Forum: NGINX Emulate mod_auth_mysql in nginx?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
7298531b208ee3b11ca67c735ee63dd8?d=identicon&s=25 Floren Munteanu (Guest)
on 2009-03-13 20:07
(Received via mailing list)
Hi,

I was wondering if we could emulate mod_auth_mysql in nginx?

AuthName "Your Protected Area"
AuthType Basic
Auth_MySQL_Username mysqluser
Auth_MySQL_Password mysqlpass
Auth_MySQL_DB database
Auth_MySQL_Password_Table users
Auth_MySQL_Username_Field username
Auth_MySQL_Password_Field passwd
Auth_MySQL_Encrypted_Passwords Off
Auth_MySQL_Non_Persistent On
Auth_MYSQL On
Auth_MySQL_Empty_Passwords Off
require valid-user

INSERT INTO user VALUES ('abc', '123');

+-------------+-----------+
| username    | passwd    |
+-------------+-----------+
| abc         | 123       |
+-------------+-----------+

Thanks for your help.

Floren
B0b357b291ac72bc7da81b4d74430fe6?d=identicon&s=25 Barry Abrahamson (Guest)
on 2009-03-16 09:01
(Received via mailing list)
On Mar 13, 2009, at 2:00 PM, Floren Munteanu wrote:

> Auth_MySQL_Username_Field username
> | username    | passwd    |
> +-------------+-----------+
> | abc         | 123       |
> +-------------+-----------+
>
> Thanks for your help.

Try this nginx module:

http://code.svn.wordpress.org/nginx_auth_mysql/

Let us know how it goes
4e1ae4b836a9cfe3945d8c661b37246b?d=identicon&s=25 Manlio Perillo (Guest)
on 2009-03-16 12:05
(Received via mailing list)
Barry Abrahamson ha scritto:
>
> http://code.svn.wordpress.org/nginx_auth_mysql/
>


This will ruin Nginx performances.

If you really want to use a database as a backend, you should use
PostgreSQL, since libpq offer an async interface; and you should use a
stored procedure for the authentication.


Regards  Manlio
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-03-16 12:18
(Received via mailing list)
On Mon, Mar 16, 2009 at 11:55:28AM +0100, Manlio Perillo wrote:

> >Try this nginx module:
> >
> >http://code.svn.wordpress.org/nginx_auth_mysql/
> >
>
> This will ruin Nginx performances.
>
> If you really want to use a database as a backend, you should use
> PostgreSQL, since libpq offer an async interface; and you should use a
> stored procedure for the authentication.

Yes, you right. However, I have almost ready async mysql interface for
nginx,
that can be used here.
4e1ae4b836a9cfe3945d8c661b37246b?d=identicon&s=25 Manlio Perillo (Guest)
on 2009-03-16 13:31
(Received via mailing list)
Igor Sysoev ha scritto:
> [...]
>> If you really want to use a database as a backend, you should use
>> PostgreSQL, since libpq offer an async interface; and you should use a
>> stored procedure for the authentication.
>
> Yes, you right. However, I have almost ready async mysql interface for nginx,
> that can be used here.
>

Written from scratch, implementing the MySQL wire protocol?

By the way, after having implemented a pure PostgreSQL client in Python,
I tried to do the same with MySQL; but protocol design is very bad,
compared to PostgreSQL, so I gave up; it does not make sense to waste
time with MySQL, IMHO,



Manlio
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-03-16 13:40
(Received via mailing list)
On Mon, Mar 16, 2009 at 01:19:20PM +0100, Manlio Perillo wrote:

> Written from scratch, implementing the MySQL wire protocol?
Yes.

> By the way, after having implemented a pure PostgreSQL client in Python,
> I tried to do the same with MySQL; but protocol design is very bad,
> compared to PostgreSQL, so I gave up; it does not make sense to waste
> time with MySQL, IMHO,

It's already wasted :). The reamining part is parsing mysql response.
F5a6ed477b109fe6acc11a5a8f87e7e8?d=identicon&s=25 mike (Guest)
on 2009-03-16 17:38
(Received via mailing list)
Igor, you rock dude :)


2009/3/16 Igor Sysoev <is@rambler-co.ru>:
7298531b208ee3b11ca67c735ee63dd8?d=identicon&s=25 Floren Munteanu (Guest)
on 2009-03-16 23:37
(Received via mailing list)
Hi Igor,

> -----Original Message-----
> From: Igor Sysoev [mailto:is-G97k7egY2jIKNkxEY4oc4w@public.gmane.org]
> Posted At: Monday, March 16, 2009 7:05 AM
> Posted To: gmane.comp.web.nginx.english
> Conversation: Emulate mod_auth_mysql in nginx?
> Subject: Re: Emulate mod_auth_mysql in nginx?
>
> I have almost ready async mysql interface for nginx,
> that can be used here.

