Satisfy directive behaviour
serg.brester at sebres.de
Wed Jul 1 14:55:05 UTC 2015
Look at module "auth_request"
Good working solution at the moment is to use auth_request module
together with some external auth-daemon.
You can avoid many problems, e.g. with async/sync handling etc.
Using that I have already successful realized many authentication
methods (inclusively NTLM/Negotiate for windows).
If you have to realize anything doing handshake, you can use a variable
$connection or combination "$connection:$remote_addr:$remote_port" as
identifier for your connect with persistent authentication.
01.07.2015 15:36, Petra Kamenickova:
> I'm working on custom PAM module which could be used as an
> authorization support for authentication modules (e.g.
> ngx_http_auth_spnego_module) and I ran into few problems. I'm not sure
> I fully get the interactions between and within
> phases in nginx. My background is Apache HTTP Server so that might have
> twisted my expectations.
> I have noticed that satisfy directive behaves slightly different than
> Apache's satisfy - nginx checks every module in access phase and the
> first successful invocation stops any subsequent checks whereas
> Apache's satisfy checks host based access vs. other access modules. It
> has some implications especially for authentication and authorization
> implications. What would be the best way to make sure that
> authorization phases that need authentication to be run gets that
> authentication executed, even with satisfy any?
> The post access phase looks like a good place for authorization but it
> seems custom modules cannot really be added to this phase. So... is it
> possible to add somehow my module handler into post access phase
> without changing the core module? Or is there any way how to keep my
> module in access phase but skip the satisfy check for that module?
> I would be grateful for any help!
> Petra Kamenickova
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel 
More information about the nginx-devel