Getting User and Password from Basic Authorization headers with Nginx
With Lua support in NGINX, each request is inspectable and modifiable. To get the user and password we access the request headers and decode one in particular: the *Authorization: Basic* one. This article showcases how you can achieve that.
Resulting code at https://github.com/beldpro-ci/sample-basic-to-bearer-nginx.
A long time ago GitHub introduced a way of performing git operations against an authenticated endpoint by providing a token to the remote (https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth). It's pretty straightforward: add the token to the URL so that git performs basic authentication when connecting to GitHub servers.
The weird thing is that you're using Basic authorization for something that Bearer is suited for. Now, if we were GitHub and didn't want to mess up the semantics of our authentication code with a different rule, we could have our NGINX server (which could be acting as a reverse proxy) do that translation for us.
A NGINX Server with Lua support
To get started we pick OpenResty's Docker image. This gives us lua-nginx-module support. First, we create a Makefile that allows one to run a container with NGINX having the files from the current directory mounted as a volume inside it.
Having that, you can run the container with make run. You can then update nginx.conf and issue make reload to reload the configuration.
Now, in the nginx.conf file we set three locations:

- /bearer-to-basic: replaces bearer authorization by basic authorization and then forwards the request to /auth-dump.
- /basic-to-bearer: replaces "basic" by "bearer" authorization and forwards the request to /auth-dump.
- /auth-dump: just responds with a 200 OK having the request headers in the body.
For each of these locations we attach a piece of Lua code for a given phase. These NGINX phases can be thought of as steps in a pipeline that a request goes through. Here we're attaching to two of them: "rewrite" and "content". The first is used for rewriting variables and configuration of a request; the second produces the response content.
You can see more at http://www.nginxguts.com/2011/01/phases/ and https://openresty.org/download/agentzh-nginx-tutorials-en.html.
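To make the three locations and the two phases concrete, here is an added nginx.conf example (not the repository's own configuration). It assumes the Lua handlers live in a module named auth under /etc/nginx/lua, exposing basic_to_bearer and bearer_to_basic functions, and that the /auth-dump location is served by the same server on port 80; these paths and names are assumptions, not taken from the original post.

```nginx
# Added example, not the repository's nginx.conf. Paths and module names
# under /etc/nginx/lua are assumptions.
worker_processes 1;
events { worker_connections 1024; }

http {
    # Let require("auth") resolve to /etc/nginx/lua/auth.lua (assumed path).
    lua_package_path "/etc/nginx/lua/?.lua;;";

    server {
        listen 80;

        # rewrite phase: turn "Basic <base64>" into "Bearer <token>", then proxy.
        location /basic-to-bearer {
            rewrite_by_lua_block {
                require("auth").basic_to_bearer()
            }
            proxy_pass http://127.0.0.1/auth-dump;
        }

        # rewrite phase: turn "Bearer <token>" into "Basic <base64>", then proxy.
        location /bearer-to-basic {
            rewrite_by_lua_block {
                require("auth").bearer_to_basic()
            }
            proxy_pass http://127.0.0.1/auth-dump;
        }

        # content phase: answer 200 OK with the request headers as the body,
        # so the effect of the rewrite handlers is visible in one curl call.
        location /auth-dump {
            content_by_lua_block {
                ngx.header["Content-Type"] = "text/plain"
                for name, value in pairs(ngx.req.get_headers()) do
                    -- a header sent more than once arrives as a table
                    if type(value) == "table" then
                        value = table.concat(value, ", ")
                    end
                    ngx.say(name, ": ", value)
                end
            }
        }
    }
}
```

Because proxy_pass carries a URI part, the matched location prefix is replaced by /auth-dump on the way upstream, and the headers modified with ngx.req.set_header in the rewrite phase are what the proxied request carries. A quick check is curl -u "sometoken:x" http://localhost/basic-to-bearer, whose body should list an Authorization line beginning with Bearer.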
Now, having that setup, time to write the Lua scripts. Let's start with the first, "auth-dump". It doesn't do much: once a request comes in, it prints its headers to the response stream. Having this location as the proxy_pass of the other locations allows us to very easily see the results of what we want: modified headers.
Now, to the real thing.
We start by setting some variables that are local to the module. After that, we require utils, a file under /etc/nginx that contains some basic utilities like isEmpty (see the file contents in the GitHub repository). Then, we export a function from the module (yeah, just like with JavaScript, you can expose objects/functions/variables from modules). In the end, we set the header and we're done :)
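The following is an added Lua module written for this article as an illustration; it is not the repository's own code. It covers both directions described above (Basic to Bearer and Bearer to Basic) in one module. It assumes the file is saved as /etc/nginx/lua/auth.lua and loaded from a rewrite_by_lua handler; it defines its own is_empty helper in place of the repository's utils.isEmpty; it follows git's convention that, when a token is placed in the remote URL, the token travels as the Basic user name; and the fixed password "x-oauth-basic" used when rebuilding a Basic credential is GitHub's documented convention, adopted here as an assumption. Malformed headers are rejected with 401 and a WWW-Authenticate challenge rather than forwarded.

```lua
-- Added example, not the repository's Lua. Assumed path: /etc/nginx/lua/auth.lua
-- Translates the Authorization header of the incoming request between
--   "Basic <base64(user:password)>"  and  "Bearer <token>"
-- in the rewrite phase, before proxy_pass forwards the request.
local _M = {}

-- Stand-in for the repository's utils.isEmpty (assumed helper).
local function is_empty(s)
    return s == nil or s == ""
end

-- Split "Scheme payload" into its two parts; nil when the shape is wrong.
local function parse_authorization(header)
    if is_empty(header) then return nil end
    return header:match("^%s*(%a+)%s+(%S+)%s*$")
end

-- Decode a Basic payload into user and password. Only the first ':' separates
-- them (RFC 7617), so a password containing ':' survives intact.
function _M.decode_basic(payload)
    local decoded = ngx.decode_base64(payload)   -- nil on invalid base64
    if decoded == nil then return nil end
    local user, password = decoded:match("^([^:]*):(.*)$")
    if user == nil then return nil end           -- no ':' at all: not Basic
    return user, password
end

function _M.encode_basic(user, password)
    return ngx.encode_base64(user .. ":" .. password)
end

-- Stop the request with 401 and a challenge for the scheme we expected.
local function reject(scheme)
    ngx.header["WWW-Authenticate"] = scheme .. ' realm="nginx"'
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- rewrite-phase handler for /basic-to-bearer
function _M.basic_to_bearer()
    local scheme, payload = parse_authorization(ngx.var.http_authorization)
    if scheme == nil or scheme:lower() ~= "basic" then
        return reject("Basic")
    end
    -- git-style token-in-URL: the token is the user name, password ignored.
    local user = _M.decode_basic(payload)
    if is_empty(user) then
        return reject("Basic")
    end
    ngx.req.set_header("Authorization", "Bearer " .. user)
end

-- rewrite-phase handler for /bearer-to-basic
function _M.bearer_to_basic()
    local scheme, token = parse_authorization(ngx.var.http_authorization)
    if scheme == nil or scheme:lower() ~= "bearer" then
        return reject("Bearer")
    end
    -- GitHub's convention for a token over Basic (assumption here):
    -- token as user, fixed password "x-oauth-basic".
    local credential = _M.encode_basic(token, "x-oauth-basic")
    ngx.req.set_header("Authorization", "Basic " .. credential)
end

return _M
```

The scheme comparison is case-insensitive because HTTP auth scheme names are, and the decoded credential is checked for the user:password shape before anything is forwarded, so a garbage Basic payload never turns into a garbage Bearer token upstream. Keep in mind that the translated credential is only as confidential as the connection: this belongs behind TLS, exactly like the original Basic header.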
If you have any questions/comments, leave them below or just reach me at twitter.com/beld_pro
The code can be found at https://github.com/beldpro-ci/sample-basic-to-bearer-nginx