User authentication with nginx

I want to find a secure but simple method for authenticating users in an
Nginx environment.

I have succeeded in figuring out the auth_basic mod but that does not
meet
my needs.

I specifically want to supply my own form, get the username and PW,
check
it against my DB with a CGI program, and then pass values back to Nginx.

I need explained examples for nginx.conf. I can write my own backend in
C
for authentication, that is not part of my question.

1. What should nginx.conf look like?
2. How are values passed back to nginx? signals? function return codes?

On 19 August 2012 22:32, Bob S. [email protected] wrote:

I want to find a secure but simple method for authenticating users in an
Nginx environment.

I have succeeded in figuring out the auth_basic mod but that does not meet
my needs.

I specifically want to supply my own form, get the username and PW, check it
against my DB with a CGI program, and then pass values back to Nginx.

Use proxy_pass (Module ngx_http_proxy_module) or fastcgi_pass
(Module ngx_http_fastcgi_module) to communicate the Auth headers to
your daemon, which should then respond with whatever page you want
your users to see in the event of auth success or failure.

There are many configuration examples for these on the interwebs.

Jonathan

Jonathan M.
Oxford, London, UK
http://www.jpluscplusm.com/contact.html

I am not clear on how this would work in the nginx.conf file.

Also, aren’t there security risks using the headers? Can’t someone
spoof
the headers and gain access that way?

Like I said, this is all rather unclear to me.

On Sun, Aug 19, 2012 at 6:24 PM, Jonathan M.

On Aug 19, 2012, at 5:48 PM, Francis D. [email protected] wrote:

Why not?

Which specific aspect of the nginx implementation of http basic
authentication is unsuitable for your use case?

Would http digest authentication avoid the problem you see?

I would like to see digest auth supported personally. For proper spnego
situations if the Kerberos/gssapi stuff fails it is supposed to fall
back to digest.

I still have my “not sure if it works at all” nginx+spnego module and
someone else posted another one (may or may not have been based on the
one I funded, I still want to sync up with them) that I’d really love to
get more action on. I would really like to use nginx inside of my
company’s intranet and be able to provide my users with the
“transparent” recognition that it would provide.

Anyone reading this please feel free to contact me off-list if
interested in development, testing, funding, using or discussing this
module (or if you are the guy who made his own port too!)

On Sun, Aug 19, 2012 at 06:37:39PM -0400, Bob S. wrote:

On Sun, Aug 19, 2012 at 6:24 PM, Jonathan M.
[email protected]wrote:

On 19 August 2012 22:32, Bob S. [email protected] wrote:

Hi there,

[rearranging for ease of reading.]

I want to find a secure but simple method for authenticating users in an
Nginx environment.

http basic authentication within ssl. As in every http-server
environment.

I have succeeded in figuring out the auth_basic mod but that does not meet
my needs.

Why not?

Which specific aspect of the nginx implementation of http basic
authentication is unsuitable for your use case?

Would http digest authentication avoid the problem you see?

Or would an alternative credential-checking method avoid the problem?

Does your own cookie-or-other authentication method avoid that problem?

(There are 3rd party modules that can help implement the first two
suggestions above, if you don’t want to write your own module from
scratch.)

I specifically want to supply my own form, get the username and PW, check it
against my DB with a CGI program, and then pass values back to Nginx.

What part of the form submission is better than the simple http
authentication that you rejected above?

(There can be some parts; but without knowing what exactly your needs
are,
it is hard to suggest something that meets them.)

Use proxy_pass (Module ngx_http_proxy_module) or fastcgi_pass
(Module ngx_http_fastcgi_module) to communicate the Auth headers to
your daemon, which should then respond with whatever page you want
your users to see in the event of auth success or failure.

That information is correct for the mechanics of how nginx will know to
invoke your application. But I think you’ll want a very clear idea of
what your application will do, before needing that information.

I am not clear on how this would work in the nginx.conf file.

I suggest you first gain a clear picture of how your application will
work in the http world. After you determine that it can work, you can
worry about the nginx implementation.

(For what it’s worth: I think your plan involves sending a Set-Cookie
response header to the browser, expecting that the browser will send a
Cookie request header in future requests. But maybe I think wrong.)

Also, aren’t there security risks using the headers? Can’t someone spoof
the headers and gain access that way?

Yes. Anyone can send a request with http authentication headers or with
cookie headers. Or with username and password details in the request,
or in the request body.

But it’s not yet obvious to me how http basic authentication differs
from your alternative, in this respect.

Like I said, this is all rather unclear to me.

Me too.

If you can explain why basic authentication doesn’t meet your needs,
perhaps a suitable alternative can be suggested.

(Quite possibly form-submission to set a cookie is the best solution
for
you. But maybe nginx-auth-request-module can let http basic
authentication
work for you and will be easier. Or maybe something else is best.)

f

Francis D. [email protected]

Sorry for my lack of precision. I know how to do all the below, I just
don’t know how to tell nginx whether or not user authentication was
successful.

Hello,

On 2012/08/20, at 6:32, Bob S. [email protected] wrote:

I specifically want to supply my own form, get the username and PW, check it
against my DB with a CGI program, and then pass values back to Nginx.

Do you mean that you want to know how to create an HTML form, pass the
parameters to a CGI, and then return an HTML output to the user?

Regards,

–
Javi Lavandeira

Twitter: @javilm
Blog: lavandeira.net – Blog

How else would you do it?

I don’t want to use basic_auth because I want to be able to style my own
form.

Make your CGI/PHP/Python/Perl script return a “Status: xxx” header.

I’m curious, why do you need to do it this way?

–
Javi Lavandeira

Twitter: @javilm
Blog: lavandeira.net – Blog

From what you’ve told us so far, it looks like you just want an HTML
form and a CGI to process it and then send some HTML back to the user.

You don’t need to complicate things too much. Just set up FastCGI with
your scripting language of choice, and don’t worry about sending back an
HTTP status code to NGINX. The web server needs to know the code only if
you’re going to implement error pages for common HTTP errors. Most of
the time you just send a human-readable error message with your HTML.

–
Javi Lavandeira

Twitter: @javilm
Blog: lavandeira.net – Blog

You don’t need to talk back to NGINX for that. Just make your script
return a “Location:” header redirecting the user’s web browser to his
profile directory.

I think this is already outside of the scope of this list. Feel free to
contact me in private.

–
Javier Lavandeira
http://www.lavandeira.net

try use ngx_lua module, in lua code check the db password etc.
example http 401 auth (simple chinse version):
smallfish weblog

blog: http://chenxiaoyu.org

I want to send status back to nginx because of the map directive
combined
with the alias directive:

events {
}
http {
map $remote_user $profile_directory {
default $remote_user;
}
server {
root /var/www/sites/dyvn/http;
location / {
auth_request /auth.html;
alias /var/www/sites/mysite.com/http/$profile_directory/;
}
}
}