Satisfy directive behaviour

Sergey Brester serg.brester at sebres.de
Wed Jul 1 14:55:05 UTC 2015


Hi,

Look at the module "auth_request" 
(http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
A good working solution at the moment is to use the auth_request module 
together with some external auth daemon.
You can avoid many problems, e.g. with async/sync handling etc.

Using that, I have already successfully realized many authentication 
methods (including NTLM/Negotiate for Windows).
If you have to realize anything that does a handshake, you can use the 
variable $connection or the combination 
"$connection:$remote_addr:$remote_port" as an identifier for your 
connection with persistent authentication.

Regards,
sebres.


01.07.2015 15:36, Petra Kamenickova:

> Hi!
> 
> I'm working on a custom PAM module which could be used as 
> authorization support for authentication modules (e.g. 
> ngx_http_auth_spnego_module) and I ran into a few problems. I'm not 
> sure I fully get the interactions between and within phases in nginx. 
> My background is Apache HTTP Server so that might have twisted my 
> expectations.
> 
> I have noticed that the satisfy directive behaves slightly differently 
> than Apache's satisfy - nginx checks every module in the access phase 
> and the first successful invocation stops any subsequent checks, whereas 
> Apache's satisfy checks host-based access vs. other access modules. It 
> has some implications, especially for authentication and authorization. 
> What would be the best way to make sure that 
> authorization phases that need authentication to be run get that 
> authentication executed, even with satisfy any?
> 
> The post access phase looks like a good place for authorization but it 
> seems custom modules cannot really be added to this phase. So... is it 
> possible to somehow add my module handler into the post access phase 
> without changing the core module? Or is there any way to keep my 
> module in the access phase but skip the satisfy check for that module?
> 
> I would be grateful for any help!
> 
> --
> Petra Kamenickova
> 
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel [1]


Links:
------
[1] http://mailman.nginx.org/mailman/listinfo/nginx-devel
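
The following is an added example, not code from this thread or from nginx: a minimal external auth daemon for auth_request that keeps handshake state per client connection, keyed by the "$connection:$remote_addr:$remote_port" identifier suggested in the reply. The X-Conn-Id header name, the daemon address, the sample credential and the two-round "Demo" scheme (a stand-in for a real multi-round handshake such as NTLM/Negotiate) are all assumptions.

```python
"""Auth daemon for nginx auth_request with state bound to the client connection.
Assumed nginx wiring (the X-Conn-Id header name and daemon address are assumptions):
    location /app/  { auth_request /_auth; proxy_pass http://backend; }
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Conn-Id "$connection:$remote_addr:$remote_port";
    }
"""
import hashlib, hmac, secrets, time
from http.server import BaseHTTPRequestHandler, HTTPServer

TTL = 300                                        # seconds before state expires
SECRETS = {"alice": b"constructed-demo-secret"}  # constructed sample credential
state = {}                                       # conn_id -> {"nonce"|"user", "ts"}

def decide(conn_id, authorization, now=None):
    """Return (status, headers) for one auth subrequest; "Demo" is a made-up scheme."""
    now = time.time() if now is None else now
    entry = state.get(conn_id)
    if entry and now - entry["ts"] > TTL:
        entry = None                             # stale: handle as a new connection
    if entry and "user" in entry:                # this connection already authenticated
        return 200, {"X-Auth-User": entry["user"]}
    scheme, _, rest = (authorization or "").partition(" ")
    if entry and scheme == "Demo":               # round 2: answer to our challenge
        user, _, mac = rest.partition(":")
        key = SECRETS.get(user)
        want = hmac.new(key or b"-", entry["nonce"].encode(), hashlib.sha256).hexdigest()
        if key and hmac.compare_digest(mac.encode(), want.encode()):
            state[conn_id] = {"user": user, "ts": now}
            return 200, {"X-Auth-User": user}
    nonce = secrets.token_hex(16)                # round 1 (or failed round 2): new challenge
    state[conn_id] = {"nonce": nonce, "ts": now}
    return 401, {"WWW-Authenticate": f"Demo nonce={nonce}"}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        cid = self.headers.get("X-Conn-Id")
        status, hdrs = decide(cid, self.headers.get("Authorization")) if cid else (403, {})
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
```

Because the nonce is stored under the connection identifier that nginx sets, a response computed for one connection's challenge is not accepted on another connection, and the authenticated state lasts only for that connection or until the TTL expires.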