Fake Basic Auth

[Francis Daly]

On Sun, Aug 25, 2013 at 08:53:57AM +0200, Christian Felsing wrote:

Hi there,

> Nginx should be used as a reverse proxy and configured for client
> certificate authentication. Backoffice application supports basic auth only.
> Apache 2.4 solution for that kind of problems is "Fake Basic Auth" so
> backoffice application gets a remote_user and password generated from
> client certificate presented by user.

So, in nginx and http terms, at the point where you "proxy_pass
http://backoffice", you also want to "proxy_set_header Authorization"
with the correct value.

The correct value is "Basic " followed by the base64-encoding of
user:pass, where "user" and "pass" are respectively the username and
password that you want the backoffice application to see.

Presumably you have a method of deriving the username from the client
certificate, and you have a method for deriving the password for this
username.

I'm not aware of a distribution-nginx-config way of doing the base64
encoding. You could try using a part of a third-party module like
http://wiki.nginx.org/HttpSetMiscModule, or perhaps you could use one
of the language modules to do the conversion. (Or you could write a
dedicated module to just do exactly what you want.)

Another option, if you have a fixed set of client certificates, could
be to use a "map" to hardcode the Authorization header value for each
certificate, and then use that variable in the "proxy_set_header" line --
that would not need anything extra from nginx; and, as a bonus, whatever
method you have to turn the certificate into a username can be opaque
to nginx, so it can be as complicated as you like.

	f
-- 
Francis Daly        francis at daoine.org