Nginx module to use PAM for simple http authentication
======================================================

:Date: $Date: 2013-09-17 12:00:49 +0200 (dt 17 de set de 2013) $
:Revision: $Rev: 7626 $

Compilation
-----------

When compiling from source build as usual adding the -add-module option::

  ./configure --add-module=$PATH_TO_MODULE

If you are using a Debian GNU/Linux distribution install the nginx-full package;
the module has been included in the nginx debian package since version 1.1.6-1
and there are newer packages on the stable distribution (wheezy) and the wheezy
version is also available from the oldstable backports repository
(squeeze-backports).

Configuration
-------------

The module only has two directives:

- ``auth_pam``: This is the http authentication realm. If given the value
  ``off`` the module is disabled (needed when we want to override the value
  set on a lower-level directive).

- ``auth_pam_service_name``: this is the PAM service name and by default it is
  set to ``nginx``.

Examples
--------

To protect everything under ``/secure`` you will add the following to the
``nginx.conf`` file::

  location /secure {
    auth_pam              "Secure Zone";
    auth_pam_service_name "nginx";
  }

Note that the module runs as the web server user, so the PAM modules used must
be able to authenticate the users without being root; that means that if you
want to use the ``pam_unix.so`` module to autenticate users you need to let the
web server user to read the ``/etc/shadow`` file if that does not scare you (on
Debian like systems you can add the ``www-data`` user to the ``shadow`` group).

As an example, to authenticate users against an LDAP server (using the
``pam_ldap.so`` module) you will use an ``/etc/pam.d/nginx`` like the following::

  auth    required     /lib/security/pam_ldap.so
  account required     /lib/security/pam_ldap.so

If you also want to limit the users from LDAP that can authenticate you can
use the ``pam_listfile.so`` module; to limit who can access resources under
``/restricted`` add the following to the ``nginx.conf`` file::

  location /restricted {
    auth_pam              "Restricted Zone";
    auth_pam_service_name "nginx_restricted";
  }

Use the following ``/etc/pam.d/nginx_restricted`` file::

  auth    required     /lib/security/pam_listfile.so onerr=fail item=user \
                       sense=allow file=/etc/nginx/restricted_users
  auth    required     /lib/security/pam_ldap.so
  account required     /lib/security/pam_ldap.so

And add the users allowed to authenticate to the ``/etc/nginx/restricted_users``
(remember that the web server user has to be able to read this file).


PAM Environment
---------------

If you want use the ``pam_exec.so`` plugin for request based authentication the
module can add to the PAM environment the ``HOST`` and ``REQUEST`` variables if
you set the ``auth_pam_set_pam_env`` flag::

  location /pam_exec_protected {
    auth_pam              "Exec Zone";
    auth_pam_service_name "nginx_exec";
    auth_pam_set_pam_env  on;
  }

With this configuration if you access an URL like:

  http://localhost:8000/pam_exec_protected/page?foo=yes&bar=too

the PAM environment will include the following variables::

    HOST=localhost:8000
    REQUEST=GET /pam_exec_protected/page?foo=yes&bar=too HTTP/1.1

You may use this information for request based authentication.
You need a recent pam release (>= version 1.0.90) to expose environment
variables to pam_exec.

.. ......
.. SVN Id: $Id: README 7626 2013-09-17 10:00:49Z sto $
