9

I'm developing a web application with aiohttp where user authentication is implemented with aiohttp-security. I use nginx for the server deployment. The configuration is inspired by the aiohttp doc and looks like:

location /api {
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_redirect off;
  proxy_buffering off;
  proxy_pass http://127.0.0.1:8080/api;
}

A part of the web application is something like a photo album. I want the photos to be served by nginx for performance. My configuration currently looks like this; it works but bypasses the authentication:

location /photos {
  root /srv/web/photos/;
  try_files $uri =404;
}

How can I make nginx serve the photos only to authenticated users? (The authentication mechanism is implemented by the Python application, as described above.)

David Froger
    Just found https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ (don't know why I missed it before) – David Froger Jan 05 '19 at 14:26

1 Answer

6

This can be achieved by using Authentication based on sub-request results.

A static/media location can be protected with the help of subrequest authentication.

Considering static/media location: /media/

nginx.conf

....

location /media {
    auth_request /auth;
    #...
}

location = /auth {
    internal;
    proxy_pass              https://yourauthserver/is_authenticated;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
    #...
}
...

/is_authenticated is the location where your web application checks whether the user is authenticated or not.

Static/Media will be served only if is_authenticated returns status code 200.

Furkan Siddiqui
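Putting the answer together with the locations from the question, as an added example that is not from the original answer or from the nginx documentation: it assumes the aiohttp app on 127.0.0.1:8080 registers a route at /api/is_authenticated that returns 200 for a logged-in session (for instance when aiohttp-security's authorized_userid is not None) and 401 otherwise, and that the photo files live under /srv/web/photos as in the question.

```nginx
# Constructed example: protect the static /photos location with auth_request.
# The aiohttp application stays the single authority for authentication;
# nginx only asks it before serving a file.

location /api {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_buffering off;
    proxy_pass http://127.0.0.1:8080/api;
}

location /photos {
    # Every request is first checked by the internal /auth subrequest:
    #   2xx from the subrequest -> the file is served;
    #   401 or 403            -> that status is returned to the client;
    #   any other status      -> nginx answers 500 (fails closed).
    auth_request /auth;

    # 'root' is joined with the full URI, so /photos/a.jpg maps to
    # /srv/web/photos/photos/a.jpg; use 'alias' instead if the files
    # sit directly in /srv/web/photos.
    root /srv/web/photos;
    try_files $uri =404;
}

location = /auth {
    # 'internal' means clients cannot request /auth directly;
    # only nginx's own subrequests reach it.
    internal;

    # Assumed aiohttp route: 200 when the session cookie belongs to a
    # logged-in user, 401 otherwise.
    proxy_pass http://127.0.0.1:8080/api/is_authenticated;
    proxy_set_header Host $http_host;

    # The subrequest carries the client's request headers (including
    # Cookie), but the original body must not be forwarded: drop it and
    # clear Content-Length so the upstream does not wait for one.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Tell the application which file was requested, e.g. for per-album
    # authorization checks or for logging denied attempts.
    proxy_set_header X-Original-URI $request_uri;
}
```

The application handler must answer with a plain 200 or 401/403 only; a redirect to a login page (302) from /is_authenticated would be treated as an error by auth_request and turn into a 500 for the client.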