On Sun, Feb 28, 2010 at 3:00 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:
> Here is auth request module, it allows authorization based on
> subrequest result.  It works at access phase and therefore may be
> nicely combined with other access modules (access, auth_basic) via
> satisfy directive.
>

This is really awesome!

But too sad the ngx_eval module can't work in subrequests itself so I
can not combine this with ngx_eval + ngx_drizzle + ngx_rds_json to do
mysql-based auth :)

It's mostly an issue in the ngx_eval, not your excellent
ngx_auth_request ;) Our ngx_srcache module will also take advantage of
subrequests to do response caching.

For now, I'm using something like this for mysql-based login and it
works on my machine [1]:

location = /auth {
default_type 'application/json';
eval_subrequest_in_memory off;
eval $res {
set_quote_sql_str $user $arg_user;
set_quote_sql_str $pass $arg_pass;
set $sql 'select count(*) res from users where name=$user
and passwd=$pass';
drizzle_query $sql;
drizzle_pass backend;
rds_json on;
rds_json_content_type application/octet-stream;
}
if ($res ~ '"res":1') {
echo "Cool! you're already logged in!";
}
if ($res !~ '"res":1') {
return 403;
}
}

where the "backend" upstream name used in the drizzle_pass directive
is defined like this:

upstream backend {
drizzle_server 127.0.0.1:3306 dbname=test
password=some_pass user=monty protocol=mysql;
drizzle_keepalive max=400 overflow=reject;
}

Then we can login the system by GET /auth?user=john&pass=some_pass.
Well, it's just a naive demonstration. Hopefully I'm not too OT :P

Cheers,
-agentzh

[1] Here we're using my fork of ngx_eval module (
http://github.com/agentzh/nginx-eval-module ) for two important
features: 1) capture outputs from arbitrary locations with output
filter support, 2) pass the parent request's query string (or "args")
into the eval block.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx