"One Time" authentication (+reverse proxy, pam, radius)

Chris Stankevitz chrisstankevitz at gmail.com
Sat Dec 20 23:46:08 UTC 2014


Hello,

I want to create a "reverse" proxy.  I want users of the reverse proxy
to authenticate to a radius server.  I accomplished this by:

nginx.conf:
    server {
        listen 443 ssl;
        server_name x.y.com;
        ssl_certificate /usr/local/etc/ssl/x.y.com.chain.crt;
        ssl_certificate_key /usr/local/etc/ssl/x.y.com.key;
        location / {
            auth_pam "Secure Zone";
            auth_pam_service_name "nginx";
            proxy_pass http://x.y.local;
        }
    }

pam.d/nginx:
auth required pam_radius.so

This works... except the RADIUS password is actually a "one time
password".  It appears the web client retransmits the
previously-accepted username/password for each proxied page.  This
will not work when using OTP (one time passwords).

Can anyone suggest a way to achieve:

1. reverse proxy

2. the reverse-proxy authenticates the user (ideally using RADIUS or PAM)

3. the authentication is "cached" and not re-submitted for each page visited

I imagine the only way to do this is to perform "authentication" in
the "application layer" using some kind of custom CGI and cookies.

Thank you,

Chris
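The "application layer with cookies" idea from the post can be done without moving authentication into the application itself: nginx's auth_request module sends a subrequest to a small auth backend for every proxied request, and that backend can check a signed session cookie first and only fall back to the one-time password when no valid cookie is present. The following is an added example of such a backend, not code from the original post or from nginx; it assumes a cookie named rpsess, a server-side HMAC key, and replaces the RADIUS/PAM check with a constructed stand-in that accepts each code exactly once.

```python
"""Session-cookie gate for an nginx auth_request subrequest (added example).

First request: HTTP Basic credentials are checked once against the OTP
verifier and a signed, expiring cookie is issued.  Later requests are
allowed on the cookie alone, so the one-time code is never replayed even
though the browser keeps resending the Basic header.
"""
import base64
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "rpsess"  # assumed name for the session cookie


class OneTimeVerifier:
    """Stand-in for pam_radius: each (user, code) pair is accepted exactly once.

    Holds constructed sample data; a real deployment would ask RADIUS/PAM.
    """

    def __init__(self, codes):
        self._codes = dict(codes)   # user -> currently valid one-time code
        self._used = set()

    def verify(self, user, code):
        if self._codes.get(user) != code or (user, code) in self._used:
            return False
        self._used.add((user, code))
        return True


def basic_header(user, code):
    """Build the Authorization value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{code}".encode()).decode()


class SessionGate:
    """Answers an auth_request subrequest: 200 to allow, 401 to challenge."""

    def __init__(self, verifier, secret, ttl=3600, now=time.time):
        self.verifier = verifier
        self.secret = secret        # HMAC key, stays on the server
        self.ttl = ttl              # session lifetime in seconds
        self.now = now              # injectable clock so expiry is testable

    def _sign(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        """Mint 'user:expiry:nonce.signature' after a successful OTP check."""
        payload = f"{user}:{int(self.now()) + self.ttl}:{secrets.token_hex(8)}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token):
        """Return the user for a correctly signed, unexpired token, else None."""
        payload, sep, sig = token.rpartition(".")
        if not sep or not hmac.compare_digest(sig, self._sign(payload)):
            return None                       # forged or truncated
        user, expiry, _nonce = payload.split(":", 2)
        if self.now() > int(expiry):
            return None                       # session lifetime exceeded
        return user

    @staticmethod
    def _cookie(headers):
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
        return None

    def handle(self, headers):
        """Given the subrequest's headers, return (status, response headers)."""
        token = self._cookie(headers)
        if token and self.validate(token):
            return 200, {}                    # cached session wins; OTP untouched
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, code = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                user = code = ""
            if user and self.verifier.verify(user, code):
                cookie = (f"{COOKIE_NAME}={self.issue(user)}; Path=/; "
                          "Secure; HttpOnly; SameSite=Strict")
                return 200, {"Set-Cookie": cookie}
        return 401, {"WWW-Authenticate": 'Basic realm="Secure Zone"'}


if __name__ == "__main__":
    gate = SessionGate(OneTimeVerifier({"alice": "123456"}), b"constructed-demo-key")
    print(gate.handle({"Authorization": basic_header("alice", "123456")}))
    print(gate.handle({"Authorization": basic_header("alice", "123456")}))  # 401: code consumed
```

Because the cookie is checked before the verifier, the Basic credentials the browser keeps attaching are simply ignored once a session exists, which is what makes the one-time password usable. In nginx the location would carry auth_request pointing at this backend, and the Set-Cookie and WWW-Authenticate headers returned by the subrequest would be copied to the client response with auth_request_set and add_header (an assumed configuration pattern, not shown in the post).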


