Satisfy directive behaviour

[Petra Kamenickova]

Hi!

I'm working on custom PAM module which could be used as an authorization 
support for authentication modules (e.g. ngx_http_auth_spnego_module) and I ran 
into few problems. I'm not sure I fully get the interactions between and within
phases in nginx. My background is Apache HTTP Server so that might have twisted 
my expectations. 

I have noticed that satisfy directive behaves slightly different than Apache's 
satisfy - nginx checks every module in access phase and the first successful 
invocation stops any subsequent checks whereas Apache's satisfy checks host 
based access vs. other access modules. It has some implications especially for 
authentication and authorization implications. What would be the best way to 
make sure that authorization phases that need authentication to be run gets 
that authentication executed, even with satisfy any?

The post access phase looks like a good place for authorization but it seems 
custom modules cannot really be added to this phase. So... is it possible to 
add somehow my module handler into post access phase without changing the core 
module? Or is there any way how to keep my module in access phase but skip the 
satisfy check for that module? 

I would be grateful for any help!

--
Petra Kamenickova

___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Satisfy directive behaviour

[Sergey Brester]

Hi,

Look at module "auth_request" 
(http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
Good working solution at the moment is to use auth_request module 
together with some external auth-daemon.

You can avoid many problems, e.g. with async/sync handling etc.

Using that I have already successful realized many authentication 
methods (inclusively NTLM/Negotiate for windows).
If you have to realize anything doing handshake, you can use a variable 
$connection or combination "$connection:$remote_addr:$remote_port" as 
identifier for your connect with persistent authentication.


Regards,
sebres.


01.07.2015 15:36, Petra Kamenickova:


Hi!

I'm working on custom PAM module which could be used as an 
authorization support for authentication modules (e.g. 
ngx_http_auth_spnego_module) and I ran into few problems. I'm not sure 
I fully get the interactions between and within
phases in nginx. My background is Apache HTTP Server so that might have 
twisted my expectations.


I have noticed that satisfy directive behaves slightly different than 
Apache's satisfy - nginx checks every module in access phase and the 
first successful invocation stops any subsequent checks whereas 
Apache's satisfy checks host based access vs. other access modules. It 
has some implications especially for authentication and authorization 
implications. What would be the best way to make sure that 
authorization phases that need authentication to be run gets that 
authentication executed, even with satisfy any?


The post access phase looks like a good place for authorization but it 
seems custom modules cannot really be added to this phase. So... is it 
possible to add somehow my module handler into post access phase 
without changing the core module? Or is there any way how to keep my 
module in access phase but skip the satisfy check for that module?


I would be grateful for any help!

--
Petra Kamenickova

___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel [1]



Links:
--
[1] http://mailman.nginx.org/mailman/listinfo/nginx-devel

___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel