
Sample Configuration for Cloudflare JWT Token validation

Harold Simpson edited this page Jul 27, 2018 · 3 revisions
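# CA bundle used to verify the TLS connection when the JWKS endpoint is fetched.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;

# cache for JWT verification results
# (lua-resty-openidc looks for a shared dict with this exact name)
lua_shared_dict introspection 10m;

server {
  server_name DOMAIN.com;

  listen 443 ssl http2;
  # every directive needs a terminating semicolon, or nginx refuses the config
  root /usr/share/nginx/www;

      access_by_lua '
          -- Cloudflare Access forwards the signed JWT in this header; lookups
          -- through ngx.req.get_headers() are case-insensitive.
          local access_token = ngx.req.get_headers()["cf-Access-Jwt-Assertion"]

          -- A repeated header yields a table instead of a string. Treat that,
          -- and an empty value, like a missing token rather than passing a
          -- non-string to jwt_verify.
          if type(access_token) ~= "string" or access_token == "" then
            ngx.log(ngx.STDERR, "No Cloudflare token found")
            ngx.status = 403
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          local openidc = require("resty.openidc")

          -- Audience tag of the Cloudflare Access application this server fronts.
          local audience = "CLIENT_ID_AKA_Cloudflare_Application_Audience__Tag"

          local opts = {
              client_id = audience,
              discovery = {
                -- Cloudflare publishes the public signing keys for the zone here.
                jwks_uri = "https://DOMAIN.com/cdn-cgi/access/certs"
              },
              -- Pin the algorithm so a token naming any other alg is rejected.
              token_signing_alg_values_expected = { "RS256" },
          }

          -- Verifies the signature against the JWKS using the pinned algorithm.
          -- Returns the decoded claims on success, or nil plus an error string.
          local json, err = openidc.jwt_verify(access_token, opts)

          if err or not json then
            ngx.log(ngx.STDERR, "Cloudflare token verification failed: ", err or "no claims returned")
            ngx.status = 403
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          -- Check the aud claim explicitly. Nothing above compares the token
          -- audience with this application, and the JWKS URL is not specific to
          -- one application, so a signature check alone may accept a token that
          -- was issued for a different application. The claim may be a string
          -- or a list of strings. (If the library already checks aud, this is
          -- redundant but harmless -- confirm against its documentation.)
          local aud = json.aud
          local audience_ok = false
          if type(aud) == "string" then
            audience_ok = (aud == audience)
          elseif type(aud) == "table" then
            for _, candidate in ipairs(aud) do
              if candidate == audience then
                audience_ok = true
                break
              end
            end
          end

          if not audience_ok then
            ngx.log(ngx.STDERR, "Cloudflare token audience mismatch")
            ngx.status = 403
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end
      ';
}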
