NGINX "auth-request" feature?

There is a 2-year-old closed question on this same topic that does not look to be resolved:

https://nginx.org/en/docs/http/ngx_http_auth_request_module.html

I am migrating from NGINX and I had a very simple setup to authenticate the static support pages I had via my existing Rails Devise authentication:

  location /support {
    auth_request /auth;
    auth_request_set $auth_status $upstream_status;
    error_page 403 https://$host;
  }

/auth from my site returns :ok if logged in. The static files are then only served to authenticated users.

Looking to do the same thing with Caddy.
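For readers comparing the two servers, here is the gate the NGINX snippet above implements, written out as an added example (not code from the original post or from either project). The names `auth_decision`, `handle_support` and the injected `check_auth` callable are hypothetical, and the request path is assumed to be relative to the static root.

```python
import os
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]

def auth_decision(auth_status: int) -> int:
    """Outcome of the /auth subrequest as auth_request treats it: 2xx allows,
    401/403 are passed through, any other status (e.g. a 302 to a login page)
    becomes a 500, so the gate fails closed."""
    if 200 <= auth_status < 300:
        return 200
    if auth_status in (401, 403):
        return auth_status
    return 500

def handle_support(path: str, host: str, cookie: str,
                   check_auth: Callable[[Dict[str, str]], int],
                   root: str) -> Response:
    """Serve a static file under root only if the auth check allows it.
    check_auth stands in for the subrequest and returns an HTTP status."""
    try:
        # The session cookie is what lets the app recognise a logged-in user.
        status = auth_decision(check_auth({"Cookie": cookie}))
    except Exception:
        status = 500  # auth backend unreachable: deny, never serve
    if status == 403:
        # Mirrors `error_page 403 https://$host;` (a 302 to the site root).
        return 302, {"Location": f"https://{host}"}, b""
    if status != 200:
        return status, {}, b""
    # Resolve the file under root and refuse anything that escapes it.
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, path.lstrip("/")))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        return 404, {}, b""
    with open(target, "rb") as fh:
        return 200, {}, fh.read()
```

Note that only a 403 from `/auth` triggers the redirect; a 401 is returned to the client as-is, and a redirect from the auth endpoint is treated as an error rather than as permission.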

There’s no built-in support for that in Caddy (yet). None of the maintainers have needed the feature and nobody has contributed it yet.

It’s possible that @greenpau’s auth plugins might support this, but I haven’t played around with them to know if it would support this exact use case or not.

Hmmm… it might - here is the example:

{
  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/public_html
  file_server
}

Is it as simple as this (for my case):

{
  security {
    authorization policy mypolicy {
      set auth url https://myfiosgateway.com/auth
      allow roles authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/support
  file_server
}

I wonder if reverse_proxy with handle_response could be used to wrangle a solution…

@matt Unfortunately not because the original request body can’t be reused for the new attempt in handle_response.


@dantappin, basically you need exactly that authorize with policy. Here is an example config: caddy_security_local.Caddyfile · GitHub

You just need to change respond to the file_server.

If running into problems, open Sign in to GitHub · GitHub


@dantappin, I personally prefer more control over routes. So, I use route in this way.

When I browse to fileserver.myfiosgateway.com/app, I get the stuff in /var/lib/gatekeeper directory.

fileserver.myfiosgateway.com {
        route /app/* {
                authorize with app_policy
                uri strip_prefix /app
                file_server {
                        root /var/lib/gatekeeper
                        browse
                }
        }
}

Thanks @greenpau !

IMO configs are cleaner without route, so I recommend using the order global option instead to set the order of the plugin’s directives.

In this case it also means you can use handle_path instead to avoid the uri strip_prefix line.


This topic was automatically closed after 30 days. New replies are no longer allowed.