WebAuthn auth proxy for NGINX. Fork of github.com/newhouseb/nginxwebauthn with multi user capabilities and HTTP header user identification.
If you run some small services on a public-facing server that you would like to protect (i.e. Jupyter of VS code-server) and have a Yubikey or similar, you can use this repository to add secure, public-key authentication to them without modifying the original service itself.
Run nginx -V and check it is compiled with auth_request_module otherwise recompile it with --with-http_auth_request_module configuration parameter. Then set up NGINX to proxy your service, note that you will also need SSL because WebAuthn only works over HTTPS.
server {
server_name myserver.bennewhouse.com; # managed by Certbot
# Redirect everything that begins with /auth to the authorization server
location /nginx_fido_auth {
proxy_pass http://127.0.0.1:8000;
}
# If the authorization server returns 401 Unauthorized, redirect to /atuh/login
error_page 401 = @error401;
location @error401 {
return 302 /nginx_fido_auth/login$request_uri;
}
root /var/www/html;
index index.html;
location / {
auth_request /nginx_fido_auth/check; # Ping /auth/check for every request, and if it returns 200 OK grant access
# The next two lines are ptional config for authentication header needed by your application.
# Replace X-SSL-CERT with any header your application expects to carry the user ID.
auth_request_set $fido $upstream_http_fido_user;
passenger_set_header 'X-SSL-CERT' $fido;
# Here is where you would put other proxy_pass info to forward to Jupyter, etc. In this example I'm just serving raw HTML
}
# Override the application logout url with the fido auth logout url. Replace /users/logout with url where your application logout button points to.
location /users/logout {
return 302 /nginx_fido_auth/logout
}
listen [::]:443 ssl ; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/myserver.bennewhouse.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/myserver.bennewhouse.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Reload NGINX with the aforementioned configuration. Next install the nginxwebauthn Python package as root -- dependencies needs to be installed globally to be able to add user credentials later. Other option is to change privileges to /opt/nginxwebauthn to be able to write there by regular user which may be a security flaw. Install script takes two arguments -- user and group for the script to be started as.
sudo su
pip3 install nginxwebauthn-jv
nginxwebauthn-ubuntu-install.py user group
If nginxwebauthn-ubuntu-install.py fails for any reason you can try to replicate steps in cat `which nginxwebauthn-install.py` . Basically it creates a directory structure in /opt/nginxwebauthn and configures systemd service to run the nginxwebauthn.py script as a daemon.
Browse to your site with appended /nginx_fido_auth/register in a browser that supports WebAuthn. Insert your security key when requested, and the page will tell you to run a command that looks like:
sudo python3 nginx-webauthn.py save-client myserver.bennewhouse.com *big long base64 string* *big long base64 string* auth_name
Replace auth_name with something unique that will help you identify the credential and run that on the server. You only need to do this once per key. The credentials are stored in /opt/nginxwebauthn/credentials/auth_name. If you set up your NGINX to expect the HTTP header to distinguish the authenticated user put the header contents to /opt/nginxwebauthn/headers/auth_name. The header file is paired with credential file by file name. \n characters in headers are replaced with \t and sent back to the NGINX server.
That's it! Navigating back to your website will now authenticate you using the key you just saved.
sudo python3 -m pip install --upgrade pip setuptools wheel
sudo -H pip3 install keyring
git clone https://github.com/jan-vitek/nginxwebauthn
cd nginxwebauthn
python3 setup.py bdist_wheel
Then you can distribute the .whl file from dist to your server and install it with pip3 install nginxwebauthn_jv-*.whl. Or if you are registered to PyPI.org you can upload the package this way:
cat << EOF > ~/.pypirc
[distutils]
index-servers=pypi
[pypi]
repository = https://upload.pypi.org/legacy/
username = your_pypi_username
EOF
python -m twine upload dist/*
#/etc/nginxwebauthn.conf
[Global]
# after succesful token registration a form is displayed where user can fill in the token name and their personal information
# the token is then stored in /opt/nginxwebauthn/registrations
AllowPreregistration = false
# if FromEmail and AdminEmail are configured the user personal information is sent to the AdminEmail
#FromEmail = root@localhost
#AdminEmail = root@localhost
# SMTP server defaults to localhost
#SMTPServer = localhost
If enabled users can identify themselves during the registration process. The token data are then stored in /opt/nginxwebauthn/registrations and user information is sent to the admin email. The admin can later finish the registration process by moving the file to /opt/nginxwebauthn/credentials
The registration form can preload data for the inputs from the url params. The selected inputs can be hidden using the hiddenElements param. To later pair the registration data with your user there is a hidden field externalId.
The credential file is stored in /opt/nginxwebauthn/registrations with externalId as a prefix.
Fields:
Example URL: https://example.com/nginx_fido_auth/register?email=john.doe@example.com&externalId=1234uniqueToken&name=John Doe&phone=555123456&username=john.doe&hiddenElements=["username", "name", "phone", "email"]
Why do I need to run the save-client command?
This seemed easier than setting up a potentially insecure password so that you could authorize your key. Instead it asserts that you have shell access by requiring that you run a command.
FAQs
WebAuthn auth proxy for NGINX. Fork of github.com/newhouseb/nginxwebauthn with multi user capabilities and HTTP header user identification.
We found that nginxwebauthn-jv demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
vlt's new "reproduce" tool verifies npm packages against their source code, outperforming traditional provenance adoption in the JavaScript ecosystem.
Research
Security News
Socket researchers uncovered a malicious PyPI package exploiting Deezer’s API to enable coordinated music piracy through API abuse and C2 server control.
Research
The Socket Research Team discovered a malicious npm package, '@ton-wallet/create', stealing cryptocurrency wallet keys from developers and users in the TON ecosystem.