Hi, I am a newbie at nginx and looking at its authentication capabilities. It appears that when using auth_request, every client request would still require an invokation to the auth_request fastcgi or proxy_pass server.
Looking at auth_pam, I am not clear on how it works:
1. How does nginx pass the user credentials to the PAM module?
2. Would nginx remember that a user has been authenticated? Perhaps via a cookie that'd be returned by PAM? I looked at the nginx pam source code and didn't see it returning any cookie to nginx ... perhaps PAM does it by storing it on some context that's returned to NGINX?
3. Is the auth_pam directive mandatory? When I used it with
locate /
{
auth_pam "Login Banner";
auth_required_service_name "nginx";
}
where the PAM nginx file had 'auth required pam_unix.so"
a user/password login page popped up. But even after I entered a valid user/pwd and hit <cr>, the same login page would pop up again, prompting for a user/pwd. I got the same behavior even after removing the auth_required_service_name statement.
Can someone explain the behavior I experienced?
4. Is there a way for us to provide our own Login html page to the user? If yes, how do we do it and how would we pass the credentials to NGINX?
5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based on the server/uri. For example, /www.example.org users would be authenticated via LDAP: location /example { auth_pam_service_name "authFile" } and the authFile would contains "auth required ldap.so"
Is there a way to configure nginx to base the authentication method on some user configuration outside of nginx?
Thank you for any clarifications!