Sample nginx/OpenResty configuration: validating Cloudflare Access JWTs (Cf-Access-Jwt-Assertion) with lua-resty-openidc
# http{}-level settings needed by the JWT check in the server block below.

# Shared memory zone in which lua-resty-openidc caches JWT verification results
# (keyed by token). The zone must be called "introspection" for jwt_verify to use it.
lua_shared_dict introspection 10m;

# The Cloudflare public keys (jwks_uri) are fetched over HTTPS from Lua, so the
# cosocket TLS client needs a CA bundle and a verification depth.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# NOTE(review): that fetch resolves the jwks_uri hostname through nginx's own
# "resolver" directive, not /etc/resolv.conf; make sure one is configured in
# this context or the key download fails with "no resolver defined".
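server {
    server_name DOMAIN.com;
    listen 443 ssl http2;
    # NOTE(review): a "listen ... ssl" server also needs ssl_certificate and
    # ssl_certificate_key directives, which this sample leaves out.
    root /usr/share/nginx/www;    # the original sample was missing the ';' here

    # Gate every request on a Cloudflare Access JWT delivered in the
    # Cf-Access-Jwt-Assertion header: the signature must verify against the
    # Access public keys and the audience must be this application's AUD tag.
    # Anything else is answered with 403. Using access_by_lua_block instead of
    # the deprecated quoted access_by_lua string avoids shell-style quoting issues.
    access_by_lua_block {
        -- get_headers() normalises header names to lower case.
        local access_token = ngx.req.get_headers()["cf-access-jwt-assertion"]
        -- A repeated header comes back as a table; refuse it rather than hand a
        -- non-string to the verifier (which would raise and turn into a 500).
        if type(access_token) ~= "string" or access_token == "" then
            ngx.log(ngx.ERR, "No Cloudflare token found")
            ngx.status = ngx.HTTP_FORBIDDEN
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        local openidc = require("resty.openidc")
        local opts = {
            -- Application Audience (AUD) tag of the Cloudflare Access application.
            client_id = "CLIENT_ID_AKA_Cloudflare_Application_Audience__Tag",
            discovery = {
                -- Cloudflare Access signing keys, served by Cloudflare in front of
                -- this domain. Fetched over HTTPS from Lua, hence the
                -- lua_ssl_trusted_certificate / resolver requirements in http{}.
                jwks_uri = "https://DOMAIN.com/cdn-cgi/access/certs"
            },
            -- Pin the signature algorithm so the token's own "alg" header can
            -- never downgrade verification (e.g. to "none" or an HMAC variant).
            token_signing_alg_values_expected = { "RS256" },
        }

        -- Signature verification. lua-resty-openidc caches the decoded claims in
        -- the "introspection" shared dict; check your library version for how it
        -- treats "exp" on cached entries, since nothing here re-checks expiry.
        local claims, err = openidc.jwt_verify(access_token, opts)
        if err or not claims then
            ngx.log(ngx.ERR, "Cloudflare token rejected: ", err or "no claims returned")
            ngx.status = ngx.HTTP_FORBIDDEN
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- jwt_verify does not check the audience itself, so do it here.
        -- Cloudflare Access documents "aud" as a JSON array of AUD tags; the
        -- original string comparison (json.aud ~= client_id) can never match a
        -- table and would reject every such token. Accept a bare string too.
        local function has_audience(aud, expected)
            if type(aud) == "string" then
                return aud == expected
            end
            if type(aud) == "table" then
                for _, candidate in ipairs(aud) do
                    if candidate == expected then
                        return true
                    end
                end
            end
            return false
        end

        if not has_audience(claims.aud, opts.client_id) then
            ngx.log(ngx.ERR, "Client ID does not match")
            ngx.status = ngx.HTTP_FORBIDDEN
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- NOTE(review): the issuer ("iss") is not pinned here. If you need to,
        -- compare claims.iss with your Cloudflare Access team domain as well.
    }
}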