7

i have installed nginx with auth_request module enabled, but i have a problem when i am trying to setup the authentication. I want to authenticate through a php script, when a user makes request to this location, then the nginx request to a php file and if the response will be 2xx then authentication true if the response will be 4xx then authentication failed.

This is what i made for now and it is working perfect this thing but i dont know how to pass arguments on the php file like username password for example: http://example.com/live/index.php?username=test&password=password

Here is the configuration which is working without these arguments.

location /live {
         auth_request /http_auth;
    }

    location /http_auth {
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_pass http://127.0.0.1/login.php;
}

Thank you

user3393046
  • 163
  • 1
  • 7
  • 15

1 Answers1

11

The trick here is to combine auth_basic and auth_request, here is an example:

location = /api {
        satisfy any;
        auth_basic "Restricted Access";
        auth_basic_user_file "/usr/local/nginx/htpasswd";
        auth_request /auth;
        try_files $uri $uri/ /api.html;
    }

    location = /auth {
       proxy_pass http://localhost:8080;
       proxy_pass_request_body off;
       proxy_set_header Content-Length "";
       proxy_set_header X-Original-URI $request_uri;
    }

You will notice that auth_basic_user_file is present and you probably don't want it but you can leave a blank file, the satisfy any will accept any success, auth_basic will fail but will also set the user and password in the HTTP Headers that are forwarded to your backend script where you can handle them accordingly.

Ramadheer Singh
  • 4,124
  • 4
  • 32
  • 44
PedroSena
  • 645
  • 6
  • 14
  • hey, can you document the code a little bit more i've been running into the same wall using a python script instead of php – Newbie Jun 29 '15 at 12:57
  • Is there some specific part that is not clear, @Newbie ? The idea here is: The request will come and reach /api, there the auth_basic module will mark it as invalid according to the "/usr/local/nginx/htpasswd" file, because it is empty. However, due to the satisfy any it will also send a request to /auth where you can handle it properly in your python script, since it is doing an "OR" operation(any) it will be false OR true making it work. That is a workaround because the auth_basic demands a auth_basic_user_file. Do you have your python back-end properly configured on nginx ? – PedroSena Jun 29 '15 at 13:49
  • I tried your trick but the login info is hashed by auth_basic when i look it up in the headers in my python script, is there another way to pass it without hashing it? – Newbie Jun 29 '15 at 13:54
  • basic authentication does not hash, it is just a base64 encoding, you can decode it back. Try this: encodedString.decode('base64') – PedroSena Jun 29 '15 at 14:03
  • that worked thanks! i have futher question is there a way to contact you? – Newbie Jun 29 '15 at 14:09
  • Sorry to digging out so old thread. I have problem. I want to use this above trick.. to redirect user and pass from basic auth to auth_request and there handle authentication in my other service. But when I give both auth_basic and auth_request, nginx seems to follow auth_request ignoring auth_basic. Why something like this can happen? – hohel Oct 12 '16 at 10:24
  • I seem to be having the same issue as hohel. Nginx seems to go straight to auth_request bypassing auth_basic altogether. According to the [docs](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) auth_request can be used in conjunction with auth_basic... @PedroSena can you comment if this is still working for you? – Chris Feb 17 '17 at 15:09
  • Are you both putting the two "auth_basic" statements before the auth_request ? – PedroSena Feb 18 '17 at 18:02
  • @PedroSena Yes auth_basic is before auth_request. – Chris Feb 21 '17 at 18:34
  • @PedroSena I opened a new [question](http://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic) as well, but haven't gotten any attention – Chris Feb 22 '17 at 13:56
  • I'm running into the same issue; with the above configuration the user is never prompted for login details the and auth_request is made first. – Tim van Dalen Mar 05 '18 at 16:34