7

Is there a way I could allow access to a directory only if a certain custom header is present and the value matches? With Apache, I've been doing it with SetEnvIf. How could I do it with nginx?

Basically I have a dev server that should be accessed only by me, but I have a dynamic IP and have to change the config file every day. With Apache, I just set my browser to send a custom header that acted like an access password, and Apache would allow access if that header value was correct.

Maciej Krawczyk

2 Answers

7

I researched a lot to solve a simple problem: only allow proxy_pass if the request has a specific token in the header. I tried all the answers here and nothing worked how I liked. My final solution is:

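```nginx
location /api {
    proxy_http_version 1.1;

    # Reject any request whose Authorization header is not exactly this value
    if ($http_authorization != "Bearer 1234") {
        return 401;
    }

    # Only requests that passed the check above reach the upstream
    proxy_pass http://app:3000/;
}
```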

References:

https://stackoverflow.com/questions/45734332/nginx-not-equal-to

https://stackoverflow.com/questions/12431496/nginx-read-custom-header-from-upstream-server

Nginx location exact match matches beyond arguement

https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

Ângelo Polotto
  • If you want to use the `Authorization` header, you can then use `auth_basic`, which uses it as a built-in directive, without reinventing the wheel. See https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html – Pier A Oct 21 '22 at 12:28
  • For my case, the infrastructure team allowed only tokens to make the authentication. – Ângelo Polotto Oct 25 '22 at 21:10
  • Well then, it was not easy. I know well that some setups are very limiting. – Pier A Oct 26 '22 at 18:24
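
The header check from the answer above, extended to the custom-header case in the question, as an added example that is not part of the original posts. The header name `X-Dev-Key`, both token values, the port and the `root` path are assumptions; it uses `map` instead of a string comparison inside `if`.

```nginx
# Added example: header name, tokens, port and paths are constructed.
# Place inside the http {} block of nginx.conf (map is only valid there).

# $http_x_dev_key holds the value of the request header "X-Dev-Key".
# Plain string keys in map are matched ignoring case, so a "~" regex with
# anchors is used to get a case-sensitive, whole-value match.
# A missing, empty or wrong header falls through to default (denied).
map $http_x_dev_key $dev_denied {
    default                        1;
    "~^constructed-sample-token$"  0;
}

# Same idea for the bearer-token case from the answer.
map $http_authorization $api_denied {
    default                          1;
    "~^Bearer constructed-sample$"   0;
}

server {
    listen 8080;

    location /dev/ {
        # "if" treats "" and "0" as false, so only a matching header passes.
        # "return" is one of the directives that is safe inside "if".
        if ($dev_denied) {
            return 403;
        }
        root /var/www;
    }

    location /api/ {
        proxy_http_version 1.1;
        if ($api_denied) {
            return 401;
        }
        proxy_pass http://app:3000/;
    }
}
```

The listener is shown without TLS to keep the example short; over plain HTTP the header value is readable in transit, so the same `map` and `location` blocks belong in a TLS-enabled `server`.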
2

Your actual question is answered here:

https://stackoverflow.com/questions/18970620/nginx-reject-request-if-header-is-not-present-or-wrong

Having said that, why not use Basic Auth? That makes it a password, instead of acting like one.

http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

JayMcTee