
I’m building a system based on OpenVPN, where clients will connect to a website, secured by Basic Authentication (that’s the way it is, no way to change this).

I wish I could go through an nginx proxy that would add for me the correct basic authentication header before reaching the website. This way, based on the IP address the client uses (coming from OpenVPN configuration), I would retrieve its user/password in a DB and forge the header accordingly. So users don’t have to enter any login/password.

Injecting the basic-authentication header is easy with:

location / {
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_pass http://6.6.6.6:80;
   proxy_set_header Authorization "Basic a2luZzppc25ha2Vk";
}

Where ‘a2luZzppc25ha2Vk’ is of course the base64 for this login:password.

So now I need to replace a2luZzppc25ha2Vk with a value found in a DB, according to the $remote_addr.

Aaron
Olivier D.

1 Answer


You could dump your database into a config file like this:

geo $auth_base64 {
    <remote_addr1>/32   <base64_1>;
    <remote_addr2>/32   <base64_2>;
    <remote_addrN>/32   <base64_N>;
    default             <base64_for_default_address>;
}

Of course without "<>".

Then include this config in the http {} section. You could make a simple cron job (dump, test, reload).

The variable $auth_base64 could then be used in the proxy_set_header directive:

proxy_set_header Authorization "Basic $auth_base64";

Or you can use a 3rd-party module: http://www.grid.net.ru/nginx/eval.en.html which can evaluate a backend response into variables. Not tested by myself. Some problems with modern nginx versions may occur.

Vadim
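
The "dump, test, reload" cron job described in the answer, as an added example that is not part of the original post: it builds the geo map from (IP, user, password) rows, keeps the file at mode 0600 because it holds credentials, and restores the previous file if nginx -t rejects the new one. The file path, the row layout, the constructed address 10.8.0.6 and the empty default value are assumptions.

```python
import base64
import ipaddress
import os
import subprocess
import tempfile

GEO_FILE = "/etc/nginx/conf.d/auth_geo.conf"  # assumed path, included from http {}

def render_geo(rows, var="auth_base64"):
    """Turn DB rows (ip, user, password) into the text of an nginx geo block."""
    lines, seen = ["geo $%s {" % var], set()
    for ip, user, password in rows:
        addr = ipaddress.ip_address(ip)  # ValueError unless it is exactly one address
        if addr in seen:
            raise ValueError("duplicate client address: %s" % addr)
        seen.add(addr)
        if ":" in user:
            raise ValueError("a Basic auth user name cannot contain ':'")
        # Base64 output has no whitespace, ';', '{', '}' or '$', so it is config-safe.
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode("ascii")
        lines.append("    %s/%d  %s;" % (addr, addr.max_prefixlen, token))
    # Assumption: unknown addresses get an empty value, not a shared credential.
    lines += ['    default  "";', "}"]
    return "\n".join(lines) + "\n"

def write_atomic(path, text):
    """Write next to `path` with mode 0600 (mkstemp default), then rename over it."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def deploy(rows, path=GEO_FILE):
    """dump -> test -> reload; restore the previous file if `nginx -t` rejects it."""
    old = open(path).read() if os.path.exists(path) else None
    write_atomic(path, render_geo(rows))
    if subprocess.run(["nginx", "-t"]).returncode != 0:
        if old is None:
            os.unlink(path)
        else:
            write_atomic(path, old)
        raise RuntimeError("nginx -t failed; previous map restored")
    subprocess.run(["nginx", "-s", "reload"], check=True)

if __name__ == "__main__":
    print(render_geo([("10.8.0.6", "king", "isnaked")]))  # constructed row
```

The cron job would call deploy() with the rows read from the credentials DB; running the file directly only prints the generated map.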