NGINX API Auth via URL Param or String

Is this possible? I'm looking to serve an API as a service to around \~100 developers. Many of their existing applications authenticate to an API like mine with a unique URL, something like this:****

I've read through the docs (auth\_jwt module) but I'm getting lost and haven't found a way to easily do this. I'd like to be able to:

* Authenticate them as an authorized user of the API via a file outside of the .conf file for the site (ie: apiKeys.json, the extension/format doesn't matter that much to me)
* Use their apiKey to assign them to a group or zone, which may or may not be rate limited.

Is this possible using the Open source version of NGINX? I've explored:

* apiUmbrella - no longer maintained
* Kong - opensource version is lacking many desired features

Any help, examples of conf files, really anything would be awesome.

2 thoughts on “NGINX API Auth via URL Param or String”

  1. this is something your application should handle.
    idk if possible in nginx, maybe yes, but that’s not something i would do on nginx.

  2. You could try one of these options:

    1) Use the [map module]( to convert the API keys to some variable (default 0 = not authorized, or 1 = authorized for known keys). You would then check this variable to decide whether to allow or deny the request. You could store the map in a separate config file, but the downside is that you would have to maintain two maps, if you also want to map the api key to a rate limit zone.

    2) Write a simple backend service, which would do the check and then use the [X-Accel]( directives to ‘return’ the request back to nginx for further processing. The way this works is you `proxy_pass` the request to the service, and if the response from that service has the `X-Accel-Redirect` header, nginx will then re-process the request again in a new location matching the URL specified in the value of that header. There’s also a `X-Accel-Rate-Limit` header which you could set in the response.

    EDIT: There is also a 3rd option: the [auth_request]( module. It is fairly similar to 2) and depending on your setup (i.e. where the API keys come from), it may be a better fit.


Leave a Comment