On Sun, Aug 19, 2012 at 06:37:39PM -0400, Bob S. wrote:
> On Sun, Aug 19, 2012 at 6:24 PM, Jonathan M.
> > On 19 August 2012 22:32, Bob S. [email protected] wrote:
[rearranging for ease of reading.]
> > > I want to find a secure but simple method for authenticating users in an
> > > http basic authentication within ssl. As in every http-server
> > > I have succeeded in figuring out the auth_basic mod but that does not meet
Which specific aspect of the nginx implementation of http basic
authentication is unsuitable for your use case?
Would http digest authentication avoid the problem you see?
Or would an alternative credential-checking method avoid the problem?
Does your own cookie-or-other authentication method avoid that problem?
(There are 3rd party modules that can help implement the first two
suggestions above, if you don’t want to write your own module from
> I specifically want to supply my own form, get the username and PW, check it
> against my DB with a CGI program, and then pass values back to Nginx.
What part of the form submission is better than the simple http
authentication that you rejected above?
(There can be some parts; but without knowing what exactly your needs
it is hard to suggest something that meets them.)
> > Use proxy_pass (http://nginx.org/r/proxy_pass) or fastcgi_pass
> > (http://nginx.org/r/fastcgi_pass) to communicate the Auth headers to
> > your daemon, which should then respond with whatever page you want
> > your users to see in the event of auth success or failure.
That information is correct for the mechanics of how nginx will know to
invoke your application. But I think you’ll want a very clear idea of
what your application will do, before needing that information.
> I am not clear on how this would work in the nginx.conf file.
I suggest you first gain a clear picture of how your application will
work in the http world. After you determine that it can work, you can
worry about the nginx implementation.
(For what it’s worth: I think your plan involves sending a Set-Cookie
response header to the browser, expecting that the browser will send a
Cookie request header in future requests. But maybe I think wrong.)
> Also, aren’t there security risks using the headers? Can’t someone spoof
> the headers and gain access that way?
Yes. Anyone can send a request with http authentication headers or with
cookie headers. Or with username and password details in the request,
or in the request body.
But it’s not yet obvious to me how http basic authentication differs
from your alternative, in this respect.
Like I said, this is all rather unclear to me.
If you can explain why basic authentication doesn’t meet your needs,
perhaps a suitable alternative can be suggested.
(Quite possibly form-submission to set a cookie is the best solution
you. But maybe nginx-auth-request-module can let http basic
work for you and will be easier. Or maybe something else is best.)
Francis D. [email protected]
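As an added configuration sketch (not from this thread or from nginx's own documentation), here is how the form-login-plus-cookie plan and the auth-request suggestion above fit together in nginx.conf; it assumes an nginx built with the auth_request module (the nginx-auth-request-module mentioned above, part of core nginx since 1.5.4) and a login/check daemon at 127.0.0.1:9000, both placeholders:

```nginx
server {
    listen 443 ssl;
    server_name example.com;                       # placeholder host name
    ssl_certificate     /etc/nginx/tls/cert.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/key.pem;

    # The login form and its POST handler live in the daemon, not in nginx.
    # On success the daemon checks the DB and answers with a Set-Cookie header
    # (mark the cookie Secure and HttpOnly there); the browser then sends the
    # Cookie header on later requests.
    location /login {
        proxy_pass http://127.0.0.1:9000;          # assumed daemon address
    }

    # Protected content: before serving anything, ask the daemon via an
    # internal subrequest whether the presented cookie is a valid session.
    # A 2xx from the daemon allows the request; 401 or 403 denies it.
    location / {
        auth_request /_auth_check;
        error_page 401 = @need_login;
        root /var/www/protected;                    # placeholder document root
    }

    location = /_auth_check {
        internal;                                  # never reachable from clients
        proxy_pass http://127.0.0.1:9000/check;    # assumed check endpoint
        proxy_pass_request_body off;               # the daemon only needs headers
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        # The client can put anything in its Cookie header, as the thread notes;
        # nothing is trusted until the daemon's own lookup says 200.
    }

    location @need_login {
        return 302 /login;
    }
}
```

The same spoofing concern applies to Basic credentials and to cookies alike: in both cases the listen on 443 with ssl is what keeps the header from being read on the wire, and the daemon's lookup is what decides whether it is genuine.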