Index of /~sto/nginx/ngx_http_auth_pam_module-1.2

Name                              Last modified      Size   Description

Parent Directory                                     -
ChangeLog                         2010-11-15 10:56   350
ChangeLog.html                    2010-11-15 12:39   4.3K
LICENSE                           2010-11-15 10:49   1.3K
LICENSE.html                      2010-11-15 12:39   5.2K
README                            2010-11-15 12:35   3.4K
README.html                       2010-11-15 12:37   11K
config                            2008-09-01 13:02   198
config.html                       2010-11-15 12:39   4.1K
ngx_http_auth_pam_module.c        2010-11-15 10:57   11K
ngx_http_auth_pam_module.c.html   2010-11-15 12:38   49K

Nginx module to use PAM for simple http authentication


Date: 2010-11-15
Revision: 4488

Compilation

When compiling from source, build as usual, adding the --add-module option:

./configure --add-module=$PATH_TO_MODULE

If you are using a Debian GNU/Linux distribution, it is easy to build a modified package that includes this module:

# Get the source
apt-get source nginx
# Copy the module
NGINX_DEBIAN=$(ls -d nginx-*/debian)
mkdir $NGINX_DEBIAN/ngx_http_auth_pam_module
cp config  $NGINX_DEBIAN/ngx_http_auth_pam_module/
cp ngx_http_auth_pam_module.c $NGINX_DEBIAN/ngx_http_auth_pam_module/
cd $NGINX_DEBIAN; cd ..;
# Add the argument ``--add-module=./debian/ngx_http_auth_pam_module`` to the
# ./configure call on the debian/rules file
sed -i -e '/.\/configure .*\\$/,/[^\\]$/ {
  /^.*[^\\]$/ {
    s%^\(.*\)$%\t    --add-module=./debian/ngx_http_auth_pam_module \\\n\1%;
  }
}' debian/rules
# Add the libpam-dev build dependency
sed -i -e 's/^Build-Depends: /Build-Depends: libpam-dev, /;' debian/control
# Update the package version using the dch command from devscripts
dch -l'+authpam' 'Added ngx_http_auth_pam_module support'
# Build the package
dpkg-buildpackage
# And install
sudo dpkg -i ../nginx*deb

Configuration

The module only has two directives:

Examples

To protect everything under /secure you will add the following to the nginx.conf file:

location /secure {
      auth_pam              "Secure Zone";
      auth_pam_service_name "nginx";
}

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate users without being root. That means that if you want to use the pam_unix.so module to authenticate users, you need to let the web server user read the /etc/shadow file, if that does not scare you: it exposes every local password hash to any code running as that user (on Debian-like systems you can add the www-data user to the shadow group).

As an example, to authenticate users against an LDAP server (using the pam_ldap.so module) you will use an /etc/pam.d/nginx like the following:

auth    required     /lib/security/pam_ldap.so
account required     /lib/security/pam_ldap.so

If you also want to limit the users from LDAP that can authenticate you can use the pam_listfile.so module; to limit who can access resources under /restricted add the following to the nginx.conf file:

location /restricted {
      auth_pam              "Restricted Zone";
      auth_pam_service_name "nginx_restricted";
}

Use the following /etc/pam.d/nginx_restricted file:

auth    required     /lib/security/pam_listfile.so onerr=fail item=user \
                     sense=allow file=/etc/nginx/restricted_users
auth    required     /lib/security/pam_ldap.so
account required     /lib/security/pam_ldap.so

And add the users allowed to authenticate to the /etc/nginx/restricted_users file (remember that the web server user has to be able to read this file).
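The nginx_restricted setup above only restricts access if the pam_listfile rule is mandatory, fails closed, and points at a list that the web server user can read and other users cannot change. The following audit script is an added example, not part of the module or its README; the function names, the findings text and the sample user names are assumptions made for illustration, and the parser handles only simple control keywords such as required.

```python
import os, stat, tempfile

def parse_pam_service(text):
    """Parse pam.d rules, joining '\\' continuations (simple control keywords only)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):              # rule continues on the next line
            pending = line[:-1] + " "
            continue
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def audit_listfile(rules):
    """Return findings for every pam_listfile rule in a parsed service file."""
    findings = []
    for _type, control, module, opts in rules:
        if os.path.basename(module) != "pam_listfile.so":
            continue
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        if kv.get("onerr") == "succeed":
            findings.append("onerr=succeed: an unreadable list lets the rule pass")
        if control not in ("required", "requisite"):
            findings.append("control '%s' does not make the list mandatory" % control)
        path = kv.get("file")
        if not path or not os.path.lexists(path):
            findings.append("list file missing: %s" % path)
            continue
        mode = os.lstat(path).st_mode
        if not stat.S_ISREG(mode) or mode & stat.S_IWOTH:
            findings.append("%s must be a regular, non-world-writable file" % path)
        elif not os.access(path, os.R_OK):   # run this as the web server user
            findings.append("%s is not readable by the current user" % path)
    return findings

def demo():  # audits a constructed copy of the page's nginx_restricted service file
    with tempfile.TemporaryDirectory() as d:
        users = os.path.join(d, "restricted_users")    # constructed sample list
        with open(users, "w") as f:
            f.write("alice\nbob\n")
        os.chmod(users, 0o640)
        service = ("auth required /lib/security/pam_listfile.so onerr=fail item=user \\\n"
                   "    sense=allow file=%s\nauth required /lib/security/pam_ldap.so\n"
                   "account required /lib/security/pam_ldap.so\n" % users)
        return audit_listfile(parse_pam_service(service))

if __name__ == "__main__":
    print(demo() or "no findings")
```

To audit a real system, pass the contents of /etc/pam.d/nginx_restricted to parse_pam_service() while running as the web server user, so that the readability check reflects what the module will see.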