out if you don't want this behaviour and just show a generic 401 error
error_page 401 /login;
location / {
auth_request /auth;
# pass Set-Cookie headers from the subrequest response back to requestor
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_status $upstream_status;
try_files $uri $uri/ /index.html;
}
location = /auth {
# internaly only, /auth can not be accessed from outside
internal;
# internal proxy to auth-server running on port 3000, responses expected from proxy:
# 2xx response = access allowed via auth_request
# 401 or 403 response = access denied via auth_request
# anything else = error
proxy_pass http://localhost:3000;
# don't pass request body to proxied server, we only need the headers which are passed on by default
proxy_pass_request_body off;
# there is no content length since we stripped the request body
proxy_set_header Content-Length "";
# let proxy server know more details of request
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Remote-Addr $remote_addr;
proxy_set_header X-Original-Host $host;
}
# these are handled by the proxy as part of the auth routines
location ~ ^/(login|logged-in|logout)$ {
proxy_pass http://localhost:3000;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Remote-Addr $remote_addr;
proxy_set_header X-Original-Host $host;
}
# this CSS is used by the three requests above and is served by the proxy
location ~* ^/(auth_style\.css|auth_padlock\.svg)$ {
proxy_pass http://localhost:3000;
}
# optional location block
# if you have other location blocks, be sure to add auth_request there too otherwise these requests won't get protected, for example
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 90d;
log_not_found off;
auth_request /auth;
}