Ngx_http_auth_pam_module is a project mainly written in C, based on the View license.
Fork of nginx pam authentication module. Adds additional environment variables for pam.
:Date: $Date: 2010-11-15 12:35:32 +0100 (dl 15 de nov de 2010) $ :Revision: $Rev: 4488 $
When compiling from source build as usual adding the -add-module option::
./configure --add-module=$PATH_TO_MODULE
If you are using a Debian GNU/Linux distribution is easy to build a modified package that includes this module::
apt-get source nginx
NGINX_DEBIAN=$(ls -d nginx-*/debian) mkdir $NGINX_DEBIAN/ngx_http_auth_pam_module cp config $NGINX_DEBIAN/ngx_http_auth_pam_module/ cp ngx_http_auth_pam_module.c $NGINX_DEBIAN/ngx_http_auth_pam_module/ cd $NGINX_DEBIAN; cd ..;
--add-module=./debian/ngx_http_auth_pam_module
to thesed -i -e '/./configure .$/,/[^]$/ { /^.[^]$/ { s%^(.*)$% --add-module=./debian/ngx_http_auth_pam_module n1%; } }' debian/rules
sed -i -e 's/^Build-Depends: /Build-Depends: libpam-dev, /;' debian/control
dch -l'+authpam' 'Added ngx_http_auth_pam_module support'
dpkg-buildpackage
sudo dpkg -i ../nginx*deb
The module only has two directives:
auth_pam
: This is the http authentication realm. If given the value
off
the module is disabled (needed when we want to override the value
set on a lower-level directive).
auth_pam_service_name
: this is the PAM service name and by default it is
set to nginx
.
To protect everything under /secure
you will add the following to the
nginx.conf
file::
location /secure { auth_pam "Secure Zone"; auth_pam_service_name "nginx"; }
Note that the module runs as the web server user, so the PAM modules used must
be able to authenticate the users without being root; that means that if you
want to use the pam_unix.so
module to autenticate users you need to let the
web server user to read the /etc/shadow
file if that does not scare you (on
Debian like systems you can add the www-data
user to the shadow
group).
As an example, to authenticate users against an LDAP server (using the
pam_ldap.so
module) you will use an /etc/pam.d/nginx
like the following::
auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so
If you also want to limit the users from LDAP that can authenticate you can
use the pam_listfile.so
module; to limit who can access resources under
/restricted
add the following to the nginx.conf
file::
location /restricted { auth_pam "Restricted Zone"; auth_pam_service_name "nginx_restricted"; }
Use the following /etc/pam.d/nginx_restricted
file::
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/nginx/restricted_users auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so
And add the users allowed to authenticate to the /etc/nginx/restricted_users
(remember that the web server user has to be able to read this file).
The plugin set's the following additional environment variables when using pam_exec.so
as pam module for authentication:
REQUEST=GET /some/url?foo&bar HTTP/1.1
HOST=localhost:8000
You may use this information for request based authentication. You need a recent pam release (>= version 1.0.90) to expose environment variables to pam_exec (Ubuntu 8.04 has a too old pam version here!).
.. ...... .. SVN Id: $Id: README 4488 2010-11-15 11:35:32Z sto $