external authentication using a custom script

CM Fields cmfileds at gmail.com
Thu Jun 14 20:10:12 UTC 2012


I would like to authenticate HTTP and HTTPS clients using an external script
through Nginx.

All the authentication scripts are already made and I will modify them in any
way necessary to work with Nginx. The scripts query completely custom database
servers and XML based authenticators so an external script is needed to work,
for example, with the current implementation of Apache.


Basically, I am looking for similar functionality of mod_authnz_external from
Apache in Nginx.  http://code.google.com/p/mod-auth-external/

For example, when the client connects to a certain "location" specified in the
nginx.conf, the Nginx server should ask them for their username and password
using the standard pop-up box; just like when auth_basic is used. But, instead
of checking a local file Nginx supplies the username and password to an
external script. The external script will authenticate the user/pass pair and
give a proper response back to Nginx to allow or deny. As long as the HTTP
client is connected Nginx will know they are authenticated just like
auth_basic.


At this point I was hoping for some opinions if I am on the right track to get
Nginx do what I need.

>From what I could find, the "auth_http" directive looks like a possibility,
but I wonder if it only works with POP3 and IMAP clients. Nginx will connect
to a remote http server with the username and pass in the headers. I take those
headers into my script and return with a OK or Invalid header response. I can
write a small HTTP deamon responder to be my authenticator if "auth_http" is
the right method.


Any other suggestions, ideas or opinions are very welcome. If anyone needs more
information or if a point was unclear, I would be happy to respond to the list
with more information. When I get external authentication working with Nginx I
would be happy to share the complete setup with the list.



More information about the nginx mailing list