Hi,
Look at the "auth_request" module
(http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
A good working solution at the moment is to use the auth_request module
together with some external auth daemon.
You can avoid many problems, e.g. with async/sync handling etc.
Using that, I have already successfully realized many authentication
methods (including NTLM/Negotiate for Windows).
If you have to realize anything doing a handshake, you can use the variable
$connection or the combination "$connection:$remote_addr:$remote_port" as
an identifier for your connection with persistent authentication.
Regards,
sebres.
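An added sketch (not from the original mail or from nginx) of the approach described above: an external daemon behind auth_request that keys multi-step handshake state on "$connection:$remote_addr:$remote_port". The "Toy" scheme, the X-Conn-Key header name, port 9000, the location names and the shared secret are constructed stand-ins for a real handshake such as NTLM/Negotiate.

```python
# Added example. nginx side (assumed location names, upstream and port):
#   location /app/ { auth_request /_auth; proxy_pass http://backend; }
#   location = /_auth { internal;
#       proxy_pass http://127.0.0.1:9000;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#       proxy_set_header X-Conn-Key "$connection:$remote_addr:$remote_port";
#   }
import hashlib, hmac, secrets, time
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"demo-shared-secret"  # constructed; a real daemon verifies real credentials
TTL = 300                       # seconds; the daemon never sees the connection close
STATE = {}                      # conn_key -> (stage, nonce, expires_at)

def expected_response(nonce):
    """Toy proof-of-secret standing in for the second leg of a real handshake."""
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()

def decide(conn_key, authorization, now=None):
    """Return (status, extra_headers) for one auth_request subrequest."""
    now = time.time() if now is None else now
    for key in [k for k, v in STATE.items() if v[2] <= now]:
        del STATE[key]                    # drop stale connection entries
    entry = STATE.get(conn_key)
    if entry and entry[0] == "authenticated":
        return 200, {}                    # same connection: no new handshake
    if entry and entry[0] == "challenged" and authorization:
        scheme, _, proof = authorization.partition(" ")
        del STATE[conn_key]               # a nonce is usable once
        ok = hmac.compare_digest(proof.encode(), expected_response(entry[1]).encode())
        if scheme == "Toy" and ok:
            STATE[conn_key] = ("authenticated", None, now + TTL)
            return 200, {}
    nonce = secrets.token_hex(16)         # first leg, or restart after a failure
    STATE[conn_key] = ("challenged", nonce, now + TTL)
    return 401, {"WWW-Authenticate": f"Toy nonce={nonce}"}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        key = self.headers.get("X-Conn-Key")  # set by nginx, never trusted from clients
        status, extra = decide(key, self.headers.get("Authorization")) if key else (403, {})
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

On a 401 from the subrequest, auth_request passes the WWW-Authenticate header on to the client, which is what lets the challenge reach it. The daemon should listen only on loopback, since anything that can reach it directly can supply its own X-Conn-Key.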
01.07.2015 15:36, Petra Kamenickova:
Hi!
I'm working on custom PAM module which could be used as an
authorization support for authentication modules (e.g.
ngx_http_auth_spnego_module) and I ran into a few problems. I'm not sure
I fully get the interactions between and within
phases in nginx. My background is Apache HTTP Server so that might have
twisted my expectations.
I have noticed that the satisfy directive behaves slightly differently than
Apache's satisfy - nginx checks every module in access phase and the
first successful invocation stops any subsequent checks whereas
Apache's satisfy checks host-based access vs. other access modules. It
has some implications, especially for authentication and authorization.
What would be the best way to make sure that
authorization phases that need authentication to be run get that
authentication executed, even with satisfy any?
The post access phase looks like a good place for authorization but it
seems custom modules cannot really be added to this phase. So... is it
possible to add somehow my module handler into post access phase
without changing the core module? Or is there any way to keep my
module in access phase but skip the satisfy check for that module?
I would be grateful for any help!
--
Petra Kamenickova
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel