HTTP Authentication through database

JaminVP nginx-forum at nginx.us
Thu Oct 22 08:05:08 UTC 2015


Greetings,

I recently stumbled onto Nginx while researching a way to protect my
Elasticsearch server without using Elastic Shield. 
My setup has a Windows Server box containing a webserver which has Kibana
deployed on port 8080. The box also runs Elasticsearch as a service which
listens to port 9200. The Kibana webapplication is protected by a filter
which checks the HTTP-request header for the user-id and checks a database
if this user-id is allowed to access Kibana.

Unfortunatly, Kibana has to send queries and requests to Elasticsearch from
the user's browser. Hence Elasticsearch has to be accessible for the user.
This allows unauthorized users to send REST-requests to the Elasticsearch
server, making this a potential security threat.

My solution to this problem would be to implement Nginx as a reverse proxy
on the box, forcing the HTTP-requests to pass Nginx before being allowed to
access Elasticsearch, which would then only accessible on the box's
localhost. The authentication would be processed by Nginx's
http_auth_request_module, but I don't quite understand how to implement a
service to which I redirect this auth request to.

I found this StackOverflow page to be the most insightful:
http://stackoverflow.com/questions/25340630/how-can-i-set-up-an-automatic-authentication-layer-in-nginx
, but it still doesn't explain how to actually implement the authentication
service.

My preferred way of writing this service would be through Java and wrapping
it as a service. I understand that the service should return the HTTP-code
200 if the authentication is succesful and something else if it isn't. I'd
like to process the HTTP-request in the same way I processed the
HTTP-request in the filter I used to validate Kibana-users.

Any tips to get me started on writing a Java-application that would act as
an authentication service?

If this isn't possible in Java, is there a way to do it in Perl or Python?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,262394,262394#msg-262394



More information about the nginx mailing list