Nginx 的两种认证方式
简介:
今天来研究一下 Nginx 的两种认证方式。
1、auth_basic 本机认证
2、ngx_http_auth_request_module 第三方认证
一、安装 Nginx
shell > sh auto.sh install nginx install_nginx(){ yum -y install gcc gcc-c++ wget make pcre-devel zlib-devel openssl-devel id www-data > /dev/null 2>&1 || useradd -r -s /sbin/nologin www-data cd /usr/local/src; wget -qc http://nginx.org/download/nginx-1.10.2.tar.gz || exit 9 tar zxf nginx-1.10.2.tar.gz; cd nginx-1.10.2 ./configure --prefix=/usr/local/nginx-1.10.2 \ --with-http_dav_module \ --with-http_ssl_module \ --with-http_realip_module \ --with-http_gzip_static_module \ --with-http_stub_status_module \ --with-http_degradation_module \ --with-http_auth_request_module && make && make install mkdir /usr/local/nginx-1.10.2/conf/vhost; mkdir -p /data/logs/nginx mkdir -p /data/git-webroot/{api-htdocs,web-htdocs} && chown -R www-data.www-data /data/git-webroot echo "/usr/local/nginx-1.10.2/sbin/nginx" >> /etc/rc.local }
二、auth_basic 本机认证
shell > yum -y install httpd-tools # 安装 htpasswd 工具 shell > cd /usr/local/nginx-1.10.2/conf shell > htpasswd -c pass.db wang # 创建认证用户 wang 并输入密码,添加用户时输入 htpasswd pass.db username shell > vim /usr/local/nginx-1.10.2/conf/vhost/local.conf server { listen 80; server_name local.server.com; auth_basic "User Authentication"; auth_basic_user_file /usr/local/nginx-1.10.2/conf/pass.db; location / { root /data/www; index index.html; } }
# 这样就实现了本机认证,需要维护 pass.db 文件
三、ngx_http_auth_request_module 第三方认证
# 编译 Nginx 时需要添加该模块 --with-http_auth_request_module
# 该模块可以将客户端输入的用户名、密码 username:password 通过 Base64 编码后写入 Request Headers 中
# 例如:wang:wang -> Authorization:Basic d2FuZzp3YW5n=
# 然后通过第三方程序解码后跟数据库中用户名、密码进行比较,Nginx 服务器通过 header 的返回状态判断是否认证通过。
shell > vim /usr/local/nginx-1.10.2/conf/vhost/local.conf # 我们先来编辑本机配置文件,也就是用户直接访问的域名 server { listen 80; server_name local.server.com; auth_request /auth; location / { root html; index index.html; } location /auth { proxy_pass http://auth.server.com/HttpBasicAuthenticate.php; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; } }
# auth_request /auth; # 启用认证
# proxy_pass http://auth.server.com/HttpBasicAuthenticate.php; # 认证服务器地址
# 参考地址:http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
shell > vim /usr/local/nginx-1.10.2/conf/vhost/auth.conf # 这是第三方认证服务器,认证逻辑使用的 PHP 代码 server { listen 80; server_name auth.server.com; location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /usr/local/nginx-1.10.2/html$fastcgi_script_name; include fastcgi_params; } } shell > vim /usr/local/nginx-1.10.2/html/HttpBasicAuthenticate.php <?php if(isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])){ $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; if ($username == 'wang' && $password == '123456'){ return true; } } header('WWW-Authenticate: Basic realm="Git Server"'); header('HTTP/1.0 401 Unauthorized'); ?>
# 用户访问 local.server.com 弹出框中输入的用户名、密码保存在 $_SERVER 变量中
# 中间 if 段,只做演示用,工作中应该是拿用户输入的用户名、密码跟数据库中的数据做比较
# 用户访问 local.server.com 就会去 auth.servere.com 做用户认证,认证通过后继续访问 local.server.com
# 目前 Nginx 的第三方认证,工作中自己搭建的 git + gitweb 在使用中,配置文件如下:( 认证逻辑大家使用自己喜欢的语言编写即可 )
shell > vim /usr/local/nginx-1.10.2/conf/vhost/git.server.com server { listen 80; server_name git.server.com; root /usr/local/share/gitweb; client_max_body_size 50m; #auth_basic "Git User Authentication"; #auth_basic_user_file /usr/local/nginx-1.10.2/conf/pass.db; auth_request /auth; location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ { root /data/git; } location ~ /.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ { root /data/git; fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_connect_timeout 24h; fastcgi_read_timeout 24h; fastcgi_send_timeout 24h; fastcgi_param SCRIPT_FILENAME /usr/local/libexec/git-core/git-http-backend; fastcgi_param PATH_INFO $uri; fastcgi_param GIT_HTTP_EXPORT_ALL ""; fastcgi_param GIT_PROJECT_ROOT /data/git; fastcgi_param REMOTE_USER $remote_user; include fastcgi_params; } try_files $uri @gitweb; location @gitweb { fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; fastcgi_param SCRIPT_FILENAME /usr/local/share/gitweb/gitweb.cgi; fastcgi_param PATH_INFO $uri; include fastcgi_params; } location /auth { proxy_pass http://auth.server.com/HttpBasicAuthenticate.php; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; } }
# End