/nginx_auth_mysql

Primary LanguageCGNU General Public License v2.0GPL-2.0

nginx_auth_mysql
----------------

nginx_auth_mysql allows you to do basic authentication against
a MySQL database.

== INSTALLATION ==

To install, compile nginx with the following option:

  --add-module=/path/to/nginx_auth_mysql
  
If mysqlclient or any of the other libraries are in non-standard locations,
you can add them to CORE_LIBS in the `config` file. Also you may need to
add CORE_INCS for include files. Here is how these two lines look in order
to compile it on Mac OS X using mysqlclient from darwinports:

CORE_LIBS="$CORE_LIBS -lcrypto -lmysqlclient -L/opt/local/lib/mysql5/mysql/"
CORE_INCS="$CORE_INCS /opt/local/include/mysql5/mysql/"

Note: every time you change the `config` file, you have to run the ./configure
magic line again.
  
== CONFIGURATION ==
  
It is activated by adding several configuration options:

- auth_mysql_realm: HTTP basic authentiaction realm. Required.
- auth_mysql_host: the host of the MySQL server. Default is 127.0.0.1.
- auth_mysql_port: on which port to connect to the MySQL server. Default is 3306.
- auth_mysql_user: username for connection to the MySQL server. Default is root.
- auth_mysql_password: password for connection to the MySQL server. Default is empty.
- auth_mysql_database: name of the database. Required.
- auth_mysql_table: name of the table, which holds the user record.
    You can have more than one table separated by comas. Default is users.
- auth_mysql_user_column: name of the username column. Default is username.
- auth_mysql_password_column: name of the password column. Default is password.
- auth_mysql_conditions: Additional SQL conditions. They will be placed after and AND.
    Default is empty string.
- auth_mysql_group_table: name of the table, which holds the groups information.
    You can have more than one table separated by comas. Default is the users table.
- auth_mysql_group_column: name of the group name column. Default is name.
- auth_mysql_group_conditions: Additional SQL conditions applied only in group queries.
    They will be placed after an AND. Default is empty string.
- auth_mysql_encryption_type: the format of the password field. Should be one of:
    * none: the password is stored in plaintext in the database;
    * md5: in the database is stored a md5 hash of the password;
    * phpass: a portable php hash of the password is stored. See:
        http://www.openwall.com/phpass/ for more information.
    The default is md5.
- auth_mysql_allowed_users: whitespace delimited list of allowed users.
- auth_mysql_allowed_groups: whitespace delimited list of allowed groups.
    If both allowed_users and allowed_groups are defined, either of them has to satisfied.
    
== SAMPLE CONFIGURATION ==

location / {
            root   html;
            index  index.html index.htm;
            auth_mysql_realm "My Secret Website:";
            auth_mysql_host "db.acme.com";
            auth_mysql_user "root";
            auth_mysql_password "secretsanta";
            auth_mysql_database "acme_production";
            auth_mysql_table "acme_users";
            auth_mysql_password_column "pass";
            auth_mysql_user_column "user";
            auth_mysql_encryption_type "phpass";
            # only these two usernames will be accepted
            auth_mysql_allowed_users "roadrunner coyote";
            # either the usernames above will be acceped
            # or any user from the groups below
            auth_mysql_allowed_groups "omg-bbq-admins";

        }   

# groups example
location / {
            root   html;
            index  index.html index.htm;
            auth_mysql_realm "My Secret Website with Groups:";
            auth_mysql_database "acme_production";
            auth_mysql_group_table "groups, users_groups"
            auth_mysql_group_column "groups.name"
            auth_mysql_group_conditions "users.id = users_groups.user_id AND users_groups.group_id = groups.id"
            auth_mysql_allowed_users "roadrunner coyote";
            # either the usernames above will be acceped
            # or any user from the groups below
            auth_mysql_allowed_groups "omg-bbq-admins";
        }   


== HOW IT WORKS ==

- The query for retrieving the password is in the form:
    SELECT
        `password`
    FROM user_table [, group_table]
    WHERE
        `username` = '<username-from-HTTP-request>'
        [AND conditions]
        [AND group_conditions]
        [AND group_column IN (<groups-from-allowed-users-clause>)]

You should add an index on your username column.

== BUGS ==

msp_users.ID = msp_bp_groups_members.user_id

== WRITING A NEW ECNRYPTION TYPE ==

Add an entry in the `ngx_http_auth_mysql_enctypes` array. It has to be a struct
with two elements:
    - ngx_str_t id
    
        The name under which it should be referenced in the config file
        
    - ngx_uint_t (*checker)(ngx_http_request_t *r, ngx_str_t sent_password, ngx_str_t actual_password)
    
        A function, which given the request (mostly used for logging and memory allocation through its r->pool),
    the password sent by the user and the password in the database has to determine whether they match.
    If they match it should return NGX_OK, if they don't it should return NGX_DECLINED. If other error
    occures, it should log it and return NGX_ERR.    
    Currently salts aren't supported, but if there are schemes, which require them it is quite easy.
    
Questions/patches may be sent to Nikolay Bachiyski, nikolay@automattic.com