Nginx_auth_mysql

Hello all,
I’m new to nginx (and first post on this mailing list), I have read the wiki and scoured the web in order to find a nginx_mysql_auth or nginx_ldap_auth module for nginx.
I am migrating my servers from apache to nginx + nginx-php-fpm now that this is included with php-5.3.0, and in all of these servers I am using a centralized directory to manage access to phpmyadmin, SVN repositories and much more.
Now my question is this: I haven’t been able to find anything that answers my needs. I want nginx to talk directly with mysql or ldap and the only thing I’ve found is this:
http://code.svn.wordpress.org/nginx_auth_mysql/README

Apparently the folks at wordpress have developed something based on the PAM auth module by Sergio Talens-Oliag but I keep hearing that this module isn’t non-blocking and therefore might ruin my nginx performance (although on my production server, I’ll need this only to limit access to phpmyadmin and this will be accessed only a few times a week apparently).

Does anyone know any other modules? Are new modules in the works? Can someone enlighten me if using this module will indeed ruin my nginx performance? Should I hold off on switching from apache to nginx? Because managing htpasswd across more than 10 servers isn’t something I’m willing to do at this stage.

Thanks a lot!

Hello!

On Mon, Aug 09, 2010 at 02:20:44PM +0300, Adam Benayoun wrote:

I’ve found is this:
http://code.svn.wordpress.org/nginx_auth_mysql/README

Apparently the folks at wordpress have developed something based on the PAM
auth module by Sergio Talens-Oliag but I keep hearing that this module isn’t
non-blocking and therefore might ruin my nginx performance (although on my
production server, I’ll need this only to limit access to phpmyadmin and
this will be accessed only a few times a week apparently).

Yes, it’s blocking (as well as auth pam and auth ldap modules
flying around).

Does anyone know any other modules? Are new modules in the works? Can someone
enlighten me if using this module will indeed ruin my nginx performance?
Should I hold off on switching from apache to nginx? Because managing htpasswd
across more than 10 servers isn’t something I’m willing to do at this stage.

You may want to try this one:

http://mdounin.ru/hg/ngx_http_auth_request_module/

It’s non-blocking and you are free to code any
authentication/authorization backend.

Maxim D.

Maxim
Thanks for your answer.

What I am trying to do is basically this:

When a user navigates to a certain domain, an http authentication box will open and he will need to enter his username and password.
Then nginx will send the following information in a header to a php script:

  • $username entered in auth
  • $password entered in auth
  • group provided in nginx location block

The php script will in turn do the authentication against ldap and will return either 201 (success!) or 401 (try again and auth will re-open).
What I don’t really get yet, and pardon me but I’m still new to nginx (and I’ve tried reading the wiki and your documentation for the module), is how to make the user go through the authentication box and use the information provided in it to pass it to my php script.

Basically, if you could point me to a wiki or some code, that would be awesome.
I also think it could be nice to open a wiki page explaining how your module can be used this way, since whoever migrates his apache+mod_auth_dbm or apache+mod_auth_ldap configuration will mostly need that information.

This question is of course addressed to anyone on this mailing list, if
anyone can help, I’d be grateful.
Thanks a lot!


Adam Benayoun | CEO / http://www.lionite.com
Gtalk/MSN: [email protected] | Skype: adam.benayoun
Cell: +(972)544835975 | Twitter: @adambn

On Mon, Aug 9, 2010 at 8:23 PM, Maxim D. [email protected] wrote:

You may want to try this one:

http://mdounin.ru/hg/ngx_http_auth_request_module/

It’s non-blocking and you are free to code any
authentication/authorization backend.

This auth_request module can now be combined with our ngx_lua module
and thus can be further combined with our ngx_drizzle module to access
mysql to do the actual lookup.

See the TEST 4 and TEST 5 cases in the ngx_lua module’s test suite for
sample configurations to combine ngx_http_auth_request with ngx_lua:

http://github.com/chaoslawful/lua-nginx-module/blob/master/t/5-throw.t#L55

And see the following example (TEST 14) to capture subrequests’
responses in Lua:

 http://github.com/chaoslawful/lua-nginx-module/blob/master/t/2-content.t#L233

Cheers,
-agentzh

The php script will in turn do the authentication against ldap and will
return either 201 (success!) or 401 (try again and auth will re-open).

If you are using just php you don’t even need to change anything (at least it works with my generic setup) within nginx configuration (unless you want to protect static content which php has no control over).

The examples in http://php.net/manual/en/features.http-auth.php work just fine.

I’ll need this only to limit access to phpmyadmin and this will be
accessed only a few times a week apparently).

phpMyAdmin provides http authentication itself ( http://wiki.phpmyadmin.net/pma/Auth_types ):

$cfg['Servers'][$i]['auth_type'] = 'http';

(it is still good to at least restrict IP access to the path, as http auth is plain text (especially if the DB server is accessible through public networks) and the phpma has experienced some nasty exploitable bugs in the past)

rr
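
An added configuration example (not from any of the posts in this thread) of the flow asked about above: the auth_request module forwards the browser's Basic credentials to a backend script, combined with the IP restriction suggested in the previous message. The hostname, certificate paths, the 127.0.0.1:9000 backend, the X-Auth-Group header and the "dbadmins" group are all assumptions. The backend answers 2xx to allow, or 401 with a WWW-Authenticate: Basic header, which nginx relays so the browser opens the login box.

```nginx
# Added example; every name, address and path below is an assumption.
server {
    listen 443 ssl;                  # Basic credentials are only base64-encoded, so require TLS
    server_name admin.example.com;
    ssl_certificate     /etc/nginx/tls/admin.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/admin.example.com.key;

    location /phpmyadmin/ {
        # Both checks must pass ("satisfy all" is the default):
        allow 192.0.2.0/24;          # constructed example network
        deny  all;
        auth_request /_auth/dbadmins;

        # ... the usual fastcgi_pass / proxy_pass for the protected application ...
    }

    # One internal check location per group; the group is fixed here,
    # never taken from the client.
    location = /_auth/dbadmins {
        internal;                                    # not reachable by clients directly
        proxy_pass http://127.0.0.1:9000/check;      # hypothetical LDAP/MySQL check script
        proxy_pass_request_body off;                 # the check only needs the headers
        proxy_set_header Content-Length "";
        proxy_set_header X-Auth-Group   "dbadmins";  # overwrites any client-sent value
        proxy_set_header X-Original-URI $request_uri;
        # The client's Authorization header is forwarded to the backend
        # unchanged; the backend decodes it and does the directory lookup.
    }
}
```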

On Tue, Aug 10, 2010 at 10:58 AM, agentzh [email protected] wrote:

This auth_request module can now be combined with our ngx_lua module
and thus can be further combined with our ngx_drizzle module to access
mysql to do the actual lookup.

Forgot to mention that the mysql result set returned by ngx_drizzle
can be even further cached by ngx_srcache + ngx_memc + memcached
(cluster!) :) And…ngx_memc can also be combined with Maxim’s
ngx_http_upstream_keepalive to provide memcached connection pooling ;)

Everything is non-blocking here and can be at least an order of
magnitude faster than traditional solutions like PHP or Python for
real world settings :)

Cheers,
-agentzh
