Emulate mod_auth_mysql in nginx?

teck · March 13, 2009, 8:07pm

Hi,

I was wondering if we could emulate mod_auth_mysql in nginx?

AuthName “Your Protected Area”
AuthType Basic
Auth_MySQL_Username mysqluser
Auth_MySQL_Password mysqlpass
Auth_MySQL_DB database
Auth_MySQL_Password_Table users
Auth_MySQL_Username_Field username
Auth_MySQL_Password_Field passwd
Auth_MySQL_Encrypted_Passwords Off
Auth_MySQL_Non_Persistent On
Auth_MYSQL On
Auth_MySQL_Empty_Passwords Off
require valid-user

INSERT INTO user VALUES (‘abc’, ‘123’);

±------------±----------+
| username | passwd |
±------------±----------+
| abc | 123 |
±------------±----------+

Thanks for your help.

Floren

teck · March 16, 2009, 9:01am

On Mar 13, 2009, at 2:00 PM, Floren M. wrote:

Auth_MySQL_Username_Field username
| username | passwd |
±------------±----------+
| abc | 123 |
±------------±----------+

Thanks for your help.

Try this nginx module:

http://code.svn.wordpress.org/nginx_auth_mysql/

Let us know how it goes

teck · March 16, 2009, 12:05pm

Barry A. ha scritto:

- Revision 625: /nginx_auth_mysql

This will ruin Nginx performances.

If you really want to use a database as a backend, you should use
PostgreSQL, since libpq offer an async interface; and you should use a
stored procedure for the authentication.

Regards Manlio

teck · March 16, 2009, 1:31pm

Igor S. ha scritto:

[…]

If you really want to use a database as a backend, you should use
PostgreSQL, since libpq offer an async interface; and you should use a
stored procedure for the authentication.

Yes, you right. However, I have almost ready async mysql interface for nginx,
that can be used here.

Written from scratch, implementing the MySQL wire protocol?

By the way, after having implemented a pure PostgreSQL client in Python,
I tried to do the same with MySQL; but protocol design is very bad,
compared to PostgreSQL, so I gave up; it does not make sense to waste
time with MySQL, IMHO,

Manlio

teck · March 16, 2009, 12:18pm

On Mon, Mar 16, 2009 at 11:55:28AM +0100, Manlio P. wrote:

Try this nginx module:

- Revision 625: /nginx_auth_mysql

This will ruin Nginx performances.

If you really want to use a database as a backend, you should use
PostgreSQL, since libpq offer an async interface; and you should use a
stored procedure for the authentication.

Yes, you right. However, I have almost ready async mysql interface for
nginx,
that can be used here.

teck · March 16, 2009, 5:38pm

Igor, you rock dude

2009/3/16 Igor S. [email protected]:

teck · March 16, 2009, 1:40pm

On Mon, Mar 16, 2009 at 01:19:20PM +0100, Manlio P. wrote:

Written from scratch, implementing the MySQL wire protocol?
Yes.

By the way, after having implemented a pure PostgreSQL client in Python,
I tried to do the same with MySQL; but protocol design is very bad,
compared to PostgreSQL, so I gave up; it does not make sense to waste
time with MySQL, IMHO,

It’s already wasted :). The reamining part is parsing mysql response.

teck · March 16, 2009, 11:37pm

Hi Igor,

-----Original Message-----
From: Igor S. [mailto:[email protected]]
Posted At: Monday, March 16, 2009 7:05 AM
Posted To: gmane.comp.web.nginx.english
Conversation: Emulate mod_auth_mysql in nginx?
Subject: Re: Emulate mod_auth_mysql in nginx?

I have almost ready async mysql interface for nginx,
that can be used here.

When do you think it will be available?

Thanks,

Floren

teck · March 20, 2009, 9:31pm

Written from scratch, implementing the MySQL wire protocol?

By the way, after having implemented a pure PostgreSQL client in
Python,
I tried to do the same with MySQL; but protocol design is very bad,
compared to PostgreSQL, so I gave up; it does not make sense to waste
time with MySQL, IMHO

My goal is to store into a database table the username/password for a
directory.
Then, to have a htaccess like popup show when someone will reach that
directory.

Right now I can do it easy with a htpasswd file, in nginx.
But I think it is much more convenient to have a web interface where you
can
manage the users, etc.
Let me know if there is a similar solution I could use, with all user
info
stored into a MySQL database instead of a file.

Thanks.

teck · March 20, 2009, 10:55pm

If what you really want is a web interface to manage the users, simply
make (or pay someone to make) a web interface to manage the password
files.
Problem solved, no waiting for asynchronous mysql interface.

Merlin

teck · March 21, 2009, 4:32pm

Let’s not forget about HTTPS, and as far as calling out that a specific
HTTP
request method (POST) can you explain further your rationale?

teck · March 21, 2009, 12:10pm

If what you really want is a web interface to manage the users, simply
make (or pay someone to make) a web interface to manage the password
files.
Problem solved, no waiting for asynchronous mysql interface.

That is not a viable solution, you know it. Managing sensitive files in
a
web environment is very unsecure, through a web interface. Ya, you can
create a htpasswd file into /etc/nginx dir for example and do a chmod
0700/chown nginx on it. Then, it is secure to stick in there your
usernames/passwords. But to use PHP or other language to manipulate
sensitive data through a POST that can get sniffed easy by anyone is
simply
insane, IMO. Not to mention that your file has to be editable by anyone
in
order to have your script write information into it…

teck · March 22, 2009, 12:35am

Floren M. ha scritto:

directory.
Then, to have a htaccess like popup show when someone will reach that
directory.

Right now I can do it easy with a htpasswd file, in nginx.
But I think it is much more convenient to have a web interface where you can
manage the users, etc.

You can write a web interface for htpasswd file, too.
And if you have a lot of users, maybe a more efficient solution is to
use a dbm database.

[…]

Regards Manlio

teck · March 22, 2009, 7:53am

On Sat, Mar 21, 2009 at 3:56 AM, Floren M. [email protected] wrote:

If what you really want is a web interface to manage the users, simply
make (or pay someone to make) a web interface to manage the password
files.
Problem solved, no waiting for asynchronous mysql interface.

That is not a viable solution, you know it.

It is certainly a viable solution as Manilo indicates.

Managing sensitive files in a
web environment is very unsecure, through a web interface.

No more insecure than managing sensitive data through a web interface -
in
either case you’ll want SSL on top for any semblence of security.

Ya, you can
create a htpasswd file into /etc/nginx dir for example and do a chmod
0700/chown nginx on it. Then, it is secure to stick in there your
usernames/passwords. But to use PHP or other language to manipulate
sensitive data through a POST that can get sniffed easy by anyone is simply
insane, IMO.

They can monitor the same POST requests to manage users in the database

it’s no more secure. As I said above, you’ll want to place SSL on top,
for
starters.

Not to mention that your file has to be editable by anyone in

order to have your script write information into it…

Not really, it just needs to be editable by the user PHP is running as
(which I can control). Alternatively, the PHP could make requests to
some
other service listening on localhost for insertion/removal from the
file.

There’s a million ways to skin a cat; however, personally if I’m gonna
use
htpasswd authentication, I just manage it with htpasswd (sometimes
indirectly in bash scripts). Simple machines, for the win!

Merlin