Nginx 的两种认证方式

简介：

今天来研究一下 Nginx 的两种认证方式。

1、auth_basic 本机认证
2、ngx_http_auth_request_module 第三方认证

一、安装 Nginx

shell > sh auto.sh install nginx

install_nginx(){
  yum -y install gcc gcc-c++ wget make pcre-devel zlib-devel openssl-devel

  id www-data > /dev/null 2>&1 || useradd -r -s /sbin/nologin www-data

  cd /usr/local/src; wget -qc http://nginx.org/download/nginx-1.10.2.tar.gz || exit 9

  tar zxf nginx-1.10.2.tar.gz; cd nginx-1.10.2
  ./configure --prefix=/usr/local/nginx-1.10.2 \
              --with-http_dav_module \
              --with-http_ssl_module \
              --with-http_realip_module \
              --with-http_gzip_static_module \
              --with-http_stub_status_module \
              --with-http_degradation_module \
              --with-http_auth_request_module && make && make install
  mkdir /usr/local/nginx-1.10.2/conf/vhost; mkdir -p /data/logs/nginx
  mkdir -p /data/git-webroot/{api-htdocs,web-htdocs} && chown -R www-data.www-data /data/git-webroot
  echo "/usr/local/nginx-1.10.2/sbin/nginx" >> /etc/rc.local
}

二、auth_basic 本机认证

shell > yum -y install httpd-tools  # 安装 htpasswd 工具

shell > cd /usr/local/nginx-1.10.2/conf

shell > htpasswd -c pass.db wang  # 创建认证用户 wang 并输入密码，添加用户时输入 htpasswd pass.db username

shell > vim /usr/local/nginx-1.10.2/conf/vhost/local.conf

server {
    listen       80;
    server_name  local.server.com;
    
    auth_basic "User Authentication";
    auth_basic_user_file /usr/local/nginx-1.10.2/conf/pass.db;
    
    location / {
        root   /data/www;
        index  index.html;
    }
}

# 这样就实现了本机认证，需要维护 pass.db 文件

三、ngx_http_auth_request_module 第三方认证

# 编译 Nginx 时需要添加该模块 --with-http_auth_request_module
# 该模块可以将客户端输入的用户名、密码 username:password 通过 Base64 编码后写入 Request Headers 中
# 例如：wang:wang -> Authorization:Basic d2FuZzp3YW5n=
# 然后通过第三方程序解码后跟数据库中用户名、密码进行比较，Nginx 服务器通过 header 的返回状态判断是否认证通过。

shell > vim /usr/local/nginx-1.10.2/conf/vhost/local.conf  # 我们先来编辑本机配置文件，也就是用户直接访问的域名

server {
    listen 80;
    server_name local.server.com;

    auth_request /auth;

    location / {
        root   html;
        index  index.html;
    }

    location /auth {
        proxy_pass http://auth.server.com/HttpBasicAuthenticate.php;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}

# auth_request /auth; # 启用认证
# proxy_pass http://auth.server.com/HttpBasicAuthenticate.php; # 认证服务器地址
# 参考地址：http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

shell > vim /usr/local/nginx-1.10.2/conf/vhost/auth.conf  # 这是第三方认证服务器，认证逻辑使用的 PHP 代码

server {
    listen       80;
    server_name  auth.server.com;

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx-1.10.2/html$fastcgi_script_name;
        include        fastcgi_params;
    }
}

shell > vim /usr/local/nginx-1.10.2/html/HttpBasicAuthenticate.php

<?php

if(isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])){
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];

    if ($username == 'wang' && $password == '123456'){
        return true;
    }
}

header('WWW-Authenticate: Basic realm="Git Server"');
header('HTTP/1.0 401 Unauthorized');

?>

# 用户访问 local.server.com 弹出框中输入的用户名、密码保存在 $_SERVER 变量中
# 中间 if 段，只做演示用，工作中应该是拿用户输入的用户名、密码跟数据库中的数据做比较
# 用户访问 local.server.com 就会去 auth.servere.com 做用户认证，认证通过后继续访问 local.server.com

# 目前 Nginx 的第三方认证，工作中自己搭建的 git + gitweb 在使用中，配置文件如下：( 认证逻辑大家使用自己喜欢的语言编写即可 )

shell > vim /usr/local/nginx-1.10.2/conf/vhost/git.server.com

server {
    listen      80;
    server_name git.server.com;
    root        /usr/local/share/gitweb;

    client_max_body_size 50m;

    #auth_basic "Git User Authentication";
    #auth_basic_user_file /usr/local/nginx-1.10.2/conf/pass.db;

    auth_request /auth;

    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
        root /data/git;
    }

    location ~ /.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        root          /data/git;
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        fastcgi_connect_timeout 24h;
        fastcgi_read_timeout 24h;
        fastcgi_send_timeout 24h;
        fastcgi_param SCRIPT_FILENAME     /usr/local/libexec/git-core/git-http-backend;
        fastcgi_param PATH_INFO           $uri;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT    /data/git;
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
    }

    try_files $uri @gitweb;

    location @gitweb {
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        fastcgi_param GITWEB_CONFIG    /etc/gitweb.conf;
        fastcgi_param SCRIPT_FILENAME  /usr/local/share/gitweb/gitweb.cgi;
        fastcgi_param PATH_INFO        $uri;
        include fastcgi_params;
    }

    location /auth {
        proxy_pass http://auth.server.com/HttpBasicAuthenticate.php;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}

# End