This is an authentication server, similar to htpasswd-auth-server or ldap-auth-server. All users are stored in a PostgreSQL table, and there's a web interface. Administrators can set users' passwords, and require a user to change their password on their next login. Users can change their own passwords.
I have a repo for automatically installing OpenResty + luarocks - https://github.com/jprjr/setup-openresty
git clone https://github.com/jprjr/setup-openresty /tmp/setup-openresty
/tmp/setup-openresty/setup-openresty --prefix=/opt/openresty
This will install openresty at /opt/openresty. You can then add /opt/openresty/bin to your PATH, or make symlinks from /usr/local/bin to the binaries/scripts at /opt/openresty/bin, whichever you prefer.
In all my examples, I'll assume you've somehow added luarocks to your PATH.
You'll need libyaml-dev and postgresql installed:
sudo apt-get install libyaml-dev postgresql
Then create a username, password, and database for postgres-auth-server. You should change the below example to have a better password.
sudo -u postgres psql -c "create user psql_auth with password 'psql_auth'"
sudo -u postgres psql -c "create database psql_auth with owner psql_auth"
sudo luarocks install postgres-auth-server
Assuming you used the setup-openresty script, then you'll find postgres-auth-server at /opt/openresty/bin/postgres-auth-server
Create a file at /etc/postgres-auth-server/config.yaml -- there's an example config.yaml file in this repo. Edit as needed.
Move on down to the Usage section.
You can set up postgres-auth-server to use its own lua_modules folder:
git clone https://github.com/jprjr/postgres-auth-server.git
postgres-auth-server
luarocks-openresty --tree=lua_modules make rockspecs/postgres-auth-server-dev-1.rockspec
Then launch with:
./bin/postgres-auth-server
By default, ./bin/postgres-auth-server will just try to use lua - you can specify a lua binary to run with -l (binary), ie:
./bin/postgres-auth-server -l /opt/openresty/bin/lua
The authentication endpoint for apps/nginx is /auth, ie:
http://127.0.0.1:8080/auth
http://192.168.1.50:8080/auth
http://192.168.1.50:8080/users/auth -- if set up with http_prefix: '/users'
Please look at the etc/config.yaml.example file for details on how to configure this.
In any examples, substitute postgres-auth-server with ./bin/postgres-auth-server if you went for the self-contained installation.
postgres-auth-server help
Usage: postgres-auth-server [-c /path/to/config.yaml] <action>
Available actions:
add username -- interactively add user
admin username -- make user admin
unadmin username -- make user admin
change username -- require change for user
list -- list users
import /path/to/htpasswd -- import existing htpasswd file
run -- run server
check -- check config file
Prompts for a username, password, whether the user should be an admin, and if the user should be forced to change their password at next login.
Makes (username) flagged as an admin user.
Removes admin status from a user.
Forces a password change at next login.
Lists usernames, admin status, password change required status
Imports an existing htpasswd file.
If a user already exists, postgres-auth-server prints a warning message indicating as such.
If the htpasswd file contains an encryption method not supported by postgres-auth-server, the user is not imported and a message is printed.
Launches postgres-auth-server
Attempts to parse the config file and checks for errors. Also tests that the postgres credentials are valid.
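Before running the import action described above, it helps to know which hash formats an htpasswd file contains, since entries in an unsupported format are not imported. The following is an added example, not part of postgres-auth-server: the function names and sample entries are constructed, the prefixes are Apache's documented htpasswd formats, and it does not know which formats postgres-auth-server accepts.

```shell
# Added example: report the hash scheme of each entry in an htpasswd file.
# Prefixes are the documented Apache htpasswd formats; nothing here is
# postgres-auth-server code.

sample_htpasswd() {   # constructed entries, not real credentials
    cat <<'EOF'
# constructed sample
alice:$2y$10$CONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCTED0
bob:$apr1$CONSTRCT$CONSTRUCTEDCONSTRUCTED
carol:{SHA}Q09OU1RSVUNURUQ=
dave:CONSTRUCTED.x
erin:hunter2
EOF
}

htpasswd_schemes() {  # args: htpasswd file(s) or stdin; prints user<TAB>scheme<TAB>rating
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF < 2 { printf "%s\tmalformed\tweak\n", $0; next }
        {
            h = substr($0, length($1) + 2)    # everything after the first colon
            # DES crypt is recognised as 13 characters from the crypt alphabet,
            # so a plaintext password of that exact shape is misread as DES crypt.
            if (substr(h, 1, 2) == "$2" && substr(h, 4, 1) == "$") { s = "bcrypt"; r = "ok" }
            else if (substr(h, 1, 3) == "$6$")    { s = "sha512-crypt"; r = "ok" }
            else if (substr(h, 1, 3) == "$5$")    { s = "sha256-crypt"; r = "ok" }
            else if (substr(h, 1, 6) == "$apr1$") { s = "apr1-md5"; r = "legacy" }
            else if (substr(h, 1, 5) == "{SHA}")  { s = "sha1-unsalted"; r = "weak" }
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") { s = "des-crypt"; r = "weak" }
            else { s = "plaintext-or-unknown"; r = "weak" }
            printf "%s\t%s\t%s\n", $1, s, r
        }' "$@"
}

htpasswd_needs_reset() {  # users whose stored hash is not rated ok
    htpasswd_schemes "$@" | awk -F'\t' '$3 != "ok" { print $1 }'
}

# Demo on the constructed sample
sample_htpasswd | htpasswd_schemes
```

Users listed by htpasswd_needs_reset are candidates for the "change username" action after import, so their passwords get re-set at next login.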
MIT (see LICENSE)