Introduction

Welcome to Access on NGINX Plus - Authentication for Web Access. In this course we will learn the following:

• How to install the Nginx Plus module njs, required for Authentication Proxy
• How to navigate and utilize the Nginx Plus configuration for OIDC authentication use cases
• How to configure Keycloak for use with NGINX Plus
• How to create a synchronized Instance Group of NGINX Plus servers for load balancing

Please follow the instructions provided by the instructor to start your lab.

Attention

All work for this lab will be performed exclusively from the UDF session. No installation and only minimal interaction with your local system is required

Lab Topology

The following components have been included in your lab environment:

• 1x Infa Server running the below Docker Containers (Ubuntu 22.04)

  • firefox
  • keycloak
  • nginxhello (origin server)

• 1x Linux Server (Ubuntu 22.04) running Nginx Instance Manager (2.15.0)
• 3x Linux Servers (Ubuntu 22.04) running NGINX Plus (nginx-plus-r30-p1)
• 1x F5 BIG-IP DNS virtual appliance (v17.1.0.1)

Lab Components

The following table lists IP Addresses, Ports and Credentials for all components:

Lab Setup

Hostname	IP/PORT	Credentials
idp.f5lab.com (infra)	10.1.1.4
container/keycloak	10.1.1.4:8080	admin/admin
container/nginxhello	10.1.1.4:8081
container/firefox	10.1.1.4:5180
nginx-1	10.1.1.6
nginx-2	10.1.1.7
nginx-3	10.1.1.8
bigip.f5lab.com	10.1.1.9:443	admin/f5r0x!
nim.f5lab.com	10.1.1.11:443	<cached>

High-Level View of auth flow for the lab environment

This implementation assumes the following environment:

• The identity provider (IdP) supports OpenID Connect 1.0
• The authorization code flow is in use
• NGINX Plus is configured as a relying party
• The IdP knows NGINX Plus as a confidential client or a public client using PKCE

With this environment, both the client and NGINX Plus communicate directly with the IdP at different stages during the initial authentication event.