auth and security

sv savages at mozapps.com
Fri Sep 20 16:39:39 UTC 2013 

I have a configuration that is working but I would like a second( third,
fourth...) opinion.

what I want to do it

protect a location /zot.   zot contains static pages
/zot/ws        is a web socket connection

only with a cookie can a person access /zot and /zot/ws

if no cookie  rewrite to /login

login serves a page to login.
the reply is back to /login
if login is accessed with $args rewite to /auth

/auth validates the credentials  and returns /zot/index and cookie
not valid returns /login

/zot/ws is websocket connection
/auth is a cgi
/login servers login static pages
/zot returns static app pages

that is the basic idea.

code
**********************
        location /auth {
                if ($login = '') {
                        return 403;
                }

                proxy_redirect off;
                proxy_buffering off;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For
$proxy_add_x_forwarded_for;
                # maybe all cookies?
                proxy_set_header        Cookie          $cookie_hzc;

                # I tried database, did not work,  $nextval was always
nothing
                #postgres_pass database;
                #postgres_query HEAD GET "select nextval('nextsession')";
                #postgres_rewrite no_rows 403;
                #postgres_output text;
                #postgres_set $nextval 0 0 required;
                #set $args $args&sess=$nextval;

                # if I could authorize and make a secure cookie here
                 #   that the back end knows about is OK
                proxy_pass http://localhost:8088;
        }

       location /login {
                if ($args) {
                        # maybe check the args?  user=??? passwd="""  *
lua here OK
                        set $login 1;
                        rewrite ^/login/login(.*)$ /auth$1;
                }
                alias /var/www/login;

        }

        location /zot/ws {
                 if ($http_cookie !~* 'hzc') {
                        # maybe check cookie?   * lua is OK
                        rewrite ^/hzc(.*)$ /login$1;
                }
                # maybe all cookies?
                proxy_set_header        Cookie          $cookie_hzc;

                proxy_redirect off;
                proxy_buffering off;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For
$proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;
                proxy_pass http://localhost:8088;
        }

        location /zot {
                 if ($http_cookie !~* 'hzc') {
                        # maybe check cookie?  * lua is OK
                        rewrite ^/hzc(.*)$ /login$1;
                }
                alias /var/www/zot;
        }

More information about the nginx-devel mailing list