HTTP Authentication through database

lhmwzy lhmwzy at gmail.com
Thu Oct 22 08:22:59 UTC 2015


How about using ngx_lua?

2015-10-22 16:05 GMT+08:00 JaminVP <nginx-forum at nginx.us>:

> Greetings,
>
> I recently stumbled onto Nginx while researching a way to protect my
> Elasticsearch server without using Elastic Shield.
> My setup has a Windows Server box containing a webserver which has Kibana
> deployed on port 8080. The box also runs Elasticsearch as a service which
> listens to port 9200. The Kibana webapplication is protected by a filter
> which checks the HTTP-request header for the user-id and checks a database
> if this user-id is allowed to access Kibana.
>
> Unfortunately, Kibana has to send queries and requests to Elasticsearch from
> the user's browser. Hence Elasticsearch has to be accessible for the user.
> This allows unauthorized users to send REST-requests to the Elasticsearch
> server, making this a potential security threat.
>
> My solution to this problem would be to implement Nginx as a reverse proxy
> on the box, forcing the HTTP-requests to pass Nginx before being allowed to
> access Elasticsearch, which would then only be accessible on the box's
> localhost. The authentication would be processed by Nginx's
> http_auth_request_module, but I don't quite understand how to implement a
> service to which I redirect this auth request.
>
> I found this StackOverflow page to be the most insightful:
>
> http://stackoverflow.com/questions/25340630/how-can-i-set-up-an-automatic-authentication-layer-in-nginx
> , but it still doesn't explain how to actually implement the authentication
> service.
>
> My preferred way of writing this service would be through Java and wrapping
> it as a service. I understand that the service should return the HTTP-code
> 200 if the authentication is successful and something else if it isn't. I'd
> like to process the HTTP-request in the same way I processed the
> HTTP-request in the filter I used to validate Kibana-users.
>
> Any tips to get me started on writing a Java-application that would act as
> an authentication service?
>
> If this isn't possible in Java, is there a way to do it in Perl or Python?
>
> Thanks
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,262394,262394#msg-262394
>
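
The authentication service asked about above, sketched in Python as an added example that is not part of the original thread: nginx's auth_request allows the request when the subrequest returns 2xx, denies it on 401 or 403, and treats any other code as an error. The header name `X-User-Id`, the table `allowed_users`, port 9000 and the in-memory SQLite database (standing in for the real user database) are assumptions.

```python
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_HEADER = "X-User-Id"  # assumed name; use the header your Kibana filter reads

def make_db():
    """Constructed sample data; stands in for the real user database."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE allowed_users (user_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO allowed_users VALUES (?)", [("alice",), ("bob",)])
    return db

def decide(db, user_id):
    """Return the status auth_request acts on: 200 allows, 401/403 denies."""
    if not user_id:
        return 401  # no identity presented
    try:
        row = db.execute("SELECT 1 FROM allowed_users WHERE user_id = ?",
                         (user_id,)).fetchone()  # bound parameter, no string-built SQL
    except sqlite3.Error:
        return 403  # fail closed if the lookup breaks
    return 200 if row else 403

class AuthHandler(BaseHTTPRequestHandler):
    db = None  # set by make_server()

    def do_GET(self):
        # Only the request headers matter for the decision; no body is read.
        status = decide(self.db, self.headers.get(USER_HEADER, "").strip())
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

def make_server(db, port=9000):  # assumed port; 0 picks a free one
    AuthHandler.db = db
    return HTTPServer(("127.0.0.1", port), AuthHandler)  # loopback only

if __name__ == "__main__":
    make_server(make_db()).serve_forever()
```

On the nginx side, `auth_request` points at an internal location that `proxy_pass`es to this service, normally with `proxy_pass_request_body off`. A header the browser can set is only as trustworthy as whatever sets it, so the user-id header should be written by a trusted component in front of nginx, as with the existing Kibana filter.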