Nginx group http auth

Coming from apache2, the only function that I can't achieve: have users in a password database (htpasswd) and allow them access to various files / folders / virtual servers.

The main functions of http auth that I enabled are:

    location ~ ^/a/ {
        # should allow access for user1, user2
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/auth/file_a;
    }

    location ~ ^/b/ {
        # should allow access for user2, user3
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/auth/file_b;
    }

If I have user1, user2 in file_a and user2, user3 in file_b, this works, but I have to update both files when I change the password for user2 (the password should be the same for all locations). Since I will have > 15 different places with different access rights and > 10 users, this is actually not so simple. (I love shallow permissions!)

With Apache, I defined different groups for each location and demanded the correct group. Changing access was as easy as adding / removing users to groups.

Is there something similar, or how can you easily handle this with nginx?

+6
3 answers

I finally managed it this way with basic HTTP auth:

  • For each group, I have a separate password file, for example group_a.auth, group_b.auth, ...
  • In addition, I have a file in which every user and password is recorded, for example passwords.txt
  • passwords.txt has the same format as the auth files, so something like user1:password_hash
  • I have a Ruby script update.rb to sync user passwords from passwords.txt to all .auth files (it is little more than a wrapper around sed):

Ruby script update.rb:

    #!/usr/bin/env ruby
    # Copy each "user:hash" line from passwords.txt over the matching line in
    # every *.auth file in the current directory, leaving group membership alone.
    passwords = File.new("./passwords.txt", "r")
    while pwline = passwords.gets
      pwline.strip!
      next if pwline.empty?
      user, _ = pwline.split(':')
      # Anchor at line start so "user1:" cannot match inside another line;
      # escape "/" in the hash because it is the sed delimiter.
      %x(sed -i 's/^#{user}:.*/#{pwline.gsub('/', '\/')}/' *.auth)
    end
    passwords.close
  • To update a user's password: update the password in passwords.txt and execute update.rb
  • To add a user to a group (for example, new_user to group_a): open group_a.auth and add the line new_user: . Then add new_user:password_hash to passwords.txt if the user is not already present, and finally run update.rb
0
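The same sync as the answer's update.rb, as an added example (not the answer's own code) done in Ruby itself so user names never pass through a shell command, each .auth file is replaced atomically, and members with no entry in passwords.txt are reported instead of silently kept. It assumes the answer's layout: passwords.txt and the *.auth files in one directory; the demo data is constructed.

```ruby
# Added example, not the answer's script: keep group membership from each
# .auth file, take every hash from passwords.txt, write without shelling out.
require 'tmpdir'
# Parse "user:hash" lines into { user => "user:hash" }; blanks/comments skipped.
def parse_passwords(text)
  text.each_line.with_object({}) do |line, users|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    user, hash = line.split(':', 2)
    next if hash.nil? || hash.empty?      # no hash yet: treat as absent
    users[user] = "#{user}:#{hash}"
  end
end

# Rewrite one group file: membership (user names) comes from the group file,
# every hash comes from the master list. Returns [new_text, unknown_members].
def sync_auth(auth_text, users)
  unknown = []
  lines = auth_text.each_line.map(&:strip).reject(&:empty?).filter_map do |line|
    user = line.split(':', 2).first
    next users[user] if users.key?(user)
    unknown << user                       # member with no master entry: dropped
    nil
  end
  [lines.join("\n") + "\n", unknown]
end

# Rewrite every *.auth in dir atomically; returns { file => unknown_members }.
def sync_dir(dir)
  users = parse_passwords(File.read(File.join(dir, 'passwords.txt')))
  Dir.glob(File.join(dir, '*.auth')).sort.to_h do |path|
    text, unknown = sync_auth(File.read(path), users)
    tmp = "#{path}.tmp"
    File.write(tmp, text, perm: 0o640)
    File.rename(tmp, path)                # readers never see a half-written file
    [File.basename(path), unknown]
  end
end

# Constructed demo data (fake hashes); returns [synced group_a.auth, report].
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'passwords.txt'),
               "user1:$apr1$fake$hash1\nuser2:$apr1$fake$hash2\n\nuser3:$apr1$fake$hash3\n")
    File.write(File.join(dir, 'group_a.auth'), "user1:$apr1$old$stale\nuser2:\nghost:\n")
    report = sync_dir(dir)
    [File.read(File.join(dir, 'group_a.auth')), report]
  end
end
puts demo.inspect if __FILE__ == $PROGRAM_NAME
```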

You can make it work using the auth_digest module with realms in the role of groups - you will have several entries for one user, but you can have them line after line in a single file. Not perfect, but better than the nightmare you have now.

A small configuration change (see auth_digest and auth_digest_user_file for the 2nd location):

    location ~ ^/a/ {
        # should allow access for user1, user2
        # realm name must match the second field of the file_a entries
        auth_digest "Restricted1";
        auth_digest_user_file /etc/nginx/auth/file_a;
    }

    location ~ ^/b/ {
        # should allow access for user2, user3
        auth_digest "Restricted2";
        auth_digest_user_file /etc/nginx/auth/file_a;
    }

and file_a:

    user1:Restricted1:password_hash
    user2:Restricted1:password_hash
    user2:Restricted2:password_hash
    user3:Restricted2:password_hash
+11

I use the nginx-groups.pl script, which parses Apache-style password and group files and generates a separate password file for each group. So it essentially does the same thing as the Ruby script in Markus's answer, but it uses only one file for all groups, and the group file is in the same format as Apache's.

Current script version:

    #! /usr/bin/env perl
    use strict;
    use warnings;

    die "Usage: $0 USERSFILE GROUPSFILE\n" unless @ARGV == 2;
    my ($users_file, $groups_file) = @ARGV;

    # Read the Apache-style users file (user:hash) into a hash keyed by user name.
    my %users;
    open my $ufh, '<', $users_file or die "cannot open '$users_file': $!\n";
    while (my $line = <$ufh>) {
        chomp $line;
        my ($name, $password) = split /:/, $line, 2;
        next if !defined $password;
        $users{$name} = $line;
    }
    close $ufh;

    # Read the Apache-style groups file (group: user1 user2 ...) and write one
    # nginx-compatible password file per group, named GROUP.users.
    open my $gfh, '<', $groups_file or die "cannot open '$groups_file': $!\n";
    while (my $line = <$gfh>) {
        my ($name, $members) = split /:/, $line, 2 or next;
        next if !defined $members;
        $name =~ s/[ \t]//g;
        next if $name eq '';
        # Members without an entry in the users file are skipped.
        my @members = grep { length $_ && exists $users{$_} } split /[ \t\r\n]+/, $members;
        my $groups_users_file = $name . '.users';
        print "Writing users file '$groups_users_file'.\n";
        open my $wh, '>', $groups_users_file or die "Cannot open '$groups_users_file' for writing: $!\n";
        foreach my $user (@members) {
            print $wh "$users{$user}\n" or die "Cannot write to '$groups_users_file': $!\n";
        }
        close $wh or die "Cannot close '$groups_users_file': $!\n";
    }
    close $gfh;

Save it under whatever name you like and make it executable. Calling it without arguments will print a summary of usage.

See http://www.guido-flohr.net/group-authentication-for-nginx/ for more details!

-1

Source: https://habr.com/ru/post/918302/
