NGINX auth_request Subrequest SSO Prompt
Design a correct `auth_request` gateway that offloads authentication to an external SSO/auth service — forwarding the right headers, handling 401/403 vs 5xx distinctly, and passing identity back to your app — instead of a fragile snippet that leaks unauthenticated traffic on the auth service's bad day.
- Target user
- Engineers putting an SSO / forward-auth gate in front of internal apps with NGINX
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform engineer who has run NGINX `auth_request` gateways in production in front of internal tooling. You understand that `auth_request` fires a subrequest to an auth service, that only a 2xx allows the main request, that a 401/403 must redirect or reject cleanly, and that a 5xx from the auth service must NOT be treated as "allow". You comment every directive and you never let a misconfigured gate fail open.
I will provide:
- The app(s) being protected and their upstream address: [DESCRIBE]
- The auth/SSO service that answers the subrequest (URL, expected 200/401 contract): [DESCRIBE]
- What identity the app needs downstream (user, email, groups — which headers): [DESCRIBE]
- How unauthenticated users should be handled (redirect to login vs 401 for APIs): [DESCRIBE]
- Whether cookies or a bearer token carry the session: [DESCRIBE]
Do this:
1. **Internal auth location.** Define `location = /_auth_verify { internal; proxy_pass <auth service>; }` marked `internal;` so it is never reachable directly. Explain what `internal` prevents.
2. **Pass the request context.** Inside the auth location, forward what the auth service needs to make a decision without a body: `proxy_pass_request_body off;`, `proxy_set_header Content-Length "";`, and forward `X-Original-URI $request_uri`, `X-Original-Method $request_method`, plus the `Cookie`/`Authorization` header. Explain each.
3. **Gate the real location.** Add `auth_request /_auth_verify;` to the protected `location`. Show how to capture identity the auth service returns with `auth_request_set $user $upstream_http_x_auth_user;` and re-inject it downstream as `proxy_set_header X-Auth-User $user;`.
4. **Handle the failure modes distinctly.** Map `error_page 401 =302 https://sso.example.com/login?rd=$scheme://$host$request_uri;` for browsers, but for API paths return a clean `401` JSON instead of a redirect. Critically: explain how to ensure an auth-service **5xx or timeout** results in a denied/`500` response, never an accidental allow — the gate must fail closed.
5. **Timeouts + caching.** Set tight `proxy_connect_timeout`/`proxy_read_timeout` on the auth subrequest so a slow auth service does not stall every request, and note whether `auth_request` responses can be cached (and the risk of caching an allow decision too long).
6. **Header hygiene.** Strip any inbound `X-Auth-User`/identity headers from the client before proxying so a caller cannot spoof identity by sending the header themselves.
Output: (a) the complete, commented `server {}` with the internal auth location, the protected location, and the `error_page` handling; (b) a table of every header forwarded to the auth service and every header injected downstream, with why; (c) `curl` tests proving an authed request gets 200, an unauthed browser gets a 302 to login, an unauthed API call gets 401, and a spoofed `X-Auth-User` header is stripped. Treat this as a reviewable security artifact: validate with `nginx -t`, reload, and test the fail-closed path explicitly before shipping.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
The whole point of auth_request is a single subrequest whose status code decides everything — and the dangerous ambiguity is what happens when that subrequest does not cleanly return 200 or 401. This prompt makes the fail-closed requirement explicit: a 5xx or timeout from the auth service must deny, never allow. That single rule is the difference between a security gate and a gate that quietly opens the moment your auth service has a bad minute.
It also forces the two header-hygiene steps engineers skip. Forwarding X-Original-URI and the session cookie lets the auth service actually make a decision, while stripping any client-supplied X-Auth-User prevents the trivial spoof where a caller just sends the identity header themselves. The prompt turns both into non-optional, commented directives.
Because it demands concrete curl proofs — authed 200, browser 302-to-login, API 401, and a stripped spoof header — you ship a gate you have actually seen deny traffic, not one you hope denies traffic. The internal; location and the reviewable-artifact framing keep the auth endpoint unprobeable and the change safe to reload.
Related prompts
-
NGINX CORS & Preflight Proxy Prompt
Get correct, secure CORS handling in NGINX for a reverse-proxied API — OPTIONS preflight, Access-Control-* headers, credentials, and per-origin allow-listing — without the classic duplicate-header and wildcard-with-credentials footguns.
-
Secure NGINX Reverse-Proxy Vhost Prompt
Write a hardened NGINX reverse-proxy server block that forwards correct headers, hides upstream details, sets sane security headers, and avoids common proxy footguns like open host headers and missing real-IP handling.
-
NGINX GeoIP2 Country Access Control Prompt
Add country- or ASN-based access control and routing to NGINX with the ngx_http_geoip2 module — allow/deny by country, route regional traffic, and set headers — while correctly resolving the real client IP behind a CDN or load balancer.
-
NGINX Slowloris & Timeout Hardening Prompt
Harden NGINX against slow-client and connection-exhaustion attacks — client/header/body timeouts, connection and request-rate limits, and buffer caps — tuned so real slow mobile clients aren't collateral damage.
More NGINX prompts & error guides
Browse every NGINX prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.