1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
# ngx_http_auth_pam_module
## Nginx module to use PAM for simple http authentication
### Compilation
When compiling from source build as usual adding the ``--add-module`` option:
./configure --add-module=$PATH_TO_MODULE
or if you want to build the module as dynamic use the ``--add-dynamic-module``
option.
If you are using a Debian GNU/Linux distribution install the ``nginx-full``
package; the module has been included in the debian package since version
``1.1.6-1``, so it is available on all stable distributions since the *wheezy*
release.
### Configuration
The module only has two directives:
- ``auth_pam``: This is the http authentication realm. If given the value
``off`` the module is disabled (needed when we want to override the value
set on a lower-level directive).
- ``auth_pam_service_name``: this is the PAM service name and by default it is
set to ``nginx``.
### Examples
To protect everything under ``/secure`` you will add the following to the
``nginx.conf`` file:
location /secure {
auth_pam "Secure Zone";
auth_pam_service_name "nginx";
}
Note that the module runs as the web server user, so the PAM modules used must
be able to authenticate the users without being root; that means that if you
want to use the ``pam_unix.so`` module to autenticate users you need to let the
web server user to read the ``/etc/shadow`` file if that does not scare you (on
Debian like systems you can add the ``www-data`` user to the ``shadow`` group).
As an example, to authenticate users against an LDAP server (using the
``pam_ldap.so`` module) you will use an ``/etc/pam.d/nginx`` like the
following:
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
If you also want to limit the users from LDAP that can authenticate you can
use the ``pam_listfile.so`` module; to limit who can access resources under
``/restricted`` add the following to the ``nginx.conf`` file:
location /restricted {
auth_pam "Restricted Zone";
auth_pam_service_name "nginx_restricted";
}
Use the following ``/etc/pam.d/nginx_restricted`` file:
auth required /lib/security/pam_listfile.so onerr=fail item=user \
sense=allow file=/etc/nginx/restricted_users
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
And add the users allowed to authenticate to the ``/etc/nginx/restricted_users``
(remember that the web server user has to be able to read this file).
### PAM Environment
If you want use the ``pam_exec.so`` plugin for request based authentication the
module can add to the PAM environment the ``HOST`` and ``REQUEST`` variables if
you set the ``auth_pam_set_pam_env`` flag::
location /pam_exec_protected {
auth_pam "Exec Zone";
auth_pam_service_name "nginx_exec";
auth_pam_set_pam_env on;
}
With this configuration if you access an URL like:
http://localhost:8000/pam_exec_protected/page?foo=yes&bar=too
the PAM environment will include the following variables:
HOST=localhost:8000
REQUEST=GET /pam_exec_protected/page?foo=yes&bar=too HTTP/1.1
You may use this information for request based authentication.
You need a recent pam release (>= version 1.0.90) to expose environment
variables to pam_exec.
|
