<div dir="ltr">How about using ngx_lua?<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-10-22 16:05 GMT+08:00 JaminVP <span dir="ltr">&lt;<a href="mailto:nginx-forum@nginx.us" target="_blank">nginx-forum@nginx.us</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Greetings,<br>
<br>
I recently stumbled onto Nginx while researching a way to protect my<br>
Elasticsearch server without using Elastic Shield.<br>
My setup has a Windows Server box containing a webserver which has Kibana<br>
deployed on port 8080. The box also runs Elasticsearch as a service which<br>
listens to port 9200. The Kibana web application is protected by a filter<br>
which checks the HTTP-request header for the user-id and checks a database<br>
if this user-id is allowed to access Kibana.<br>
<br>
Unfortunately, Kibana has to send queries and requests to Elasticsearch from<br>
the user's browser. Hence Elasticsearch has to be accessible for the user.<br>
This allows unauthorized users to send REST-requests to the Elasticsearch<br>
server, making this a potential security threat.<br>
<br>
My solution to this problem would be to implement Nginx as a reverse proxy<br>
on the box, forcing the HTTP-requests to pass Nginx before being allowed to<br>
access Elasticsearch, which would then only be accessible on the box's<br>
localhost. The authentication would be processed by Nginx's<br>
http_auth_request_module, but I don't quite understand how to implement a<br>
service to which I redirect this auth request.<br>
<br>
I found this StackOverflow page to be the most insightful:<br>
<a href="http://stackoverflow.com/questions/25340630/how-can-i-set-up-an-automatic-authentication-layer-in-nginx" rel="noreferrer" target="_blank">http://stackoverflow.com/questions/25340630/how-can-i-set-up-an-automatic-authentication-layer-in-nginx</a><br>
, but it still doesn't explain how to actually implement the authentication<br>
service.<br>
<br>
My preferred way of writing this service would be through Java and wrapping<br>
it as a service. I understand that the service should return the HTTP-code<br>
200 if the authentication is successful and something else if it isn't. I'd<br>
like to process the HTTP-request in the same way I processed the<br>
HTTP-request in the filter I used to validate Kibana-users.<br>
<br>
Any tips to get me started on writing a Java-application that would act as<br>
an authentication service?<br>
<br>
If this isn't possible in Java, is there a way to do it in Perl or Python?<br>
<br>
Thanks<br>
<br>
Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,262394,262394#msg-262394" rel="noreferrer" target="_blank">https://forum.nginx.org/read.php?2,262394,262394#msg-262394</a><br>
</blockquote></div><br></div>
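An added example, not part of the original thread: a minimal Python service that an nginx auth_request subrequest could call, deciding from a user-id request header as the poster's Kibana filter does. The header name X-User-Id, the ALLOWED_USERS set standing in for the database lookup, the /_auth location and port 9001 are assumptions.

```python
# Added example: backend for nginx auth_request (ngx_http_auth_request_module).
# X-User-Id, ALLOWED_USERS, /_auth and port 9001 are hypothetical names.
#
# Assumed nginx side, shown here as a comment only:
#   location /        { auth_request /_auth;
#                       proxy_pass http://127.0.0.1:9200; }
#   location = /_auth { internal;
#                       proxy_pass http://127.0.0.1:9001;
#                       proxy_pass_request_body off;
#                       proxy_set_header Content-Length ""; }
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_USERS = {"alice", "bob"}  # constructed sample data, replaces the DB query


def decide(headers):
    """Return the status code that nginx acts on.

    auth_request allows the original request on any 2xx, denies it on
    401 or 403, and treats every other code as an error.
    """
    user = (headers.get("X-User-Id") or "").strip()
    if not user:
        return 401  # no identity presented
    if user not in ALLOWED_USERS:
        return 403  # identified, but not permitted
    return 204      # allowed; nginx ignores the response body


class AuthHandler(BaseHTTPRequestHandler):
    def _answer(self):
        self.send_response(decide(self.headers))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Same decision whatever method the subrequest arrives with.
    do_GET = do_HEAD = do_POST = _answer

    def log_message(self, fmt, *args):
        pass  # silent here; record denials in a real deployment


def serve(port=9001):
    # Loopback only, so nothing but the local nginx can reach the service.
    HTTPServer(("127.0.0.1", port), AuthHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The decision is only as trustworthy as the header: whatever sets the user-id must sit in front of nginx and overwrite any value sent by the browser.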