How to set up nginx as a 2-factor authentication portal that becomes transparent once auth'd?
Andrew Alexeev
andrew at nginx.com
Fri Apr 12 22:29:22 UTC 2013
Hi Dave,
On Apr 12, 2013, at 2:34 PM, ix8675874 at sent.at wrote:
> Hi,
>
> I just started with a small company that's got a bunch of web apps being
> served up from a bunch of different web servers. Some are 'appliances',
> most are Apache.
>
> It's a mess of an infrastructure -- slow and . My long term plan is to
> convert to one lighter weight platform with commercial support
> available. Although I haven't used it myself for anything in production
> yet, after a bunch of reading and some fooling around on my own, I'm 99%
> sure it's going to be Nginx.
>
> In the short term -- like the boss wants it yesterday! -- I need to put
> everything behind two factor authentication and enable SSL. Right now,
> every web app is directly exposed to the web with single-factor auth
> over http://.
>
> In principle, I think I can solve this in one nginx instance. Setting
> nginx up to listen on one IP, and serve up separate SSL certificates for
> each web app is brilliantly easy in nginx! Works perfectly. So that
> part's basically done.
>
> The auth piece has me scratching my head -- and I hope somebody here can
> provide some guidance.
>
> What I want to do is have all access to the webapps FIRST go through a
> two factor authentication webpage in nginx. The two factors I need are
> (1) a simple password known to the user, and (2) a
> GoogleAuthenticator-generated token/passcode.
>
> ONLY on correct & timely entry of both do I want the user passed through
> to the webapp on one of those servers I mentioned. But once they do,
> the 'authentication site' should become transparent and not interfere at
> all with the session, etc.
>
> I'm not sure how to:
>
> (1) implement Google Authenticator integration in Nginx. I've looked
> for something built-in, or some plugin, which would be fantastic. But
> I haven't found anything reliable yet.
> (2) make sure that after Authentication is OK to make everything
> transparent to & from the webapps behind the nginx instance. Is this
> proxying? I'm pretty sure I need to pass some sort of variables, but is
> there some setting that bundles up everything so it's fully transparent?
>
> Are there any built-in ways -- and better yet, good tutorials! -- that
> exist already for these? I doubt I've thought up anything new here, so
> I'm hoping someone's already posted some know-how.
There's an HTTP request authentication module by one of the nginx core developers here:
http://mdounin.ru/hg/ngx_http_auth_request_module/file/a29d74804ff1/README
And have you checked the Lua module for nginx by agentzh (Yichun Zhang)?
http://wiki.nginx.org/HttpLuaModule
http://seatgeek.com/blog/dev/oauth-support-for-nginx-with-lua
https://gist.github.com/josegonzalez/4196901
etc. :)
> Thanks a bunch for any help!
>
>
> Dave
>
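An added example, not written by either poster and not code from nginx or the linked modules: the decision logic a backend behind the auth_request module could use. A login handler checks the Google Authenticator code (RFC 6238 TOTP) alongside the password and issues a signed cookie; the subrequest nginx makes for each later request then gets 200 (proxy through) or 401 (deny). The cookie format, `SESSION_KEY`, `SESSION_TTL` and all function names are assumptions.

```python
import base64, hashlib, hmac, struct

SESSION_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
SESSION_TTL = 8 * 3600                 # assumption: session lifetime in seconds

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator generates."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, at, window=1, step=30):
    """Accept the current time step and +/- window steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):  # no early exit: constant work per call
        expected = totp(secret_b32, at + drift * step, step)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

def _sign(body):
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Call only after password AND TOTP both verified. Returns 'user|expiry|mac'."""
    body = f"{user}|{int(now) + SESSION_TTL}"
    return f"{body}|{_sign(body)}"

def auth_status(cookie, now):
    """Status for the auth_request subrequest: 200 allows, 401 denies."""
    try:
        user, expiry, mac = cookie.split("|")
        good = _sign(f"{user}|{expiry}")
        if hmac.compare_digest(good.encode(), mac.encode()) and int(expiry) > now:
            return 200
    except (AttributeError, ValueError):  # missing or malformed cookie
        pass
    return 401
```

A deployed verifier would also record the last accepted time step per user so that a code cannot be reused within its validity window.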