
Nginx user authentication methods and open source alternatives to Nginx Plus

Beginner questions about Nginx are welcome; everyone starts somewhere. Let's take your two authentication questions in turn and give you working configurations for each, with the security caveats that matter in practice.

Nginx User Authentication: Implementation Methods & Open Source Alternatives to Nginx Plus

First Method: Proxy Authentication to a Backend Auth Server

This is exactly the workflow you described, and open source Nginx supports it through the built-in auth_request module (ngx_http_auth_request_module, enabled at build time with --with-http_auth_request_module; most distribution packages include it). For every request Nginx issues an internal subrequest to a verification endpoint and decides based on the status code it gets back:

  • The client sends a request carrying a credential, for example an API key in a header such as X-API-Key (call it an API key rather than a private key: it is a shared secret the auth server looks up, not an asymmetric key)
  • Nginx forwards the headers of that request, but not its body, to your dedicated authentication server
  • If the auth server answers 2xx, Nginx proxies the request to your backend; if it answers 401 or 403, that status is returned to the client; any other status (including an unreachable auth server) results in a 500

Because the key travels in a header, serve this over TLS; on plain port 80 the key is readable on the wire.

Example Configuration

server {
    listen 443 ssl;                 # the API key travels in a header, so use TLS
    server_name your-domain.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Internal endpoint that auth_request calls; "internal" means clients
    # cannot hit /auth-check directly, only Nginx subrequests can
    location = /auth-check {
        internal;
        proxy_pass http://your-auth-server:8080/verify-key; # Your auth server's validation endpoint
        # The subrequest carries the original headers but must not carry the body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Request headers are forwarded by default; this makes the dependency explicit
        proxy_set_header X-API-Key $http_x_api_key;
        # Tell the auth server what is being accessed, for per-path decisions
        proxy_set_header X-Original-URI $request_uri;
    }

    # Protect your main application route
    location / {
        auth_request /auth-check; # 2xx = allow, 401/403 = returned to client, anything else = 500
        # Capture the auth server's status code (useful in log_format)
        auth_request_set $auth_status $upstream_status;

        # Customise the 401 body; a 403 from the auth server is returned as-is
        error_page 401 = @unauthorized;

        proxy_pass http://your-backend-app;
    }

    location @unauthorized {
        return 401 "Unauthorized: Invalid or missing authentication key";
    }
}
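The other half of that exchange is the auth server that /auth-check proxies to. The following is an added example written for this page, not code from the original answer or from nginx: a minimal Python service that implements the assumed /verify-key endpoint on port 8080, reads X-API-Key, and answers 200 with an X-Auth-User header or 401. The key store is constructed sample data and holds SHA-256 hashes of keys rather than the keys themselves, so a leaked store is not a leaked set of credentials.

```python
"""Minimal API-key verifier for the auth_request setup above (added example).

Assumptions: keys arrive in X-API-Key, the service listens on 127.0.0.1:8080
at /verify-key, and the store maps sha256(key) -> owner.
"""
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple


def _h(key: str) -> str:
    """Hash a key so the store never contains usable credentials."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample store; in production this comes from a database.
SAMPLE_KEYS: Dict[str, str] = {
    _h("sk_live_alice_7f3a"): "alice",
    _h("sk_live_bob_91cd"): "bob",
}


def verify_api_key(presented: Optional[str],
                   store: Dict[str, str] = SAMPLE_KEYS) -> Tuple[int, Optional[str]]:
    """Return (200, user) for a known key, (401, None) otherwise.

    Every entry is compared with hmac.compare_digest so a miss and a hit take
    comparable time instead of leaking through an early-exit string compare.
    """
    if not presented:
        return 401, None
    digest = _h(presented.strip())
    match: Optional[str] = None
    for stored, user in store.items():
        if hmac.compare_digest(stored, digest):
            match = user
    return (200, match) if match else (401, None)


class VerifyHandler(BaseHTTPRequestHandler):
    """Speaks the status-code contract auth_request expects: 2xx, 401 or 403."""

    def do_GET(self) -> None:
        if self.path != "/verify-key":
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        status, user = verify_api_key(self.headers.get("X-API-Key"))
        self.send_response(status)
        if user:
            # Nginx can pick this up with:
            #   auth_request_set $auth_user $upstream_http_x_auth_user;
            #   proxy_set_header X-Auth-User $auth_user;
            self.send_header("X-Auth-User", user)
        else:
            self.send_header("WWW-Authenticate", 'ApiKey realm="api"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Handle other methods the same way; the decision depends only on the header
    do_POST = do_GET
    do_PUT = do_GET
    do_DELETE = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), VerifyHandler).serve_forever()
```

Run it next to the Nginx config above and send `curl -H 'X-API-Key: sk_live_alice_7f3a' https://your-domain.com/` to see the request pass; omit or mangle the key and Nginx returns the @unauthorized body.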

Second Method: Open Source Alternatives to Nginx Plus

Nginx Plus offers out-of-the-box JWT validation (ngx_http_auth_jwt_module) and OpenID Connect integration as commercial features, but you don't need to pay for these capabilities. Here are the open source options, with one correction to the original list:

1. OpenResty (Nginx bundled with LuaJIT and ngx_lua)

OpenResty is a free Nginx distribution that bundles the ngx_lua module and LuaJIT, so authentication logic can run inside the request phases (typically access_by_lua_block) without a separate auth server. It suits custom workflows as well as standard protocols:

  • Validate JWT tokens with lua-resty-jwt (HS256 with a shared secret, or RS256 with the issuer's public key)
  • Run a complete OpenID Connect authorization code flow with lua-resty-openidc (see the OpenID Connect section below)
  • Pass the verified identity to your backend via headers set with proxy_set_header or ngx.req.set_header, both of which overwrite anything the client sent

Example JWT Validation with OpenResty

server {
    listen 443 ssl;
    server_name your-domain.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        # Must be declared before access_by_lua_block assigns it; writing to an
        # undeclared ngx.var.* raises "variable not found"
        set $user_id "";

        access_by_lua_block {
            local jwt = require "resty.jwt"
            local validators = require "resty.jwt-validators"

            -- Lua comments start with "--", not "#"
            local auth_header = ngx.var.http_authorization
            local token = auth_header and auth_header:match("^Bearer%s+(.+)$")
            if not token then
                ngx.header["WWW-Authenticate"] = 'Bearer realm="api"'
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end

            -- HS256 shared secret; for RS256 tokens pass the PEM public key instead.
            -- Load it from a file or the environment at init time rather than hard-coding it.
            local secret = "your-jwt-signing-secret"

            -- Pass a claim spec so expiry and issuer are checked, not only the signature
            local jwt_obj = jwt:verify(secret, token, {
                exp = validators.is_not_expired(),
                iss = validators.equals("https://your-idp-domain/"),
            })

            -- Reject invalid tokens (signature or claim failure); reason says which
            if not jwt_obj.verified then
                ngx.log(ngx.WARN, "jwt rejected: ", jwt_obj.reason)
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end

            -- Pin the algorithm you issue so a crafted header cannot switch it
            if jwt_obj.header.alg ~= "HS256" then
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end

            -- Pass user ID from JWT claims to the backend
            ngx.var.user_id = jwt_obj.payload.sub
        }

        proxy_pass http://your-backend-app;
        # proxy_set_header replaces any client-supplied X-User-ID, so the backend
        # only ever sees the verified value
        proxy_set_header X-User-ID $user_id;
    }
}

2. ngx_http_auth_jwt_module (NGINX Plus only, shown for comparison)

A correction here: the auth_jwt directives below belong to ngx_http_auth_jwt_module, a commercial module that ships only with NGINX Plus. It is not part of open source nginx and there is no --with-http_auth_jwt_module configure flag. For JWT validation in the open source build, use the OpenResty approach above, a third-party module such as TeslaGov's ngx-http-auth-jwt-module (its README documents its own directive names), or auth_request against a small verifier service. If you do have Plus, the configuration is short:

  • The key file is a JWK set (JSON) holding your HS256 secret or RS256 public key, not a raw secret or a PEM file
  • exp and nbf are checked by the module; other claims are exported to variables with auth_jwt_claim_set and can be enforced with auth_jwt_require

Example JWT Validation Configuration (NGINX Plus)

server {
    listen 443 ssl;
    server_name your-domain.com;

    location / {
        auth_jwt "Protected Application";
        # JWK set containing the HS256 secret or the RS256 public key
        auth_jwt_key_file /etc/nginx/jwks.json;
        # Export the subject claim into a variable and hand it to the backend
        auth_jwt_claim_set $jwt_sub sub;

        proxy_pass http://your-backend-app;
        proxy_set_header X-User-ID $jwt_sub;
    }
}
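Whether you validate at the gateway with lua-resty-jwt or with the Plus module, you need test tokens and a clear picture of which checks matter. The following is an added example for this page, not code from the original answer, from lua-resty-jwt, or from ngx_http_auth_jwt_module: a standard-library-only HS256 minter and verifier. The issuer URL and the secret are assumed placeholder values. The verifier pins the algorithm before trusting anything in the header, which is what blocks alg=none tokens and HS256/RS256 key confusion, then checks the signature in constant time, then exp and iss.

```python
"""HS256 JWT mint/verify with only the standard library (added example).

Assumed values: issuer "https://your-idp-domain/" and a throwaway secret.
mint() can deliberately produce an alg=none token to exercise the verifier.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional, Tuple, Union

ISSUER = "https://your-idp-domain/"          # assumed; must match the gateway config
SECRET = b"test-only-secret-do-not-use"      # constructed for this example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(sub: str, secret: bytes = SECRET, ttl: int = 300, alg: str = "HS256",
         now: Optional[int] = None) -> str:
    """Mint a token; alg="none" exists only to build a negative test case."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    if alg == "none":
        return signing_input + "."           # unsigned token, empty signature part
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
           now: Optional[int] = None, leeway: int = 30) -> Tuple[bool, Union[str, Any]]:
    """Return (True, payload) or (False, reason).

    Check order: algorithm pin, then signature, then claims. Nothing from the
    header or payload is trusted until the signature has been verified.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:                       # covers binascii, unicode and JSON errors
        return False, "bad encoding"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "bad encoding"
    # 1. Algorithm pin: the verifier decides the algorithm, never the token
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # 2. Signature over the exact bytes received, compared in constant time
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # 3. Claims: exp is mandatory, iss must match the configured issuer
    if not isinstance(payload.get("exp"), int) or now > payload["exp"] + leeway:
        return False, "expired"
    if payload.get("iss") != issuer:
        return False, "wrong issuer"
    return True, payload
```

Use `mint("alice")` to get a Bearer token for curl against either gateway; a token minted with `alg="none"` or with a different secret should be rejected by the gateway exactly as verify() rejects it here.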

3. lua-resty-openidc (OpenID Connect on OpenResty)

Another correction: the auth_openidc_* directives in the original answer are not the syntax of any published nginx module (they resemble Apache mod_auth_openidc's OIDC* directives). A native ngx_openidc_module does exist, but the widely deployed open source option is lua-resty-openidc, a Lua library for OpenResty from the same author as mod_auth_openidc. It implements the relying-party side of the authorization code flow: redirect to the provider, code exchange on the callback, ID token validation, and a session cookie via lua-resty-session. It works with any provider that publishes a discovery document, such as Keycloak, Google, or Okta.

Example OIDC Configuration

http {
    # Needed so OpenResty can reach the provider over HTTPS and verify its certificate
    resolver 8.8.8.8;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    server {
        listen 443 ssl;
        server_name your-domain.com;

        location / {
            access_by_lua_block {
                local opts = {
                    -- Must be registered at the provider; the callback is handled by
                    -- authenticate() itself, so no separate callback location is needed
                    redirect_uri = "https://your-domain.com/redirect_uri",
                    discovery = "https://your-idp-domain/.well-known/openid-configuration",
                    client_id = "your-oidc-client-id",
                    client_secret = "your-oidc-client-secret",
                    scope = "openid email profile",
                    ssl_verify = "yes",
                }
                -- Runs the whole flow: redirect to the IdP, code exchange, ID token
                -- validation (signature, iss, aud, exp, nonce) and the session cookie
                local res, err = require("resty.openidc").authenticate(opts)
                if err then
                    ngx.log(ngx.ERR, "openidc: ", err)
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
                -- Forward the verified identity; set_header overwrites any client value
                ngx.req.set_header("X-User", res.id_token.sub)
            }
            proxy_pass http://your-backend-app;
        }
    }
}

Configure a session secret for lua-resty-session (see its README for the session_secret setting for your version) rather than relying on a default, and keep the redirect_uri under a location that runs this same access_by_lua_block.

Final Notes

Choose the auth_request method if you already have (or are happy to write) a custom auth server; use OpenResty with lua-resty-jwt for JWT validation in open source nginx, and OpenResty with lua-resty-openidc for OpenID Connect. ngx_http_auth_jwt_module is the NGINX Plus way of doing the same JWT check in pure configuration. Whichever you pick, terminate TLS at Nginx, and make Nginx overwrite the identity headers it sends to the backend so a client cannot inject them.

The question in this content comes from Stack Exchange; question author: eylon levi.
