sto/ngx_http_auth_pam_module sto/ngx_http_auth_pam_module

  • Stars
    star
    118
  • Rank 299,923 (Top 6 %)
  • Language
    C
  • License
    Other
  • Created almost 10 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
sto/ngx_http_auth_pam_module
github

sto

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Nginx module to use PAM for simple http authentication

ngx_http_auth_pam_module

Nginx module to use PAM for simple http authentication

Compilation

When compiling from source build as usual adding the --add-module option:

./configure --add-module=$PATH_TO_MODULE

or if you want to build the module as dynamic use the --add-dynamic-module option.

If you are using a Debian GNU/Linux distribution install the nginx-full package; the module has been included in the debian package since version 1.1.6-1, so it is available on all stable distributions since the wheezy release.

Configuration

The module only has two directives:

  • auth_pam: This is the http authentication realm. If given the value off the module is disabled (needed when we want to override the value set on a lower-level directive).

  • auth_pam_service_name: this is the PAM service name and by default it is set to nginx.

Examples

To protect everything under /secure you will add the following to the nginx.conf file:

location /secure {
    auth_pam              "Secure Zone";
    auth_pam_service_name "nginx";
}

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the pam_unix.so module to autenticate users you need to let the web server user to read the /etc/shadow file if that does not scare you (on Debian like systems you can add the www-data user to the shadow group).

As an example, to authenticate users against an LDAP server (using the pam_ldap.so module) you will use an /etc/pam.d/nginx like the following:

auth    required     /lib/security/pam_ldap.so
account required     /lib/security/pam_ldap.so

If you also want to limit the users from LDAP that can authenticate you can use the pam_listfile.so module; to limit who can access resources under /restricted add the following to the nginx.conf file:

location /restricted {
    auth_pam              "Restricted Zone";
    auth_pam_service_name "nginx_restricted";
}

Use the following /etc/pam.d/nginx_restricted file:

auth    required     /lib/security/pam_listfile.so onerr=fail item=user \
                     sense=allow file=/etc/nginx/restricted_users
auth    required     /lib/security/pam_ldap.so
account required     /lib/security/pam_ldap.so

And add the users allowed to authenticate to the /etc/nginx/restricted_users (remember that the web server user has to be able to read this file).

PAM Environment

If you want use the pam_exec.so plugin for request based authentication the module can add to the PAM environment the HOST and REQUEST variables if you set the auth_pam_set_pam_env flag::

location /pam_exec_protected {
  auth_pam              "Exec Zone";
  auth_pam_service_name "nginx_exec";
  auth_pam_set_pam_env  on;
}

With this configuration if you access an URL like:

http://localhost:8000/pam_exec_protected/page?foo=yes&bar=too

the PAM environment will include the following variables:

HOST=localhost:8000
REQUEST=GET /pam_exec_protected/page?foo=yes&bar=too HTTP/1.1

You may use this information for request based authentication. You need a recent pam release (>= version 1.0.90) to expose environment variables to pam_exec.

More Repositories

1

ssft

Shell Scripts Frontend Tool. Function library useful to build shell script frontends
Shell
9
star
2

flask-formvalidatorjs

Simple flask application with JavaScript form fields validation
HTML
1
star