From 87a9bcdce0a0512045711fa707a4f940dbeb46a4 Mon Sep 17 00:00:00 2001 From: Robin Kofoot Date: Sun, 4 May 2025 11:27:39 -0700 Subject: [PATCH 1/2] edits to introduction, added new response codes section --- .../configuring-subrequest-authentication.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md b/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md index 9ad3fc418..9c586adeb 100644 --- a/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md +++ b/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md @@ -12,7 +12,18 @@ type: ## Introduction -NGINX and F5 NGINX Plus can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where the subrequest is verified. If the subrequest returns a `2xx` response code, the access is allowed, if it returns `401` or `403`, the access is denied. Such type of authentication allows implementing various authentication schemes, such as multifactor authentication, or allows implementing LDAP or OAuth authentication. +NGINX and F5 NGINX Plus can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where it is verified. + +HTTP authentication can use various authentication schemes: +- Multifactor authentication +- LDAP/OAuth authentication + +## Response Codes + +Subrequest Response Codes: +- 2xx - access is allowed +- 402 - access is denied +- 403 - access is denied ## Prerequisites @@ -30,7 +41,7 @@ NGINX and F5 NGINX Plus can authenticate each request to your website with an ex Skip this step for NGINX Plus as it already includes the auth_request module. -2. In the location that requires request authentication, specify the [auth_request](https://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request) directive in which specify an internal location where an authorization subrequest will be forwarded to: +2. In the location that requires request authentication, specify the [auth_request](https://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request) directive and specify an internal location where an authorization subrequest will be forwarded to: ```nginx location /private/ { @@ -51,7 +62,7 @@ NGINX and F5 NGINX Plus can authenticate each request to your website with an ex } ``` -4. As the request body is discarded for authentication subrequests, you will need to set the [proxy_pass_request_body](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_request_body) directive to `off` and also set the `Content-Length` header to a null string: +4. As the request body is discarded for authentication subrequests, set the [proxy_pass_request_body](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_request_body) directive to `off` and also set the `Content-Length` header to a null string: ```nginx location = /auth { From b10bef411ad006e3ea6372714a0e836e2f42a867 Mon Sep 17 00:00:00 2001 From: Mike Jang <3287976+mjang@users.noreply.github.com> Date: Mon, 5 May 2025 17:43:38 -0700 Subject: [PATCH 2/2] Apply suggestions from code review --- .../configuring-subrequest-authentication.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md b/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md index 9c586adeb..c023fee65 100644 --- a/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md +++ b/content/nginx/admin-guide/security-controls/configuring-subrequest-authentication.md @@ -12,18 +12,14 @@ type: ## Introduction -NGINX and F5 NGINX Plus can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where it is verified. - -HTTP authentication can use various authentication schemes: -- Multifactor authentication -- LDAP/OAuth authentication +NGINX and F5 NGINX Plus can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where it is verified. Such type of authentication allows implementing various authentication schemes, such as multifactor authentication, or allows implementing LDAP or OAuth authentication. ## Response Codes Subrequest Response Codes: + - 2xx - access is allowed -- 402 - access is denied -- 403 - access is denied +- 401, 403 - access is denied ## Prerequisites