When do you think it will be available?

Thanks,

Floren
7298531b208ee3b11ca67c735ee63dd8?d=identicon&s=25 Floren Munteanu (Guest)
on 2009-03-20 21:31
(Received via mailing list)
> Written from scratch, implementing the MySQL wire protocol?
>
> By the way, after having implemented a pure PostgreSQL client in
> Python,
> I tried to do the same with MySQL; but protocol design is very bad,
> compared to PostgreSQL, so I gave up; it does not make sense to waste
> time with MySQL, IMHO

My goal is to store into a database table the username/password for a
directory.
Then, to have a htaccess like popup show when someone will reach that
directory.

Right now I can do it easy with a htpasswd file, in nginx.
But I think it is much more convenient to have a web interface where you
can
manage the users, etc.
Let me know if there is a similar solution I could use, with all user
info
stored into a MySQL database instead of a file.

Thanks.
561c2fb6d0c72e0c7bc52b263c7d56c3?d=identicon&s=25 Merlin (Guest)
on 2009-03-20 22:55
(Received via mailing list)
If what you *really* want is a web interface to manage the users, simply
make (or pay someone to make) a web interface to manage the password
files.
Problem solved, no waiting for asynchronous mysql interface.

- Merlin
7298531b208ee3b11ca67c735ee63dd8?d=identicon&s=25 Floren Munteanu (Guest)
on 2009-03-21 12:10
(Received via mailing list)
> If what you *really* want is a web interface to manage the users, simply
make (or pay someone to make) a web interface to manage the password
files. 
Problem solved, no waiting for asynchronous mysql interface.

That is not a viable solution, you know it. Managing sensitive files in
a
web environment is very unsecure, through a web interface. Ya, you can
create a htpasswd file into /etc/nginx dir for example and do a chmod
0700/chown nginx on it. Then, it is secure to stick in there your
usernames/passwords. But to use PHP or other language to manipulate
sensitive data through a POST that can get sniffed easy by anyone is
simply
insane, IMO. Not to mention that your file has to be editable by anyone
in
order to have your script write information into it...
1f63dadb857637a35df3fa553f67a5a7?d=identicon&s=25 Josh Turmel (Guest)
on 2009-03-21 16:32
(Received via mailing list)
Let's not forget about HTTPS, and as far as calling out that a specific
HTTP
request method (POST) can you explain further your rationale?
4e1ae4b836a9cfe3945d8c661b37246b?d=identicon&s=25 Manlio Perillo (Guest)
on 2009-03-22 00:35
(Received via mailing list)
Floren Munteanu ha scritto:
> directory.
> Then, to have a htaccess like popup show when someone will reach that
> directory.
>
> Right now I can do it easy with a htpasswd file, in nginx.
> But I think it is much more convenient to have a web interface where you can
> manage the users, etc.

You can write a web interface for htpasswd file, too.
And if you have a lot of users, maybe a more efficient solution is to
use a dbm database.

 > [...]


Regards  Manlio
561c2fb6d0c72e0c7bc52b263c7d56c3?d=identicon&s=25 Merlin (Guest)
on 2009-03-22 07:53
(Received via mailing list)
On Sat, Mar 21, 2009 at 3:56 AM, Floren Munteanu <nginx@yqed.com> wrote:

>
>
> > If what you *really* want is a web interface to manage the users, simply
> make (or pay someone to make) a web interface to manage the password
> files.
> Problem solved, no waiting for asynchronous mysql interface.
>
> That is not a viable solution, you know it.


It is certainly a viable solution as Manilo indicates.


> Managing sensitive files in a
> web environment is very unsecure, through a web interface.


No more insecure than managing sensitive data through a web interface -
in
either case you'll want SSL on top for any semblence of security.


> Ya, you can
> create a htpasswd file into /etc/nginx dir for example and do a chmod
> 0700/chown nginx on it. Then, it is secure to stick in there your
> usernames/passwords. But to use PHP or other language to manipulate
> sensitive data through a POST that can get sniffed easy by anyone is simply
> insane, IMO.


They can monitor the same POST requests to manage users in the database
-
it's no more secure.  As I said above,  you'll want to place SSL on top,
for
starters.

Not to mention that your file has to be editable by anyone in
> order to have your script write information into it...


Not really, it just needs to be editable by the user PHP is running as
(which I can control).  Alternatively, the PHP could make requests to
some
other service listening on localhost for insertion/removal from the
file.

There's a million ways to skin a cat; however, personally if I'm gonna
use
htpasswd authentication, I just manage it with htpasswd (sometimes
indirectly in bash scripts).  Simple machines, for the win!

- Merlin
This topic is locked and can not be replied to.