A lightweight authentication service backend designed to work with nginx's `auth_request`.

- `auth_request` handler
- Authentication page
- Local user database
- Clone this repo.
- Install this package with `pip install .` (installing into a virtualenv is recommended).
- Create `config.yaml`, following `config.example.yaml`. A minimal version:

  ```yaml
  user_table: users.yaml
  site_name: Restrict Area
  logfile: /var/log/nslogin.py
  login_life_time: 2592000 # 30 days
  ```

- Add a user with the `nslogin-user` command, e.g.

  ```sh
  nslogin-user --config config.yaml --add --name terry
  ```

- Run the nslogin daemon:

  ```sh
  nslogind --config config.yaml
  ```

- Edit `nginx.conf`:

  ```nginx
  location / {
      auth_request /nslogin/auth;   # <<< insert auth_request at locations that require auth
      root /srv/http;
      index index.html index.htm;
  }
  location ^~ /nslogin {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      location /nslogin/auth {
          # auth_request subrequests carry no body, so none is forwarded
          proxy_pass http://127.0.0.1:8222/auth;
          proxy_pass_request_body off;
          proxy_set_header Content-Length "";
      }
      location /nslogin {
          rewrite /nslogin/(.*) /$1 break;
          proxy_pass http://127.0.0.1:8222;
      }
  }
  error_page 401 = @error401;
  error_page 403 = @error403;
  location @error401 {
      return 302 http://$http_host/nslogin/?redirect=http://$http_host$request_uri;
  }
  location @error403 {
      return 302 http://$http_host/nslogin/403;
  }
  ```

  The two named locations must sit at `server` level (named locations cannot be nested). Note that `$http_host` is the client-supplied `Host` header; if the server block has a fixed `server_name`, prefer that (or `$host`) as the redirect target, and use `$scheme` instead of a hard-coded `http://` when the site is served over TLS.

- Reload nginx and enjoy.
Sometimes one may want to restrict a specific path to particular users. This can be achieved with nslogin's privilege system.

- Add users with privileges set:

  ```sh
  nslogin-user --config config.yaml --add --name terry --privileges A, B
  nslogin-user --config config.yaml --add --name alice --privileges A
  nslogin-user --config config.yaml --add --name bob --privileges B
  ```

  or, in short,

  ```sh
  nslogin-user -a -n terry -pr A, B
  nslogin-user -a -n alice -pr A
  nslogin-user -a -n bob -pr B
  ```

- Edit `nginx.conf`:

  ```nginx
  location /kitchen {
      auth_request /nslogin/auth/A;   # <<< 'A' is the privilege required to access this location
      root /srv/http;
      index index.html index.htm;
  }
  location /bedroom {
      auth_request /nslogin/auth/B;   # <<< 'B' is the privilege required to access this location
      root /srv/http;
      index index.html index.htm;
  }
  ```

This configuration allows alice to access /kitchen and bob to access /bedroom, and grants terry access to both locations.
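As an added example (not nslogin's own code), the following Python shows the decision an `auth_request` backend makes for the plain `/auth` check and for the `/auth/<privilege>` form used above. The only fixed part is nginx's contract: a 2xx status from the subrequest allows the original request, 401 and 403 deny it and are routed to the `error_page` handlers. The cookie name `nslogin_session`, the session store and the user-table layout are assumptions made for illustration.

```python
"""Added example, not nslogin's own code: a minimal decision function of the
kind an auth_request backend implements, with the per-path privilege scheme
from the nginx.conf above.

nginx's auth_request issues a body-less subrequest and looks only at the
status code: 2xx allows the original request, 401 and 403 deny it. After the
proxy_pass rewrite the backend sees "/auth" for a plain login check and
"/auth/<privilege>" for a privileged location. Cookie name, session store and
user-table field names below are assumptions for illustration.
"""
from http.cookies import CookieError, SimpleCookie
from typing import Optional

# Constructed user table mirroring the three users created with nslogin-user
# above (nslogin keeps its users in users.yaml; the field names are assumed).
USERS = {
    "terry": {"privileges": {"A", "B"}},
    "alice": {"privileges": {"A"}},
    "bob": {"privileges": {"B"}},
}

# Constructed session store: cookie value -> user. A real backend issues these
# at login and expires them after login_life_time seconds.
SESSIONS = {"tok-terry": "terry", "tok-alice": "alice", "tok-bob": "bob"}

COOKIE_NAME = "nslogin_session"  # assumed cookie name


def user_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Map the Cookie header forwarded by nginx to a logged-in user, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None  # malformed header: treat as not logged in
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)  # unknown or expired token -> None


def auth_status(path: str, cookie_header: Optional[str]) -> int:
    """Status code the backend should answer for an auth subrequest.

    401: no valid session (nginx redirects to the login page via @error401)
    403: logged in but lacking the requested privilege (via @error403)
    200: allow
    Any path not shaped like /auth or /auth/<privilege> is refused (fail closed).
    """
    user = user_from_cookie(cookie_header)
    if user is None:
        return 401
    if path == "/auth":
        return 200
    prefix = "/auth/"
    required = path[len(prefix):] if path.startswith(prefix) else ""
    if not required or "/" in required:
        return 403  # "/auth/", "/auth/A/B", "/other": fail closed
    return 200 if required in USERS[user]["privileges"] else 403


if __name__ == "__main__":
    for who in ("tok-alice", "tok-bob", "tok-terry", "tok-nobody"):
        row = [auth_status(p, f"{COOKIE_NAME}={who}") for p in ("/auth", "/auth/A", "/auth/B")]
        print(f"{who:12s} /auth={row[0]}  /auth/A={row[1]}  /auth/B={row[2]}")
```

With the constructed table this reproduces the access matrix stated above: alice gets 200 for `/auth/A` and 403 for `/auth/B`, bob the reverse, terry 200 for both, and a missing or unknown cookie yields 401 for every path.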
Sometimes one would like to allow others to register on the server with a valid invitation code. The register function can be enabled by putting the following snippet into `config.yaml`:

```yaml
register:
  enabled: true
  use_invitation_code: true
  dispose_used_invitation_code: true
  invitation_code_file: invitations.yaml
```

where `invitations.yaml` is a list of invitation codes. A handy way to generate some is

```sh
for i in {1..5}; do echo "- $(dd if=/dev/random bs=9 count=1 2>/dev/null | base64)"; done > invitations.yaml
```

Note that `dd ... count=1` writes whatever a single `read()` returns; with a blocking `/dev/random` on older kernels that can be fewer than 9 bytes, giving a shorter (weaker) code. `head -c 9 /dev/urandom | base64` (or GNU `dd iflag=fullblock`) always reads the full 9 bytes.

When redirecting to the login page, the original URL is passed as a GET parameter:
```nginx
location @error401 {
    return 302 http://$http_host/nslogin/?redirect=http://$http_host$request_uri;
}
```

If `$request_uri` itself contains a query string, it is pasted in unencoded, so everything after its first `&` is parsed as further parameters of the login URL rather than as part of `redirect`, and those parameters are lost. To encode `$request_uri` properly, install lua-nginx-module, since core nginx has no variable or rewrite feature that URL-encodes a value. Then use `rewrite_by_lua_block`:

```nginx
location @error401 {
    rewrite_by_lua_block {
        return ngx.redirect("http://" .. ngx.var.http_host .. "/nslogin/?redirect=" .. ngx.escape_uri(ngx.var.request_uri))
    }
}
```

Note that this variant passes only the path and query in `redirect` (no scheme or host), which is also the safer shape: a login page that only ever follows a relative path cannot be abused as an open redirect.
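As an added example (not nslogin's or nginx's own code), the Python below reproduces what the login page receives from each of the two `@error401` variants above, with `urllib.parse.quote` standing in for `ngx.escape_uri`, and adds a same-origin check for the value on the way back. That check is an assumption about how a login page should treat `redirect`; this page does not describe nslogin's own handling of the parameter.

```python
"""Added example, not nslogin's or nginx's own code: what the login page
actually gets from the two @error401 variants above, and an assumed
same-origin check before following the `redirect` value.

login_redirect_raw mirrors the plain `return 302 ...$request_uri` form;
login_redirect_escaped mirrors the rewrite_by_lua_block form, with
urllib.parse.quote standing in for ngx.escape_uri.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit


def login_redirect_raw(host: str, request_uri: str) -> str:
    """return 302 http://$http_host/nslogin/?redirect=http://$http_host$request_uri;"""
    return f"http://{host}/nslogin/?redirect=http://{host}{request_uri}"


def login_redirect_escaped(host: str, request_uri: str) -> str:
    """ngx.redirect("http://" .. host .. "/nslogin/?redirect=" .. ngx.escape_uri(request_uri))"""
    # quote(..., safe="") percent-encodes "/", "?", "&" and "=", which is what
    # keeps the whole original URI inside the single `redirect` parameter.
    return f"http://{host}/nslogin/?redirect={quote(request_uri, safe='')}"


def parse_redirect(location: str) -> Tuple[Optional[str], List[str]]:
    """Parse the Location URL as the login page would: the `redirect` value it
    sees, and the names of any parameters that leaked out of it."""
    query = parse_qs(urlsplit(location).query, keep_blank_values=True)
    redirect = query.get("redirect", [None])[0]
    leaked = sorted(k for k in query if k != "redirect")
    return redirect, leaked


def safe_redirect_target(redirect: Optional[str], expected_host: str,
                         default: str = "/") -> str:
    """Assumed hardening for the login page: accept only a same-site path or
    an absolute URL on expected_host, and always return a relative target."""
    if not redirect:
        return default
    parts = urlsplit(redirect)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Reject "//host" and "/\host" forms, which
        # browsers treat as scheme-relative URLs to another origin.
        if redirect.startswith("/") and redirect[1:2] not in ("/", "\\"):
            return redirect
        return default
    if parts.scheme in ("http", "https") and parts.netloc.lower() == expected_host.lower():
        return parts.path + (f"?{parts.query}" if parts.query else "")
    return default  # other scheme or foreign host: never follow


if __name__ == "__main__":
    host, uri = "example.org", "/bedroom?room=2&view=wide"  # constructed input
    for build in (login_redirect_raw, login_redirect_escaped):
        redirect, leaked = parse_redirect(build(host, uri))
        print(f"{build.__name__}: redirect={redirect!r} leaked={leaked} "
              f"target={safe_redirect_target(redirect, host)!r}")
```

For the constructed request `/bedroom?room=2&view=wide`, the raw form hands the login page `http://example.org/bedroom?room=2` and `view=wide` becomes a stray parameter of the login URL; the escaped form hands it the complete `/bedroom?room=2&view=wide`. The same-origin check then turns a foreign host, a `//host` reference or an unknown scheme into the default target instead of following it.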