user authentication with nginx

Francis Daly francis at daoine.org
Mon Aug 20 00:48:11 UTC 2012 

On Sun, Aug 19, 2012 at 06:37:39PM -0400, Bob Stanton wrote:
> On Sun, Aug 19, 2012 at 6:24 PM, Jonathan Matthews <contact at jpluscplusm.com>wrote:
> > On 19 August 2012 22:32, Bob Stanton <farseas at gmail.com> wrote:

Hi there,

[rearranging for ease of reading.]

> > > I want to find a secure but simple method for authenticating users in an
> > > Nginx environment.

http basic authentication within ssl. As in every http-server environment.

> > > I have succeeded in figuring out the auth_basic mod but that does not meet
> > > my needs.

Why not?

Which specific aspect of the nginx implementation of http basic
authentication is unsuitable for your use case?

Would http digest authentication avoid the problem you see?

Or would an alternative credential-checking method avoid the problem?

Does your own cookie-or-other authentication method avoid that problem?

(There are 3rd party modules that can help implement the first two
suggestions above, if you don't want to write your own module from
scratch.)

> > > I specifically want to supply my own form, get the username and PW, check it
> > > against my DB with a CGI program, and then pass values back to Nginx.

What part of the form submission is better than the simple http
authentication that you rejected above?

(There *can* be some parts; but without knowing what exactly your needs are,
it is hard to suggest something that meets them.)

> > Use proxy_pass (http://nginx.org/r/proxy_pass) or fastcgi_pass
> > (http://nginx.org/r/fastcgi_pass) to communicate the Auth headers to
> > your daemon, which should then respond with whatever page you want
> > your users to see in the event of auth success or failure.

That information is correct for the mechanics of how nginx will know to
invoke your application. But I think you'll want a very clear idea of
what your application will do, before needing that information.

> I am not clear on how this would work in the nginx.conf file.

I suggest you first gain a clear picture of how your application will
work in the http world. After you determine that it can work, you can
worry about the nginx implementation.

(For what it's worth: I think your plan involves sending a Set-Cookie
response header to the browser, expecting that the browser will send a
Cookie request header in future requests. But maybe I think wrong.)

> Also, aren't there security risks using the headers?  Can't someone spoof
> the headers and gain access that way?

Yes. Anyone can send a request with http authentication headers or with
cookie headers. Or with username and password details in the request,
or in the request body.

But it's not yet obvious to me how http basic authentication differs
from your alternative, in this respect.

> Like I said, this is all rather unclear to me.

Me too.

If you can explain why basic authentication doesn't meet your needs,
perhaps a suitable alternative can be suggested.

(Quite possibly form-submission to set a cookie *is* the best solution for
you. But maybe nginx-auth-request-module can let http basic authentication
work for you and will be easier. Or maybe something else is best.)

	f
-- 
Francis Daly        francis at daoine.org

More information about the nginx mailing list