auth-server

A very simple standalone authentication server Express app.

It can be used for protecting web sites with NGINX subrequest authentication.

• Use auth_request /auth in NGINX conf.
• When user requests protected area, NGINX makes an internal request to /auth. If 201 is returned, protected contents are served. Anything else, NGINX responds with 401.
• /auth is reverse proxied to Express app auth-server which handles authentication. Cookies are passed on as well, so the auth server can check for a JWT.
• Auth server sets httpOnly cookie containing a JWT.
• JWT updated with new expiry each time a user visits protected area.
• Default rate limit of 15 /login requests every 15 minutes.

How to use

Refer to this tutorial on my blog:

https://gock.net/blog/2020/nginx-subrequest-authentication-server/

Configure .env

• AUTH_PORT - Listening port of application (default: 3000)
• AUTH_PASSWORD - Authentication password
• AUTH_TOKEN_SECRET - JWT secret
• AUTH_COOKIE_SECURE - Secure attribute on authentication cookie sent from server. Set to true to enable, or if AUTH_COOKIE_SECURE is missing, defaults to true.

Refer to dotenv documentation for formatting.

You can define a custom auth routine in auth.js. See auth.example.js for an example. If you don't configure a auth.js it will use default simgple AUTH_PASSWORD password based authentication.

Development

Install nodemon globally.

Install dependencies

yarn

Start dev server

yarn start

Be aware that the authentication cookie used by default uses the secure attribute thus the demo will only work when connecting via

• HTTPS to a non-local IP address, or
• HTTPS to a hostname other than "localhost", or
• HTTP/HTTPS to localhost.

Production

Install with pm2

pm2 start ./app.js --name auth

Example NGINX conf

Use the following in our NGINX server conf.

# optional:
# internal redirect to /login if there is a auth failure, delete or comment this out if you don't want this behaviour and just show a generic 401 error
error_page 401 /login;

location / {
    auth_request /auth;

    # pass Set-Cookie headers from the subrequest response back to requestor
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    auth_request_set $auth_status $upstream_status;

    try_files $uri $uri/ /index.html;
}

location = /auth {
    # internaly only, /auth can not be accessed from outside
    internal;

    # internal proxy to auth-server running on port 3000, responses expected from proxy:
    #   2xx response = access allowed via auth_request
    #   401 or 403 response = access denied via auth_request
    #   anything else = error
    proxy_pass http://localhost:3000;

    # don't pass request body to proxied server, we only need the headers which are passed on by default
    proxy_pass_request_body off;

    # there is no content length since we stripped the request body
    proxy_set_header Content-Length "";

    # let proxy server know more details of request
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-Remote-Addr $remote_addr;
    proxy_set_header X-Original-Host $host;
}

# these are handled by the proxy as part of the auth routines
location ~ ^/(login|logged-in|logout)$ {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-Remote-Addr $remote_addr;
    proxy_set_header X-Original-Host $host;
}

# this CSS is used by the three requests above and is served by the proxy
location = /css/skeleton.css {
    proxy_pass http://localhost:3000;
}

# optional location block
# if you have other location blocks, be sure to add auth_request there too otherwise these requests won't get protected, for example
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 90d;
    log_not_found off;
    auth_request /auth;
}

References

• Skeleton CSS
• NGINX sub request authentication
• Using JWTs with NodeJS tutorial
• jsonwebtoken node module

MERCX Guide

ssh into server

ssh -i "SuprSketch.pem" ec2-user@ec2-54-151-114-224.us-west-1.compute.amazonaws.com

Go to the html directory

cd /usr/share/nginx/

The foulder ./suprsketch is where the application lives. It hold the html and js files of the main application that nginx servers.

Go to the nginx conf

cd /etc/nginx

This is where the nginx conf files live

Edit files if neccesary

vim nginx.conf

Run the nginx service

Check the status of nginx

sudo systemctrl status nginx

If it is dead. Restart it

sudo systemctl restart nginx.service

sometimes you need to kill

sudo killall nginx

and for good measure reload the change of the nginx file

sudo nginx -s reload

Go to the nodejs authenticator

cd /home/ec2-user/token-gate-auth-server-ep-moralis-basic-nft-gating

Run the node app without any holdup

nohup node app.js &

Sometimes you need to kill any background running processes

SSL issues

Remember to renew your SSL stuff

Certs live here

/etc/pki/tls/certs

And private key lives here

/etc/pki/tls/private

Remember to merge the CA_bundle and your CRT

merge the cabundle and certificate into one file

cat cert.pem cabundle.pem >> combined.pem

and set ssl_certificate to 'combined.pem'

Configure OSCP Stapling

configure OCSP Stapling on your server,

! It actually need a huge lift to support OSCP It seems firefox is only erroring out because of lack of OSCP support https://stackoverflow.com/questions/12142907/error-sec-error-revoked-certificate-when-viewed-in-firefox-only

Just follow the tutorial and users will be able to bypass this extra features