Authentication daemon for nginx-proxied or nginx-served applications
Installation and Configuration
1. Create a virtual environment for the daemon: `virtualenv env`
2. Activate it using `. ./env/bin/activate`
3. Install nginxauthdaemon from PyPI: `pip install nginxauthdaemon`
4. Create a config file overriding the default values, see [Daemon configuration]. NB! You need to override the default SESSION_SALT, DES_IV and DES_KEY for security.
5. Set the environment variable DAEMON_SETTINGS to point to your config file.
6. Run the daemon with your favorite WSGI server, for example `gunicorn nginxauthdaemon:app`.
7. Update nginx.conf. See [NGINX Configuration].
8. Reload nginx (`nginx -t && nginx -s reload`).
9. Test your setup.
Daemon configuration
Basic configuration properties are:
Option | Description |
---|---|
REALM_NAME | Realm name shown on the login page |
SESSION_COOKIE | Session cookie name. Typically you do not need to change this. |
TARGET_HEADER | Header used to pass the protected URL from NGINX |
SESSION_SALT | Long string used as a salt for creation of the session key. |
DES_IV | 8-byte initialization vector for the DES algorithm |
DES_KEY | 8-byte DES encryption key |
AUTHENTICATOR | Authenticator class name, by default 'auth.DummyAuthenticator' |
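
The installation steps require overriding SESSION_SALT, DES_IV and DES_KEY. The following is an added example, not code from the nginxauthdaemon project, that generates fresh values and checks a config file before deployment. It assumes the config file is a Python file of `NAME = value` assignments and that DES_IV and DES_KEY are given as 8-character ASCII strings; the 32-character floor for the salt is also an assumption.

```python
import ast
import secrets
import string

REQUIRED = ("SESSION_SALT", "DES_IV", "DES_KEY")  # the README says to override these
MIN_SALT_LEN = 32  # assumed floor for a "long string"; the README gives no number
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_ascii(length):
    # secrets draws from the OS CSPRNG, unlike the random module
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_settings():
    """Return config text with fresh values for the three secrets."""
    values = {"SESSION_SALT": random_ascii(64),
              "DES_IV": random_ascii(8),    # 8 ASCII characters = 8 bytes
              "DES_KEY": random_ascii(8)}
    return "".join(f"{name} = {value!r}\n" for name, value in values.items())


def parse_settings(text):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    found = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                found[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # computed value: outside what this check can see
    return found


def check_settings(text):
    """Return a list of problems; an empty list means every check passed."""
    cfg, problems = parse_settings(text), []
    for name in REQUIRED:
        if not isinstance(cfg.get(name), (str, bytes)):
            problems.append(f"{name}: not set to a literal, the default may be in use")
    for name in ("DES_IV", "DES_KEY"):
        value = cfg.get(name)
        if isinstance(value, (str, bytes)):
            size = len(value.encode("utf-8")) if isinstance(value, str) else len(value)
            if size != 8:
                problems.append(f"{name}: {size} bytes, expected 8")
    salt = cfg.get("SESSION_SALT")
    if isinstance(salt, (str, bytes)) and len(salt) < MIN_SALT_LEN:
        problems.append(f"SESSION_SALT: {len(salt)} characters, under {MIN_SALT_LEN}")
    return problems
```

Write the output of `generate_settings()` to a file readable only by the daemon's user, and run `check_settings()` over the final config text before pointing DAEMON_SETTINGS at it.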
Authenticators available out-of-the-box:
Authenticator name | Description |
---|---|
nginxauthdaemon.auth.DummyAuthenticator | Simplest authenticator checking username equals password |
nginxauthdaemon.crowdauth.CrowdAuthenticator | Atlassian Crowd based authenticator |
Crowd authenticator has additional options:
Option | Description |
---|---|
CROWD_URL | Crowd server URL, for example http://localhost:8095/crowd/ |
CROWD_APP_NAME | Crowd application name |
CROWD_APP_PASSWORD | Crowd application password |
NGINX Configuration
Your NGINX must be compiled with ngx_http_auth_request_module. Check this with the `nginx -V` command.
Example configuration:
```nginx
upstream auth-backend {
    server 127.0.0.1:5000;
}

location = /auth/validate {
    internal;
    proxy_pass http://auth-backend;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

location = /auth/login {
    proxy_pass http://auth-backend;
    proxy_set_header X-Target $request_uri;
}

# Protected application
location / {
    auth_request /auth/validate;
    # redirect 401 and 403 to login form
    error_page 401 403 =200 /auth/login;
}
```
Limitations
The daemon can be extended to support LDAP or any other auth method, but it supports only Atlassian Crowd for now. I'll be happy to merge PRs with new auth methods.
License
The reference implementation is subject to MIT License.
File details
Details for the file nginxauthdaemon-1.1.0.tar.gz.
File metadata
- Download URL: nginxauthdaemon-1.1.0.tar.gz
- Upload date:
- Size: 8.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest |
---|---|
SHA256 | 4dd34ee0f018c97f4df6f45de63e6b7aace1266273e68c3cb66d2a6090067d38 |
MD5 | 393a6c083d377c145559a1d0ad122ca1 |
BLAKE2b-256 | 03806779c441b9bb37292604b14c09df4ec941966d9c0c60a6fae87fa22a6fca |
File details
Details for the file nginxauthdaemon-1.1.0-py2.py3-none-any.whl.
File metadata
- Download URL: nginxauthdaemon-1.1.0-py2.py3-none-any.whl
- Upload date:
- Size: 10.6 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest |
---|---|
SHA256 | e1a5de77f17a8653a73d98f4f40ab1f4bac1c2c524ee52a6a2b9cdbc7f44e23a |
MD5 | 733f2b99542fef1437d692824c8fe409 |
BLAKE2b-256 | 578f7b171d4996446feb7a558e0dff0d710aedcf7d9a4cfe578482100c804380 |