With NginX Proxy Manager I am trying to bypass JWT authentication. In this example I will use NginX Proxy Manager web GUI as it users JWT Authentication.
From my device I can successfully fetch a new token (valid for a day or less) from remote server but sadly longlive tokens are no longer supported:
curl 'http://localhost:81/api/tokens' \
-H 'Content-Type: application/json; charset=UTF-8' \
--data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \
--compressed
I tried creating a JWT token of the values {"identity":"[Your Email]","secret":"[Your Secret]"}
and pass them in NginX as follows
proxy_set_header Authorization "Bearer jwt-token";
proxy_pass_header Authorization;
Sadly that was unsuccessful. Is there a method to use NginX to fetch a JWT token and authenticate?
here I used NPM Web UI as an example since it uses JWT Authentication. This can be applied on most Web Aplications that use similar Authentication.
In this case i created A group with special permition to log into several services but you can do this on user level. In the group/user add the following Attributes with the correct user/pass
. Leave the Token as Null
nginx_password: pass
nginx_username: user
additionalHeaders:
X-Nginx-Token: null
Under Property Mappings create a new Scoop Maping. Name is NginX Token and Scoop Name must be ak_proxy otherwise NginX cannot call the apropeate headers. Adjust the Expression from group_attributes() to attributes for user based authentication. The Expression should be as following:
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
nginxuser = request.user.group_attributes().get("nginx_username", "")
nginxpass = request.user.group_attributes().get("nginx_password", "")
base_url = "http://nginx:81"
end_point = "/api/tokens"
json_data = {'identity': nginxuser,'secret': nginxpass}
postdata = json.dumps(json_data).encode()
headers = {"Content-Type": "application/json; charset=UTF-8"}
httprequest = Request(base_url + end_point, data=postdata, method="POST", headers=headers)
with urlopen(httprequest) as response:
responddata = json.loads(response.read().decode())
return {
"ak_proxy": {
"user_attributes": {
"additionalHeaders": {
"X-Nginx-Token": responddata['token']
}
}
}
}
The Expression will fetch a new Autherization Token which can be accessed through the X-Nginx-Token Header. Create a Proxy Provider and make sure the Scoop we just created is included. In NPM I added this configuration. Dnt forget to change the Authentik Server address
proxy_buffers 8 16k;
proxy_buffer_size 32k;
# Make sure not to redirect traffic to a port 4443
port_in_redirect off;
location / {
proxy_pass $forward_scheme://$server:$port;
##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = u/goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# Here we call the Header we created and use the Token that Authentik fetched for us
auth_request_set $authentik_auth $upstream_http_x_nginx_token;
proxy_set_header Authorization "Bearer ${authentik_auth}";
proxy_pass_header Authorization;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
# When using the embedded outpost, use:
proxy_pass https://authentik-server:9443/outpost.goauthentik.io;
# Note: ensure the Host header matches your external authentik URL:
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location u/goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
That should be it. I tried it and it works perfectly