Getting User and Password from Basic Authorization headers with Nginx

beld 🎩
3 min read · May 9, 2017

With Lua support in NGINX, each request is inspectable and modifiable. To get the user and password we access the request headers and decode one in particular: *Authorization: Basic*. This article shows how to achieve that.

Resulting code at https://github.com/beldpro-ci/sample-basic-to-bearer-nginx.

A long time ago GitHub introduced a way of performing git operations against an authenticated endpoint by providing a token to the remote (https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth). It's pretty straightforward: add the token to the URL so that git performs basic authentication when connecting to GitHub servers.

The weird thing is that you're using Basic authorization for something that Bearer is suited for. Now, if we were GitHub and didn't want to mess up the semantics of our authentication code with a different rule, we could have our Nginx server (which could be acting as a reverse proxy) do that.

A NGINX Server with Lua support

Makefile to run the container and reload its configuration

To get started we pick OpenResty's Docker image. This gives us lua-nginx-module support. First, we create a Makefile that allows one to run a container with NGINX having the files from the current directory mounted as a volume inside it.

Having that, you can run the container with make run. You can then update nginx.conf and issue make reload to reload the configuration.

Now, in the nginx.conf file we set three locations:

  • /bearer-to-basic: replaces bearer authorization by basic authorization and then forwards the request to /auth-dump.
  • /basic-to-bearer: replaces 'basic' by 'bearer' authorization and forwards the request to /auth-dump.
  • /auth-dump: just responds with a 200 OK having the headers in the body.

For each of these locations we attach a piece of Lua code to a given phase. These NGINX phases can be thought of as steps in a pipeline that a request goes through.

Here we're attaching to two of them: 'rewrite' and 'content'. The first is used for rewriting variables and configuration of a request. The second produces the response content.

You can see more at http://www.nginxguts.com/2011/01/phases/ and https://openresty.org/download/agentzh-nginx-tutorials-en.html.

Nginx server configuration

Now, having that setup, it's time to write the Lua scripts. Let's start with the first, 'auth-dump'. It doesn't do much: once a request comes in, it prints the request headers to the response stream. Having this location as the proxy_pass target of the other locations lets us very easily see the result of what we want: modified headers.

Dumps all the request headers to the HTTP client of the connection

Now, to the real thing.

We start by setting some variables that are local to the module.

After that, require utils, a file under /etc/nginx that contains some basic utilities like isEmpty (see the file contents in the GitHub repository).

Then, we export a function from the module (yeah, just like with JavaScript, you can expose objects/functions/variables from modules).

In the end, set the header and weā€™re done :)
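The three locations, the two phases and the module steps described above, put together as one added Lua module. This is example code written for this article's topic, not the module from the beldpro-ci/sample-basic-to-bearer-nginx repository: the file name basic_auth_bridge.lua, the upstream address in the wiring comments, the realm string, the local stand-in for utils.isEmpty, and the convention that the token travels in the Basic user field (the field git fills when the token is given in the URL) are all assumptions. It decodes the header defensively (scheme check, base64 check, split on the first colon only, since the password may contain colons), rejects malformed credentials with a 401 instead of forwarding them, and logs the reason without the credential value.

```lua
-- basic_auth_bridge.lua: added example module, not the repository's file.
-- Wiring from nginx.conf (assumed paths and upstream), one export per location:
--
--   location /basic-to-bearer { rewrite_by_lua_block { require("basic_auth_bridge").basic_to_bearer() }
--                               proxy_pass http://127.0.0.1:8080/auth-dump; }
--   location /bearer-to-basic { rewrite_by_lua_block { require("basic_auth_bridge").bearer_to_basic() }
--                               proxy_pass http://127.0.0.1:8080/auth-dump; }
--   location /auth-dump       { content_by_lua_block { require("basic_auth_bridge").dump_headers() } }

-- Module-local aliases: cheaper than a global table lookup on every request.
local ngx = ngx
local find, sub, lower = string.find, string.sub, string.lower

-- Local stand-in for utils.isEmpty from the repository's utils.lua (assumed),
-- so this module runs without that file.
local function is_empty(s)
  return s == nil or s == ""
end

local _M = {}

-- Parses "Basic <base64>" into user, password.
-- Returns nil, reason on any malformed input and never throws.
function _M.parse_basic(header)
  if is_empty(header) then
    return nil, "missing Authorization header"
  end
  -- Exactly two tokens: the scheme and the credential.
  local scheme, credential = header:match("^%s*(%a+)%s+(%S+)%s*$")
  if not scheme or lower(scheme) ~= "basic" then
    return nil, "not a Basic credential"
  end
  local decoded = ngx.decode_base64(credential)
  if not decoded then
    return nil, "credential is not valid base64"
  end
  -- RFC 7617: the user-id may not contain ':', so split on the FIRST colon;
  -- everything after it, colons included, is the password.
  local sep = find(decoded, ":", 1, true)
  if not sep then
    return nil, "credential has no ':' separator"
  end
  return sub(decoded, 1, sep - 1), sub(decoded, sep + 1)
end

-- Parses "Bearer <token>" and returns the token, or nil, reason.
function _M.parse_bearer(header)
  if is_empty(header) then
    return nil, "missing Authorization header"
  end
  local scheme, token = header:match("^%s*(%a+)%s+(%S+)%s*$")
  if not scheme or lower(scheme) ~= "bearer" then
    return nil, "not a Bearer credential"
  end
  return token
end

-- Ends the request with 401 and a challenge. Only the reason is logged,
-- never the credential itself.
local function reject(reason, challenge)
  ngx.log(ngx.WARN, "auth bridge rejected request: ", reason)
  ngx.header["WWW-Authenticate"] = challenge
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- rewrite phase for /basic-to-bearer. Assumption: the token is the Basic
-- user field; the password field is ignored.
function _M.basic_to_bearer()
  local user, err = _M.parse_basic(ngx.var.http_authorization)
  if not user or user == "" then
    return reject(err or "empty user", 'Basic realm="bridge"')
  end
  ngx.req.set_header("Authorization", "Bearer " .. user)
end

-- rewrite phase for /bearer-to-basic: the token becomes the Basic user with
-- an empty password (assumed convention).
function _M.bearer_to_basic()
  local token, err = _M.parse_bearer(ngx.var.http_authorization)
  if not token then
    return reject(err, "Bearer")
  end
  ngx.req.set_header("Authorization", "Basic " .. ngx.encode_base64(token .. ":"))
end

-- content phase for /auth-dump: echo the request headers, one per line.
function _M.dump_headers()
  ngx.header["Content-Type"] = "text/plain"
  for name, value in pairs(ngx.req.get_headers()) do
    -- A header sent more than once arrives as a table of values.
    if type(value) == "table" then
      value = table.concat(value, ", ")
    end
    ngx.say(name, ": ", value)
  end
end

return _M
```

Because the rewrite phase runs before proxy_pass, the upstream only ever sees the rewritten Authorization header; a request that fails parsing never reaches it. The parse functions are exported so they can be unit-tested from a plain Lua interpreter by stubbing `ngx.decode_base64`.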

—

If you have any questions/comments, leave them below or just reach me at twitter.com/beld_pro ✌️ 🐦

The code can be found at https://github.com/beldpro-ci/sample-basic-to-bearer-nginx


Working on a blog for those indie hackers trying to get servers up: https://ops.tips