Module Configuration

Required NGINX Configuration

The following NGINX configurations are required to support the HUMAN NGINX C-Core module:

Resolver

The resolver directive must be configured in the http section of your NGINX configuration.

  • Set the resolver (resolver A.B.C.D;) to an external DNS resolver, such as Google (resolver 8.8.8.8;),

or

  • Set the resolver (resolver A.B.C.D;) to the internal IP address of your DNS resolver (for example, resolver 10.1.1.1;).

This is required for NGINX to resolve the hostname of the HUMAN API.

Required HUMAN Module Configuration

The following parameters are mandatory:

  • px_enabled
  • px_appId
  • px_cookie_secret
  • px_auth_token

    ## Required Parameters ##
    px_enabled true;
    px_appId "<PX_APP_ID>";
    px_auth_token "<PX_AUTH_TOKEN>";
    px_cookie_secret "<COOKIE_ENCRYPTION_KEY>";

  • px_appId - The HUMAN custom application id in the format of HUMAN**__** .
  • px_cookie_secret - The key used by the cookie signing page. The Cookie Key is generated in the HUMAN Portal Policy page.
  • px_auth_token - The JWT token for the REST API. The Authentication Token is generated in the HUMAN Portal Application page.

nginx.conf Example

The following nginx.conf example contains the minimum required configuration for the HUMAN NGINX C-Core module:

    worker_processes auto;

    # Load the HUMAN module and define the thread pool configured for it
    load_module /usr/lib/nginx/modules/ngx_http_pxnginx_module.so;
    thread_pool px_pool threads=10;

    error_log /var/log/nginx/error.log info;
    events {
        worker_connections 1024;
    }

    http {
        real_ip_header X-Forwarded-For;
        # Required so that NGINX can resolve the HUMAN API
        resolver 8.8.8.8;

        server {
            listen 80;
            listen [::]:80;

            # Required HUMAN module parameters
            px_enabled true;
            px_appId "<PX_APP_ID>";
            px_auth_token "<PX_AUTH_TOKEN>";
            px_cookie_secret "<COOKIE_ENCRYPTION_KEY>";

            location / {
                root /nginx/www;
                index index.html;
            }
        }
    }

Using the ’$’ Character in NGINX Configuration

The $ (dollar) character has a special meaning in NGINX configuration (it serves as the variable name prefix).

To use the ’$’ character in the Enforcer configuration (such as in RegEx values), the character must be escaped using the following workaround:

    http {
        # geo is only valid in the http context; it defines $dollar as a literal "$"
        geo $dollar {
            default "$";
        }
        ...
        server {
            ...
            px_filter_by_domain "img\.example\.com$dollar|docs\.example\.com$dollar";
            ...
        }
    }

In this example we want to add $ at the end of each item (img\.example\.com$), but as we need to escape $, the escaped string will look like this: img\.example\.com$dollar
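
A pre-deployment check for the requirements on this page, as an added example that is not part of the HUMAN documentation or module: it reports missing mandatory px_ directives, template placeholders left in place, a missing http-level resolver, and a literal $ in a px_ value. The names parse and audit and the sample configuration are constructed for illustration.

```python
import re

REQUIRED = ("px_enabled", "px_appId", "px_cookie_secret", "px_auth_token")
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+')  # string, brace, ';' or word

def parse(conf):
    """Return (context, name, args) for every simple directive in conf."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # only full-line comments are handled
    found, stack, words = [], [], []
    for tok in TOKEN.findall(conf):
        if tok in ("{", "}", ";"):
            if tok == ";" and words:
                found.append(("/".join(stack), words[0], words[1:]))
            elif tok == "{":
                stack.append(words[0] if words else "?")
            elif tok == "}":
                stack = stack[:-1]
            words = []
        else:
            words.append(tok.strip('"'))
    return found

def audit(conf):
    """List deviations from the requirements stated on this page."""
    found, issues = parse(conf), []
    px = {name: args for _, name, args in found if name.startswith("px_")}
    for name in REQUIRED:
        if name not in px:
            issues.append(f"missing mandatory directive {name}")
        elif any(re.fullmatch(r"<[A-Z_]+>", a) for a in px[name]):
            issues.append(f"{name} still holds a template placeholder")
    # The page requires the resolver in the http section itself.
    if not any(n == "resolver" and ctx == "http" for ctx, n, _ in found):
        issues.append("no resolver directive in the http block")
    for name, args in px.items():
        # A '$' that does not start a variable name is meant as a literal '$'.
        if any(re.search(r"\$(?![A-Za-z0-9_{])", a) for a in args):
            issues.append(f"{name} contains an unescaped literal $")
    return issues

# Constructed sample; parse() and audit() are names made up for this example.
SAMPLE = r'''
http { server {
  px_enabled true;
  px_appId "<PX_APP_ID>";
  px_cookie_secret "constructed-cookie-key";
  px_filter_by_domain "img\.example\.com$|docs\.example\.com$dollar";
} }
'''
print("\n".join(audit(SAMPLE)))
```

Run it against the rendered nginx.conf before reloading NGINX; an empty list means the file meets the requirements listed above.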