How to set up nginx as a 2-factor authentication portal that becomes transparent once auth'd?

Andrew Alexeev andrew at nginx.com
Fri Apr 12 22:29:22 UTC 2013 

Hi Dave,

On Apr 12, 2013, at 2:34 PM, ix8675874 at sent.at wrote:

> Hi,
> 
> I just started with a small company that's got a bunch of web apps being
> served up from a bunch of different web servers.  Some are 'appliances',
> most are Apache.
> 
> It's a mess of an infrastrucutre -- slow and .  My long term plan is to
> convert to one lighter weight platform with commercial support
> available.  Although I haven't used it myself for anything in production
> yet, after a bunch of reading and some fooling around on my own, I'm 99%
> sure it's going to be Nginx.
> 
> In the short term -- like the boss wants it yesterday! -- I need to put
> everything behind two factor authentication and enable SSL.  Right now,
> every web app is directly exposed to the web with single-factor auth
> over http://.
> 
> In principle, I think I can solve this in one nginx instance.  Setting
> nginx up to listen on one IP, and serve up separate SSL certificates for
> each web app is brilliantly easy in nginx!  Works perfectly.  SO that
> part's basically done.
> 
> The auth piece has me scratching my head -- and I hope somebody here can
> provide some guidance.
> 
> What I want to do is have all access to the webapps FIRST go through a
> two factor authentication webpage in nginx.  The two factors I need are
> (1) a simple password known to the user, and (2) a
> GoogleAuthenticator-generated token/passcode.
> 
> ONLY on correct & timely enter of both do I want the user passed through
> to the webapp on one of those servers I mentioned.  But once they do,
> the 'authentication site' should become trabsparent and not interfere at
> all with the session, etc.
> 
> I'm not sure how to:
> 
> (1) implement Google AUthenticator integration in Nginx.  I've looked
> for something built-in, or some plugin, which would be fantastic.  But
> I've haven't found anything reliable yet.
> (2) make sure that after Authentication is OK to make everything
> transparent to & from the webapps behind the nginx instance.  Is this
> proxying?  I'm pretty sure I need to pass some sort of variables, but is
> there some setting that bundles up everything so it's fully transparent?
> 
> Are there any built-in ways -- and better yet, good tutorials! -- that
> exist alrady for these?  I doubt I've thought up anything new here, so
> I'm hoping someone's already posted some know-how.

There's an http request authentication module by one of nginx core developers here:

http://mdounin.ru/hg/ngx_http_auth_request_module/file/a29d74804ff1/README

And have you checked Lua-module for nginx by agentzh (Yichun Zhang) ?

http://wiki.nginx.org/HttpLuaModule
http://seatgeek.com/blog/dev/oauth-support-for-nginx-with-lua
https://gist.github.com/josegonzalez/4196901

etc. :)


> THanks a bunch for any help!
> 
> 
> Dave
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

More information about the nginx mailing list