"One Time" authentication (+reverse proxy, pam, radius)

Chris Stankevitz
December 20, 2014 06:48PM
Hello,

I want to create a "reverse" proxy. I want users of the reverse proxy
to authenticate to a radius server. I accomplished this by:

nginx.conf:
server {
    listen 443 ssl;
    server_name x.y.com;
    ssl_certificate /usr/local/etc/ssl/x.y.com.chain.crt;
    ssl_certificate_key /usr/local/etc/ssl/x.y.com.key;
    location / {
        auth_pam "Secure Zone";
        auth_pam_service_name "nginx";
        proxy_pass http://x.y.local;
    }
}

pam.d/nginx:
auth required pam_radius.so

This works... except the RADIUS password is actually a "one time
password". It appears the web client retransmits the
previously-accepted username/password for each proxied page. This
will not work when using OTP (one time passwords).

Can anyone suggest a way to achieve:

1. reverse proxy

2. the reverse-proxy authenticates the user (ideally using RADIUS or PAM)

3. the authentication is "cached" and not re-submitted for each page visited

I imagine the only way to do this is to perform "authentication" in
the "application layer" using some kind of custom CGI and cookies.

Thank you,

Chris

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
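
Added example, not part of the original post: a sketch of the "check the OTP once, then carry a signed session cookie" pattern the post asks about. The function names, the 900-second lifetime and the single-use backend are assumptions made for illustration; the backend stands in for the RADIUS/PAM call.

```python
import hashlib
import hmac

SESSION_TTL = 900  # seconds a session stays valid (assumed value)

def sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, key: bytes, now: float) -> str:
    """Called once, right after the OTP has been accepted."""
    body = f"{int(now) + SESSION_TTL}:{user}".encode().hex()
    return f"{body}.{sign(body, key)}"

def verify_cookie(cookie: str, key: bytes, now: float):
    """Called on every proxied request; returns the user name or None."""
    body, sep, sig = cookie.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), sign(body, key).encode()):
        return None  # missing or forged signature
    try:
        expiry, user = bytes.fromhex(body).decode().split(":", 1)
        return user if int(expiry) > now else None  # reject expired sessions
    except ValueError:
        return None

def make_single_use_backend(valid):
    """Constructed stand-in for the RADIUS/PAM check: each OTP works once."""
    unused = set(valid)
    def check(user: str, otp: str) -> bool:
        if (user, otp) in unused:
            unused.discard((user, otp))
            return True
        return False
    return check

def handle_request(cookie, credentials, check_otp, key, now):
    """Return (allowed, cookie_to_set) for one request."""
    if cookie and verify_cookie(cookie, key, now):
        return True, None  # valid session: the OTP backend is not contacted
    if credentials and check_otp(*credentials):
        return True, issue_cookie(credentials[0], key, now)
    return False, None

if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # use a random secret in practice
    check = make_single_use_backend({("chris", "123456")})  # constructed data
    ok, cookie = handle_request(None, ("chris", "123456"), check, key, 1000)
    print(ok, handle_request(cookie, None, check, key, 1100))
```

In a deployment the cookie would be set with the Secure and HttpOnly attributes, and the per-request check could sit behind nginx's auth_request module instead of auth_pam.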