Hello everybody,

I just wrote my first nginx module and thought it was not a bad idea to share it with the people on this list.

The module is used to do HTTP Basic Authentication against PAM instead of using an htpasswd file.

You can get the source from:

http://web.iti.upv.es/~sto/nginx/

It works well for my setup, but if someone tries it and finds a bug I’d be happy to know about it (and try to fix it, of course).

Greetings,
Sergio.

How to use it?
Could you please make an example?

2008/9/17 Sergio Talens-Oliag:

On Wed, Sep 17, 2008 at 10:21:08PM +0800, lhmwzy wrote:

> How to use it?
> Could you please make an example?

There are examples in the README file included in the tarball:

To protect everything under /secure you will add the following to the nginx.conf file:

    location /secure {
        auth_pam              "Secure Zone";
        auth_pam_service_name "nginx";
    }

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root.

For example, to authenticate users against an LDAP server (using the pam_ldap.so module) you will use an /etc/pam.d/nginx like the following:

    auth    required /lib/security/pam_ldap.so
    account required /lib/security/pam_ldap.so

If you also want to limit the users from LDAP that can authenticate you can use the pam_listfile.so module; to limit who can access resources under /restricted add the following to the nginx.conf file:

    location /restricted {
        auth_pam              "Restricted Zone";
        auth_pam_service_name "nginx_restricted";
    }

Use the following /etc/pam.d/nginx_restricted file:

    auth    required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/nginx/restricted_users
    auth    required /lib/security/pam_ldap.so
    account required /lib/security/pam_ldap.so

And add the users allowed to authenticate to /etc/nginx/restricted_users (the web server user has to be able to read this file).

I hope this helps,
Sergio.
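
A check for the pam_listfile setup described above, as an added example that is not part of the original post or the module's README: it reads a PAM service file, confirms the allow-list options shown in the post are present, and checks that the list file is readable but not writable by group or other. The helper name audit_pam_listfile and the scratch-directory sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PAM service file that uses pam_listfile as an allow-list.
# audit_pam_listfile is a hypothetical helper name, not part of the module.
# Run it as the web server user so the readability test matches what nginx sees.
audit_pam_listfile() {
    svc=$1; rc=0; list=
    [ -r "$svc" ] || { echo "FAIL: cannot read $svc"; return 2; }
    # First non-comment line loading pam_listfile.so, tabs normalised to spaces.
    line=$(grep -v '^[[:space:]]*#' "$svc" | grep 'pam_listfile\.so' |
           head -n 1 | tr '\t' ' ')
    [ -n "$line" ] || { echo "FAIL: no pam_listfile.so line in $svc"; return 2; }
    for tok in $line; do
        case $tok in file=*) list=${tok#file=} ;; esac
    done
    # Expect the same options as the post; onerr=fail keeps errors fail-closed.
    for want in onerr=fail item=user sense=allow; do
        case " $line " in
            *" $want "*) ;;
            *) echo "FAIL: $want is not set"; rc=1 ;;
        esac
    done
    [ -n "$list" ] || { echo "FAIL: no file= argument"; return 1; }
    if [ ! -f "$list" ] || [ ! -r "$list" ]; then
        echo "FAIL: $list is not a regular file readable by $(id -un)"
        return 1
    fi
    # Anyone who can write the list can grant themselves access.
    perms=$(ls -ldL "$list" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) echo "FAIL: $list is writable by group/other ($perms)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $svc restricts logins to users in $list"
    return "$rc"
}

# Constructed sample in a scratch directory (stand-ins for the /etc paths above).
demo() {
    d=$(mktemp -d)
    printf 'alice\nbob\n' > "$d/restricted_users"
    chmod 644 "$d/restricted_users"
    printf '%s\n' \
        "auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=$d/restricted_users" \
        "auth required /lib/security/pam_ldap.so" \
        "account required /lib/security/pam_ldap.so" > "$d/nginx_restricted"
    audit_pam_listfile "$d/nginx_restricted"; status=$?
    rm -rf "$d"
    return "$status"
}
demo
```

On a real host the function would be pointed at /etc/pam.d/nginx_restricted and run under the account nginx workers use, for example through sudo -u.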

Sergio, you’re a hero! Sometimes simple things are the best. Compiling your module with nginx 0.7.23 threw me an error, something like debuglog3 needs 8 parameters instead of 5. I don’t care about debug so I simply removed those lines in your code and it compiled fine and works perfectly.

It’s bloody brilliant because it allowed me to set up quickly a mysqldb-pam backed auth, for my cpanel & awstats. Long live Sysoev! Long live Sergio!

mike wrote:

> On Wed, Sep 17, 2008 at 6:55 AM, Sergio Talens-Oliag wrote:
>> Hello everybody,
>> I just wrote my first nginx module and thought it was not a bad idea to share it with the people on this list.
>> The module is used to do HTTP Basic Authentication against PAM instead of using an htpasswd file.
>
> Code an NTLM/Windows Integrated Authentication auth plugin for nginx and I will pay

Just for fun I tried out this one. Easy cake takes no time to authenticate users against Active Directory/NTLM using samba & pam_smb.

what version of windows are the AD servers using?
can you share any config details (feel free to reply off list)

On Fri, Dec 05, 2008 at 12:28:59AM +0100, Noel Lublovary wrote:

> Sergio, you’re a hero! Sometimes simple things are the best. Compiling your module with nginx 0.7.23 threw me an error, something like debuglog3 needs 8 parameters instead of 5. I don’t care about debug so I simply removed those lines in your code and it compiled fine and works perfectly.

Good to know, we are using the stable nginx series, I’ll review the code when 0.8.x goes out.

> It’s bloody brilliant because it allowed me to set up quickly a mysqldb-pam backed auth, for my cpanel & awstats. Long live Sysoev! Long live Sergio!

That was my idea, PAM is able to do a lot of things right now, using it was a simple and powerful option and it makes me happy to know that someone else finds my approach useful…

Greetings,
Sergio.