/ngx_http_auth_pam_module

Fork of nginx pam authentication module. Adds additional environment variables for pam.

Primary LanguageCOtherNOASSERTION

Nginx module to use PAM for simple http authentication
======================================================

:Date: $Date: 2010-11-15 12:35:32 +0100 (dl 15 de nov de 2010) $
:Revision: $Rev: 4488 $

Compilation
-----------

When compiling from source build as usual adding the -add-module option::

  ./configure --add-module=$PATH_TO_MODULE

If you are using a Debian GNU/Linux distribution is easy to build a modified
package that includes this module::

  # Get the source
  apt-get source nginx
  # Copy the module
  NGINX_DEBIAN=$(ls -d nginx-*/debian)
  mkdir $NGINX_DEBIAN/ngx_http_auth_pam_module
  cp config  $NGINX_DEBIAN/ngx_http_auth_pam_module/
  cp ngx_http_auth_pam_module.c $NGINX_DEBIAN/ngx_http_auth_pam_module/
  cd $NGINX_DEBIAN; cd ..;
  # Add the argument ``--add-module=./debian/ngx_http_auth_pam_module`` to the
  # ./configure call on the debian/rules file
  sed -i -e '/.\/configure .*\\$/,/[^\\]$/ {
    /^.*[^\\]$/ { 
      s%^\(.*\)$%\t    --add-module=./debian/ngx_http_auth_pam_module \\\n\1%;
    }
  }' debian/rules
  # Add the libpam-dev build dependency
  sed -i -e 's/^Build-Depends: /Build-Depends: libpam-dev, /;' debian/control
  # Update the package version using the dch command from devscripts
  dch -l'+authpam' 'Added ngx_http_auth_pam_module support'
  # Build the package 
  dpkg-buildpackage
  # And install
  sudo dpkg -i ../nginx*deb

Configuration
-------------

The module only has two directives:

- ``auth_pam``: This is the http authentication realm. If given the value
  ``off`` the module is disabled (needed when we want to override the value
  set on a lower-level directive).

- ``auth_pam_service_name``: this is the PAM service name and by default it is
  set to ``nginx``.

Examples
--------

To protect everything under ``/secure`` you will add the following to the
``nginx.conf`` file::

  location /secure {
  	auth_pam              "Secure Zone";
  	auth_pam_service_name "nginx";
  }

Note that the module runs as the web server user, so the PAM modules used must
be able to authenticate the users without being root; that means that if you
want to use the ``pam_unix.so`` module to autenticate users you need to let the
web server user to read the ``/etc/shadow`` file if that does not scare you (on
Debian like systems you can add the ``www-data`` user to the ``shadow`` group).

As an example, to authenticate users against an LDAP server (using the
``pam_ldap.so`` module) you will use an ``/etc/pam.d/nginx`` like the following::

  auth    required     /lib/security/pam_ldap.so
  account required     /lib/security/pam_ldap.so

If you also want to limit the users from LDAP that can authenticate you can
use the ``pam_listfile.so`` module; to limit who can access resources under
``/restricted`` add the following to the ``nginx.conf`` file::

  location /restricted {
  	auth_pam              "Restricted Zone";
  	auth_pam_service_name "nginx_restricted";
  }

Use the following ``/etc/pam.d/nginx_restricted`` file::

  auth    required     /lib/security/pam_listfile.so onerr=fail item=user \
                       sense=allow file=/etc/nginx/restricted_users
  auth    required     /lib/security/pam_ldap.so
  account required     /lib/security/pam_ldap.so

And add the users allowed to authenticate to the ``/etc/nginx/restricted_users``
(remember that the web server user has to be able to read this file).

PAM Environment
---------------

The plugin set's the following additional environment variables when using ``pam_exec.so``
as pam module for authentication:

	REQUEST=GET /some/url?foo&bar HTTP/1.1
	HOST=localhost:8000

You may use this information for request based authentication.
You need a recent pam release (>= version 1.0.90) to expose environment
variables to pam_exec (Ubuntu 8.04 has a too old pam version here!).


.. ......
.. SVN Id: $Id: README 4488 2010-11-15 11:35:32Z sto $