7

I would like to use the nginx PAM module to authenticate a site with existing users on a FreeBSD system. I tried to use pam_unix.so, but no luck. It just won't let me in with my usr/psw pair. :(

nginx conf:

location / {
        root html;
        auth_pam               "Secure Zone";
        auth_pam_service_name  "nginx";
        fastcgi_pass           127.0.0.1:9000;
        fastcgi_index          index.php;
        fastcgi_param          SCRIPT_FILENAME  /var/www/$fastcgi_script_name;
        include                fastcgi_params;
}

The nginx file in the /usr/local/etc/pam.d dir:

auth    required     pam_unix.so
account required     pam_unix.so

I would appreciate it if someone could tell me a working configuration. :)

Moshe Katz
noirello
  • Can you also add some logs of what's going on from nginx's perspective? Depending on your OS you can also find some clues in /var/log/auth.log or a similar file. – kworr Aug 07 '13 at 08:12

2 Answers

6

Answer to a very old question, but I was able to confirm that this does work so this might help. This allows an nginx location to be authenticated against the local server account names. YMMV.

  • Ubuntu 18.04
  • nginx 1.14 (which includes the http_auth_pam module)
nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

Create /etc/pam.d/nginx and add the line:

@include common-auth

Within your nginx config:

location /secure {
        auth_pam                "Secure zone";
        auth_pam_service_name   "nginx";
}

and the magic sauce is:

sudo usermod -aG shadow www-data

Check in nginx.conf for the account in use, set with user www-data. It can sometimes be configured to nobody.

Restart nginx and bingo!

Thanks to the answers above that helped me complete this solution.

Guy
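A pre-flight check for the setup described above (the PAM service file exists and the nginx worker account is a member of the shadow group), added here as an example and not code from the answers or from the module's README. The function names and the constructed sample files are assumptions, and it targets Debian-like hosts, where you would pass /etc/pam.d/nginx, your nginx.conf and /etc/group.

```shell
#!/bin/sh
# Pre-flight check for nginx auth_pam with pam_unix on a Debian-like host.
# Every path is a parameter, so the check can run against copies of the files.

# Print the worker account from the main-context "user" directive.
# nginx falls back to "nobody" when the directive is absent.
nginx_worker_user() {
    awk '$1 == "user" { sub(/;.*/, "", $2); print $2; found = 1; exit }
         END { if (!found) print "nobody" }' "$1"
}

# Succeed if user $1 is listed as a member of group $2 in group file $3
# (format name:passwd:gid:member,member). Primary-group membership, which
# lives in the passwd file, is not covered here.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# $1 = PAM service file, $2 = nginx.conf, $3 = group file.
# Returns 0 when ready, 1 when the worker lacks shadow access, 2 when $1 is missing.
check_pam_unix_ready() {
    worker=$(nginx_worker_user "$2")
    [ -f "$1" ] || { echo "missing PAM service file: $1"; return 2; }
    if user_in_group "$worker" shadow "$3"; then
        echo "ok: $worker is in group shadow (any code running as $worker can read password hashes)"
    else
        echo "fail: $worker is not in group shadow; pam_unix cannot verify passwords"
        return 1
    fi
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf 'user www-data;\nworker_processes auto;\n' > "$demo/nginx.conf"
printf 'shadow:x:42:\nwww-data:x:33:\n' > "$demo/group.before"
printf 'shadow:x:42:www-data\nwww-data:x:33:\n' > "$demo/group.after"
printf '@include common-auth\n' > "$demo/pam_nginx"
check_pam_unix_ready "$demo/pam_nginx" "$demo/nginx.conf" "$demo/group.before" || true
check_pam_unix_ready "$demo/pam_nginx" "$demo/nginx.conf" "$demo/group.after" || true
```

The "ok" line doubles as the caveat from the module's README: once the worker account is in the shadow group, anything that runs as that account can read the password hashes.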
4

Not sure if you've already tried this, but I did notice here:

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the pam_unix.so module to authenticate users you need to let the web server user read the /etc/shadow file if that does not scare you (on Debian-like systems you can add the www-data user to the shadow group).

Nginx HTTP Auth PAM Module README

I can't confirm your config I'm afraid as I'm not using pam_unix.so.

Andy Nash
  • I tried to add www group read permission to the /etc/master.passwd (the FreeBSD equivalent of /etc/shadow as far as I know.) But still I can't be authenticated with my user :( (the nginx processes are run by root by default) – noirello Mar 28 '12 at 10:06