0

I'm using openresty nginx v1.11.2.4. I wish to be able to authenticate users before they are given access to a resource or before they try to PUT something on the server. I am using the http_auth_request_module and the following is an excerpt from my nginx.conf file:

    location /video/ {
        auth_request /auth;
        root /usr/local/openresty/nginx/html;
    }

    location = /auth {
        more_set_headers "WWW-Authenticate: Basic";
        return 401;
    }

This results in the browser asking for user credentials alright but now how do I get/process the user credentials from the client?

Ayudh

2 Answers

0

The ngx_http_auth_request_module implements client authorization based on the result of a subrequest.

If you want to use basic authentication you don't need to use ngx_http_auth_request_module. Use http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

Alexander Altshuler
-2

Following the answer to the question here: Nginx authentication with auth_request module, I was able to process the username and password by accessing the $http_authorization variable in my nginx.conf file. The following is an excerpt from my nginx.conf:

    location /video {
        satisfy any;
        auth_basic "Private Property";
        auth_basic_user_file /usr/local/openresty/nginx/conf/htpasswd;
        auth_request /auth;
        root /usr/local/openresty/nginx/html;
        client_max_body_size 1000M;
        if ($request_method != "GET") {
            content_by_lua_file /root/Documents/contentbylua.lua;
        }
    }

    location = /auth {
        set $authHeader $http_authorization;
        set $authUName $remote_user;
        content_by_lua_file /root/Documents/restrict.lua;
    }

The following conf allows me to authenticate a user whose credentials are stored in a redisDB in the restrict.lua file which returns a 200 or 401 code depending on the credentials of the user back to the /location block.

The response (username & password) is accessed in the restrict.lua file by ngx.var.authHeader. Some string processing is done to remove the 'Basic', then the remnant is base64 decoded, and then some string processing is done on it to obtain the password. That's all.

Ayudh
  • It is really a misuse of ngx_http_auth_request_module and ngx_http_auth_basic_module. If you implement auth based on Redis, just run your code within access_by_lua_* in the same location. From within Lua you already have access to all nginx variables, no need for set directives. And why do you use auth_basic* directives? – Alexander Altshuler Aug 08 '17 at 09:46
  • I used the auth_basic directives to prompt for user credentials. I see your point of unnecessary set directives. – Ayudh Aug 08 '17 at 10:27
  • 1
    Add access_by_lua* to /video location. Check if Authorization header exists. If not, respond with 401 and WWW-Authenticate. If Authorization exists, check it against Redis. And drop ngx_http_auth_request_module and ngx_http_auth_basic_module completely. – Alexander Altshuler Aug 08 '17 at 10:37
  • And last note - never use Basic HTTP Auth with http transport. – Alexander Altshuler Aug 08 '17 at 10:38
  • Thanks for the guidance. Yeah, I'll keep the last comment in mind – Ayudh Aug 08 '17 at 10:41
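
The approach suggested in the comments above (a single access_by_lua* handler in the /video location, with no auth_request, auth_basic or set directives), written out as an added example that is not code from either poster. The file name access.lua, the Redis address, and the key layout `user:<name>` holding `<salt>$<hex SHA-256 of salt..password>` are assumptions made for illustration; a deployment would normally store the output of a dedicated password-hashing function instead.

```lua
-- access.lua (hypothetical name): load with access_by_lua_file in the /video location.
-- Assumed Redis layout (not from the page): "user:<name>" -> "<salt>$<sha256 hex of salt..password>"
local redis = require "resty.redis"
local resty_sha256 = require "resty.sha256"
local to_hex = require("resty.string").to_hex

-- Send the Basic challenge; the browser then prompts for credentials.
local function challenge()
    ngx.header["WWW-Authenticate"] = 'Basic realm="Private Property"'
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Parse "Basic <base64(user:pass)>"; returns user, pass or nil on any malformed input.
local function parse_basic(header)
    if type(header) ~= "string" then return nil end
    local m = ngx.re.match(header, [[^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$]], "ijo")
    if not m then return nil end
    local decoded = ngx.decode_base64(m[1])
    if not decoded then return nil end
    -- Split at the FIRST colon only: the password may itself contain ':'.
    local sep = decoded:find(":", 1, true)
    if not sep or sep == 1 then return nil end
    return decoded:sub(1, sep - 1), decoded:sub(sep + 1)
end

local user, pass = parse_basic(ngx.var.http_authorization)
if not user then return challenge() end

local red = redis:new()
red:set_timeout(1000) -- milliseconds
local ok, err = red:connect("127.0.0.1", 6379)
if not ok then
    ngx.log(ngx.ERR, "redis connect failed: ", err)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) -- fail closed, never allow
end

local stored = red:get("user:" .. user)
red:set_keepalive(10000, 50) -- return the connection to the pool
if not stored or stored == ngx.null then return challenge() end

local salt, want = stored:match("^([^$]+)%$(%x+)$")
if not salt then return challenge() end
local h = resty_sha256:new()
h:update(salt .. pass)
if to_hex(h:final()) ~= want:lower() then return challenge() end
-- Falling through lets the request continue to the content phase.
```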