Remote_user and remote_password for custom http authentication?

Hello,

I hope everyone is having a nice weekend.

Can anyone out there tell me whether it would be possible to access
the remote user name and password ($user and $password in
http://$user:[email protected]/) so that I can roll my own basic
HTTP authentication?

It seems to me that remote_user is only available when the Auth Basic
module is enabled, but am I missing something?

Jed

On Sun, Oct 14, 2007 at 02:53:13PM +0800, Jed Schmidt wrote:

Can anyone out there tell me whether it would be possible to access
the remote user name and password ($user and $password in
http://$user:[email protected]/) so that I can roll my own basic
HTTP authentication?

It seems to me that remote_user is only available when the Auth Basic
module is enabled, but am I missing something?

No, The $remote_user variable is available without
ngx_http_auth_basic_module,
however, currently there is no $remote_password variable, althogh, it
could
be easy added.

Igor,

It would be awesome if you could add that, unless there is a way to
access it already. Is there some header, for example, from which I can
access it already?

Jed

Jed Schmidt ha scritto:

Igor,

It would be awesome if you could add that, unless there is a way to
access it already. Is there some header, for example, from which I can
access it already?

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8
http://www.ietf.org/rfc/rfc2617.txt

Regards Manlio P.

Manilo,

Thanks for that reference. Maybe I’m doing something wrong, but when I
access a URL in the $user:[email protected]/ format, and then try
to access the $http_authorization variable in an SSI or in a rewrite
rule, it returns nothing. In other words, let’s say I have the
following rule:

location = /auth {
rewrite (.*) http://google.com/search?q=$http_authorization;
}

and then access http://user:[email protected]/auth. If the username and
password were accessible, wouldn’t I be forwarded to
http://google.com/search?q=user:pass? Right now I’m being forwarded to
http://google.com/search?q= instead.

Thanks again for your help,

Jed

A little more information to shed some light on this problem. I have
an SSI-enabled html file at

http://72.44.41.145/beta/authcheck.html

which contains the following:

http_authorization:

When I execute the following in curl:

curl http://user:[email protected]/beta/authcheck.html

I get

http_authorization: Basic dXNlcjpwYXNz

But when I use Firefox or Safari to get the_same_URL, I get

http_authorization:

I am totally at a loss. Would someone mind giving this URL a try and
tell me what I’m doing wrong?

Thanks again,

Jed

On Sunday 14 October 2007, Jed Schmidt wrote:

I am totally at a loss. Would someone mind giving this URL a try and
tell me what I’m doing wrong?

you url does not require an authorization, that why some browsers don’t
auth

Roxis,

Thanks for pointing that out. I didn’t realize that browsers actually
check first to see whether authorization is required. I’ve added this
rule to my location:

location / {
if ($http_authorization !~ ^Basic) {
add_header ‘WWW-Authenticate’ ‘Basic realm=“Restricted”’;
return 401;
}
perl mymodule::auth;
}

and it returns the 401 correctly if there is no Authorization header,
but fails to add the WWW-Authenticate header. According to the
documentation, the add_header directive “adds headers to the HTTP
response when the response code is equal to 200, 204, 301, 302 or
304.” Is the header being left off because it’s a 401?

Thanks again for your help, guys.

Jed

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs