auth and security
sv
savages at mozapps.com
Fri Sep 20 16:39:39 UTC 2013
I have a configuration that is working but I would like a second (third,
fourth...) opinion.
What I want to do is:
protect a location /zot. zot contains static pages
/zot/ws is a web socket connection
only with a cookie can a person access /zot and /zot/ws
if no cookie rewrite to /login
login serves a page to login.
the reply is back to /login
if login is accessed with $args rewrite to /auth
/auth validates the credentials and returns /zot/index and cookie
not valid returns /login
/zot/ws is websocket connection
/auth is a cgi
/login serves login static pages
/zot returns static app pages
that is the basic idea.
code
**********************
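# Credential check: hands the login request to the CGI backend on
# localhost:8088, which is expected to validate it and issue the cookie.
location /auth {
    # $login is only assigned by the rewrite block in "location /login", so a
    # client requesting /auth directly arrives with it empty and is refused.
    # The "internal;" directive gives the same guarantee without relying on a
    # variable (it answers 404 rather than 403).
    if ($login = '') {
        return 403;
    }

    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
    # client sent, so the backend should take the peer address from X-Real-IP
    # (or the last entry only) and treat earlier entries as untrusted.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # maybe all cookies?
    # NOTE(review): $cookie_hzc is the cookie's value alone, so the backend
    # receives "Cookie: <value>" without the "hzc=" name; confirm the backend
    # parses it that way.
    proxy_set_header Cookie $cookie_hzc;

    # I tried database, did not work, $nextval was always nothing
    # NOTE(review): nextval() returns consecutive integers, so a session id
    # taken from it would be guessable; a session token should come from a
    # cryptographically random source.
    #postgres_pass database;
    #postgres_query HEAD GET "select nextval('nextsession')";
    #postgres_rewrite no_rows 403;
    #postgres_output text;
    #postgres_set $nextval 0 0 required;
    #set $args $args&sess=$nextval;

    # if I could authorize and make a secure cookie here
    # that the back end knows about is OK
    proxy_pass http://localhost:8088;
}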
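# Login pages: static files from /var/www/login, except that a request
# carrying a query string under /login/login is handed on to /auth.
location /login {
    if ($args) {
        # maybe check the args? user=??? passwd=""" * lua here OK
        # NOTE(review): credentials sent as query arguments are written to the
        # access log as part of the request line and are kept in browser
        # history; submitting the form by POST keeps them out of both.
        # $login marks the request as having passed through this block; the
        # guard in "location /auth" refuses requests where it is empty.
        set $login 1;
        # Only URIs beginning with /login/login are rewritten; any other
        # request with a query string is served from the static directory.
        rewrite ^/login/login(.*)$ /auth$1;
    }

    # NOTE(review): the prefix "/login" also matches sibling names such as
    # /login-old, which alias maps to /var/www/login-old; confirm nothing
    # private sits beside the login directory.
    alias /var/www/login;
}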
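# WebSocket endpoint: proxied to the backend on localhost:8088, only for
# requests that carry the hzc session cookie.
location /zot/ws {
    # The original test (`$http_cookie !~* 'hzc'`) accepted any Cookie header
    # containing the letters "hzc", and its rewrite pattern (^/hzc...) cannot
    # match a URI under /zot, so requests without the cookie were still
    # proxied.  Test the named cookie and refuse outright; a WebSocket
    # handshake has no use for a redirect to an HTML login page.
    # maybe check cookie? * lua is OK
    if ($cookie_hzc = "") {
        return 403;
    }
    # This is a presence check only: any non-empty hzc value passes here.
    # presumably the backend validates the value it receives; confirm.

    # maybe all cookies?
    # NOTE(review): $cookie_hzc is the value alone, so the backend receives
    # "Cookie: <value>" without the "hzc=" name; confirm it expects that.
    proxy_set_header Cookie $cookie_hzc;

    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; earlier entries are
    # untrusted input as far as the backend is concerned.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # WebSocket upgrade requires HTTP/1.1 and explicit hop-by-hop headers.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_pass http://localhost:8088;
}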
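# Static application pages from /var/www/zot, only for requests that carry
# the hzc session cookie; everyone else is sent to the login page.
location /zot {
    # The original test (`$http_cookie !~* 'hzc'`) accepted any Cookie header
    # containing the letters "hzc", and its rewrite pattern (^/hzc...) cannot
    # match a URI under /zot, so requests without the cookie were still
    # served.  Test the named cookie and redirect explicitly.
    # maybe check cookie? * lua is OK
    if ($cookie_hzc = "") {
        return 302 /login;
    }
    # This is a presence check only: any non-empty hzc value passes, and
    # nothing behind this location verifies it.  To enforce the session, have
    # the value checked against the backend's session store on each request
    # (an auth_request subrequest or a Lua access handler), or use a signed
    # cookie that can be verified here.
    alias /var/www/zot;
}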