September 24

Nginx with PAM Authentication

Nginx is a lightweight Web and reverse proxy server that is gaining momentum. If you have URLs that should be accessed only by authenticated users, you have many options. In this article, I introduce a very easy way for Nginx to leverage PAM (Pluggable Authentication Modules) for user authentication. We will use OS users for authentication (PAM supports many more methods). If your request carries the credentials of a valid user on the Linux host on which Nginx runs, it will pass through; otherwise, it will be blocked.

Better than authenticating in each Web application, using Nginx allows multiple Web applications to share the same set of user credentials. In some sense, you can think of this as single sign-on (SSO).

Before moving forward, make sure you have nginx-extras installed on your system (it is the Debian/Ubuntu package that ships the PAM module). The command is listed in the last article.

Open Access for the Nginx User

Because we will use OS user names and passwords for authentication, the user that runs the Nginx worker processes, www-data, needs read access to the shadow password file. One simple Linux command achieves this. Keep in mind what it grants: every Nginx worker, and any code that manages to run as www-data through a bug in Nginx or a module, can from now on read every password hash on the host.

 

# usermod -a -G shadow www-data
# apt-get install libpam-radius-auth   # only needed if you later want RADIUS as a PAM backend; OS-user authentication works without it

 

Change configurations

Within /etc/pam.d, create a new file called nginx. You can use a different file name as long as you reference it later in the Nginx configuration (the auth_pam_service_name directive).

# more /etc/pam.d/nginx
@include common-auth

Then, we need to modify the Nginx configuration file: /etc/nginx/nginx.conf

http
{
    server
    {
        listen          443;
        ssl             on;
 
        ### SSL log files ###
        access_log      /var/log/nginx/ssl-access.log;
        error_log       /var/log/nginx/ssl-error.log;
 
        ### SSL cert files ###
        ssl_certificate      ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
 
        ### Add SSL specific settings here ###
        ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout    60;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
 
        location /
        {
            auth_pam    "Secure Zone";
            auth_pam_service_name   "nginx";
            proxy_pass  http://localhost:8080;
 
            ### force timeouts if one of backend is died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
 
            ### Set headers ####
            proxy_headers_hash_max_size 51200;
            proxy_headers_hash_bucket_size 6400;
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
 
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;
 
            proxy_redirect     off;
        }
    }
}

Exclude certain URLs

If, as is likely, you have certain resources that should be reachable without authentication, you can exclude them as follows. This opens up /overview.html and /help/helps.zip without user authentication.

    location ~ (/overview\.html|/help/helps\.zip)
    {
        auth_pam off;   # "auth_basic off" would not switch off the PAM module; "auth_pam off" does
        proxy_pass  http://localhost:8000;
        allow all; # Allow all to see content
    }
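As an added example that is not part of the original post, here is the server block from the configuration section and the exclusion from this section combined into one hardened configuration. It differs from the post's own configuration in four ways: auth_pam is set once at server level so that every location is protected unless it opts out (the module accepts the directive in the same contexts as auth_basic, which is assumed here), the excluded location uses auth_pam off and an anchored regex so that a path such as /tmp/overview.html does not slip through, the Authorization header is cleared before proxying so the operating-system credentials never reach the backend application, and SSLv3 and RC4 are replaced with TLS 1.2/1.3 and a modern cipher list. The certificate paths, log paths and excluded URLs come from the post; the server name, the nginx-users group mentioned below and the single backend port 8080 for both locations are assumptions, and TLSv1.3 requires nginx 1.13 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example, not the original post's configuration.
# Assumed: server_name, one backend on port 8080, nginx built with TLSv1.3 support.
http {
    server {
        listen 443 ssl;                 # replaces the deprecated "ssl on;"
        server_name example.internal;   # assumed host name

        access_log /var/log/nginx/ssl-access.log;
        error_log  /var/log/nginx/ssl-error.log;

        ssl_certificate     ssl/server.crt;
        ssl_certificate_key ssl/server.key;

        # HTTP Basic sends username:password on every request, protected only by
        # the TLS session, so the session itself must not use SSLv3 or RC4.
        ssl_protocols             TLSv1.2 TLSv1.3;
        ssl_ciphers               HIGH:!aNULL:!MD5:!RC4:!3DES;
        ssl_prefer_server_ciphers on;
        ssl_session_cache         shared:SSL:10m;
        ssl_session_timeout       10m;
        keepalive_timeout         60;

        # PAM authentication for the whole server; locations opt out explicitly.
        auth_pam              "Secure Zone";
        auth_pam_service_name "nginx";

        # Resources that must stay reachable without a login.
        # Anchored so only these exact paths match, not any URI containing them.
        location ~ ^/(overview\.html|help/helps\.zip)$ {
            auth_pam   off;             # "auth_basic off" would not disable the PAM module
            proxy_pass http://localhost:8080;
        }

        location / {
            proxy_pass http://localhost:8080;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            # Strip the OS credentials before the request reaches the backend and
            # pass only the authenticated user name ($remote_user is filled in by
            # the nginx core from the Basic Authorization header).
            proxy_set_header Authorization     "";
            proxy_set_header X-Remote-User     $remote_user;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
        }
    }
}
```

With @include common-auth alone, every account on the host that can log in locally can also log in here. If only some accounts should get through, /etc/pam.d/nginx can restrict them before the include, for example with `auth required pam_succeed_if.so user ingroup nginx-users` (the group name is an assumption). After reloading, `nginx -t` confirms the syntax, a request without credentials should return 401, and the access log should show the user name in the third field.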

Nginx is really powerful and flexible. We have just scratched the surface in the last post and this one.

Category: NGINX