Emulate mod_auth_mysql in nginx?

Merlin merlin at mahalo.com
Sun Mar 22 09:45:18 MSK 2009


On Sat, Mar 21, 2009 at 3:56 AM, Floren Munteanu <nginx at yqed.com> wrote:

> > If what you *really* want is a web interface to manage the users, simply
> > make (or pay someone to make) a web interface to manage the password
> > files.
> > Problem solved, no waiting for asynchronous mysql interface.
>
> That is not a viable solution, you know it.


It is certainly a viable solution as Manilo indicates.


> Managing sensitive files in a
> web environment is very unsecure, through a web interface.


No more insecure than managing sensitive data through a web interface - in
either case you'll want SSL on top for any semblance of security.


> Ya, you can
> create a htpasswd file into /etc/nginx dir for example and do a chmod
> 0700/chown nginx on it. Then, it is secure to stick in there your
> usernames/passwords. But to use PHP or other language to manipulate
> sensitive data through a POST that can get sniffed easy by anyone is simply
> insane, IMO.


They can monitor the same POST requests to manage users in the database -
it's no more secure.  As I said above,  you'll want to place SSL on top, for
starters.

> Not to mention that your file has to be editable by anyone in
> order to have your script write information into it...


Not really, it just needs to be editable by the user PHP is running as
(which I can control).  Alternatively, the PHP could make requests to some
other service listening on localhost for insertion/removal from the file.

There's a million ways to skin a cat; however, personally if I'm gonna use
htpasswd authentication, I just manage it with htpasswd (sometimes
indirectly in bash scripts).  Simple machines, for the win!

- Merlin
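
An added example, not part of the original message and not the poster's own script: a POSIX shell sketch of managing an htpasswd-format file from a script so that it is rewritten atomically and stays private to its owner. The function names are hypothetical, and it assumes a single account owns the file and runs the functions, with hashes computed separately.

```sh
# Constructed example; function names and entry values are hypothetical.
# Assumes one account owns the file and runs these functions.

# htpasswd_set FILE USER HASH: add or replace USER's entry.
# HASH is computed elsewhere (e.g. `htpasswd -n`), never a plaintext password.
htpasswd_set() (
    file=$1 user=$2 hash=$3
    nl='
'
    # Refuse values that would corrupt the "user:hash" line format.
    case $user in ''|*:*|*"$nl"*) exit 2 ;; esac
    case $hash in ''|*"$nl"*) exit 2 ;; esac
    # Temp file in the same directory, so the final mv is an atomic rename;
    # mktemp creates it with mode 0600.
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    if [ -f "$file" ]; then
        # Copy every other user's line; exact match on field 1, not a regex.
        U=$user awk -F: '$1 != ENVIRON["U"]' "$file" >"$tmp" ||
            { rm -f "$tmp"; exit 1; }
    fi
    printf '%s:%s\n' "$user" "$hash" >>"$tmp" && mv -f "$tmp" "$file" ||
        { rm -f "$tmp"; exit 1; }
)

# htpasswd_del FILE USER: remove USER's entry with the same atomic rewrite.
htpasswd_del() (
    file=$1 user=$2
    [ -f "$file" ] || exit 1
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    U=$user awk -F: '$1 != ENVIRON["U"]' "$file" >"$tmp" && mv -f "$tmp" "$file" ||
        { rm -f "$tmp"; exit 1; }
)

# htpasswd_private FILE: succeeds only if FILE is not readable or writable by
# "other" and not writable by group.
htpasswd_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -020 \) -print)" ]
}
```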