Re: user authentication with nginx

Francis Daly
August 19, 2012 08:50PM
On Sun, Aug 19, 2012 at 06:37:39PM -0400, Bob Stanton wrote:
> On Sun, Aug 19, 2012 at 6:24 PM, Jonathan Matthews <contact@jpluscplusm.com> wrote:
> > On 19 August 2012 22:32, Bob Stanton <farseas@gmail.com> wrote:

Hi there,

[rearranging for ease of reading.]

> > > I want to find a secure but simple method for authenticating users in an
> > > Nginx environment.

http basic authentication within ssl. As in every http-server environment.

> > > I have succeeded in figuring out the auth_basic mod but that does not meet
> > > my needs.

Why not?

Which specific aspect of the nginx implementation of http basic
authentication is unsuitable for your use case?

Would http digest authentication avoid the problem you see?

Or would an alternative credential-checking method avoid the problem?

Does your own cookie-or-other authentication method avoid that problem?

(There are 3rd party modules that can help implement the first two
suggestions above, if you don't want to write your own module from
scratch.)

> > > I specifically want to supply my own form, get the username and PW, check it
> > > against my DB with a CGI program, and then pass values back to Nginx.

What part of the form submission is better than the simple http
authentication that you rejected above?

(There *can* be some parts; but without knowing what exactly your needs are,
it is hard to suggest something that meets them.)

> > Use proxy_pass (http://nginx.org/r/proxy_pass) or fastcgi_pass
> > (http://nginx.org/r/fastcgi_pass) to communicate the Auth headers to
> > your daemon, which should then respond with whatever page you want
> > your users to see in the event of auth success or failure.

That information is correct for the mechanics of how nginx will know to
invoke your application. But I think you'll want a very clear idea of
what your application will do, before needing that information.

> I am not clear on how this would work in the nginx.conf file.

I suggest you first gain a clear picture of how your application will
work in the http world. After you determine that it can work, you can
worry about the nginx implementation.

(For what it's worth: I think your plan involves sending a Set-Cookie
response header to the browser, expecting that the browser will send a
Cookie request header in future requests. But maybe I think wrong.)

> Also, aren't there security risks using the headers? Can't someone spoof
> the headers and gain access that way?

Yes. Anyone can send a request with http authentication headers or with
cookie headers. Or with username and password details in the request,
or in the request body.

But it's not yet obvious to me how http basic authentication differs
from your alternative, in this respect.

> Like I said, this is all rather unclear to me.

Me too.

If you can explain why basic authentication doesn't meet your needs,
perhaps a suitable alternative can be suggested.

(Quite possibly form-submission to set a cookie *is* the best solution for
you. But maybe nginx-auth-request-module can let http basic authentication
work for you and will be easier. Or maybe something else is best.)

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
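
Added example, not part of the original post or of nginx: a sketch of the credential checker that would sit behind proxy_pass or fastcgi_pass, showing that a Basic Authorization header and a form-login cookie are both client-supplied values that count only if the server can verify them. The key, salt, user table and the `user|expiry|mac` cookie layout are constructed assumptions.

```python
import base64, hashlib, hmac, time

# Constructed sample data (assumptions for this example only).
SERVER_KEY = b"constructed-demo-key-not-for-production"
SALT = b"constructed-salt"
USERS = {"bob": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def check_password(user, password):
    """Compare against the stored PBKDF2 hash in constant time."""
    stored = USERS.get(user)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Compare even for unknown users so timing does not reveal valid names.
    return hmac.compare_digest(derived, stored or bytes(32)) and stored is not None

def check_basic(authorization):
    """Validate an 'Authorization: Basic ...' header value; return user or None."""
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8: the header is just bytes
        return None
    user, sep, password = raw.partition(":")
    return user if sep and check_password(user, password) else None

def issue_cookie(user, ttl=3600, now=None):
    """Value the form handler would put in Set-Cookie after check_password()."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expires}"  # assumes user names never contain '|'
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def check_cookie(value, now=None):
    """Validate the Cookie value the browser sends back; return user or None."""
    parts = (value or "").split("|")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    expected = hmac.new(SERVER_KEY, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):  # forged or altered
        return None
    if not expires.isdigit() or int(expires) < (now if now is not None else time.time()):
        return None
    return user
```

Either value is replayable by anyone who observes it in transit, which is why both schemes belong inside SSL as the reply says.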