The author's previous blog post, "About the installation and configuration of the mod_auth_mysql module for httpd 2.x and its support for AES encryption", covered mod_auth_mysql, a third-party authentication module for Apache httpd. This post introduces the corresponding module for nginx, nginx_auth_mysql.
Download the source code for nginx_auth_mysql
CentOS 7 server and the nginx source package (I use the nginx 1.12.0 stable version)
A working nginx build environment, with the OpenSSL development package installed
The libmysqlclient and libmysqld dynamic libraries present
Installation process log
The source code files for nginx_auth_mysql are as follows:
    $ ls
    config  crypt_private.c  crypt_private.h  LICENSE  ngx_http_auth_mysql_module.c  README
Take a look at the config file, which reads as follows:
    $ cat config.bak
    ngx_addon_name=ngx_http_auth_mysql_module
    HTTP_MODULES="$HTTP_MODULES ngx_http_auth_mysql_module"
    NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c"
    CORE_LIBS="$CORE_LIBS -lcrypto -lmysqlclient"
    USE_MD5=YES
The format of this config file shows that the third-party module is written for static compilation only. Since version 1.9.11, nginx has supported dynamic modules for third-party extensions, and judging from the contents of the file above it can be converted to a dynamic-module build configuration, so here the module is compiled into a dynamic library for nginx to load.
For changes in configuration files and the conversion of static and dynamic modules, refer to the following two articles:
Converting Static Modules to Dynamic Modules
New Config Shell File
The contents of the config file after modification are as follows:
    ngx_addon_name=ngx_http_auth_mysql_module

    if test -n "$ngx_module_link"; then
        ngx_module_type=HTTP
        ngx_module_name=$ngx_addon_name
        ngx_module_srcs="$ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c"
        ngx_module_incs="/usr/include/mysql"
        ngx_module_libs="-lcrypto -lmysqlclient -lmysqld -L/usr/lib64/mysql"

        . auto/module
    else
        HTTP_MODULES="$HTTP_MODULES ngx_http_auth_mysql_module"
        NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c"
        CORE_LIBS="$CORE_LIBS -lcrypto -lmysqlclient"
        USE_MD5=YES
    fi
At compile time, add the --add-dynamic-module option to include the module. The author uses --add-dynamic-module=/root/nginx-1.12.0/nginx_auth_mysql, where the nginx_auth_mysql directory holds the source code of the module.
In the process of compiling, I encountered the following error:
    /root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c: In function 'ngx_http_auth_mysql_check_md5':
    /root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:19: error: 'MD5_DIGEST_LENGTH' undeclared (first use in this function)
         u_char md5_str[2*MD5_DIGEST_LENGTH + 1];
                          ^
    /root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:19: note: each undeclared identifier is reported only once for each function it appears in
    /root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:489:9: error: unused variable 'md5_digest' [-Werror=unused-variable]
         u_char md5_digest[MD5_DIGEST_LENGTH];
                ^
    /root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:9: error: unused variable 'md5_str' [-Werror=unused-variable]
         u_char md5_str[2*MD5_DIGEST_LENGTH + 1];
After troubleshooting, it appears that none of the header files included by ngx_http_auth_mysql_module.c contains a definition of MD5_DIGEST_LENGTH. The entire contents of ngx_md5.h are as follows:
    $ cat ngx_md5.h

    /*
     * Copyright (C) Igor Sysoev
     * Copyright (C) Nginx, Inc.
     */


    #ifndef _NGX_MD5_H_INCLUDED_
    #define _NGX_MD5_H_INCLUDED_


    #include <ngx_config.h>
    #include <ngx_core.h>


    typedef struct {
        uint64_t  bytes;
        uint32_t  a, b, c, d;
        u_char    buffer[64];
    } ngx_md5_t;


    void ngx_md5_init(ngx_md5_t *ctx);
    void ngx_md5_update(ngx_md5_t *ctx, const void *data, size_t size);
    void ngx_md5_final(u_char result[16], ngx_md5_t *ctx);


    #endif /* _NGX_MD5_H_INCLUDED_ */
Comparing this with an old version of the nginx source code shows that the header has indeed changed. The following is from the old version of the header file, which, as you can see, pulls in the definitions from the OpenSSL MD5 header file:
    ...
    #if (NGX_HAVE_MD5)

    #if (NGX_HAVE_OPENSSL_MD5_H)
    #include <openssl/md5.h>
    #else
    #include <md5.h>
    #endif
    .......
Looking at the MD5 header file, the value defined there is 16, so add the following definition to ngx_md5.h in nginx-1.12.0:
    #define MD5_DIGEST_LENGTH 16
After saving and recompiling, the build succeeds.
After the compilation is complete, the required module files are generated in the objs folder:
    $ ls objs/ | grep auth
    ngx_http_auth_mysql_module_modules.c
    ngx_http_auth_mysql_module_modules.o
    ngx_http_auth_mysql_module.so
Copy ngx_http_auth_mysql_module.so to the corresponding modules directory to complete the initial installation of the module.
Add the following line to the main section of the nginx.conf file to indicate that the module needs to be loaded:
    load_module modules/ngx_http_auth_mysql_module.so;
The author uses auth.html under the /auth path of the default host for testing:
    $ cat /opt/nginx/html/auth/auth.html
The module's README describes the configuration parameters used by the module in detail, as follows:
== CONFIGURATION ==
It is activated by adding several configuration options:
auth_mysql_realm: HTTP basic authentication realm. Required.
auth_mysql_host: the host of the MySQL server. Default is 127.0.0.1.
auth_mysql_port: on which port to connect to the MySQL server. Default is 3306.
auth_mysql_user: username for connection to the MySQL server. Default is root.
auth_mysql_password: password for connection to the MySQL server. Default is empty.
auth_mysql_database: name of the database. Required.
auth_mysql_table: name of the table, which holds the user record.
    You can have more than one table separated by commas. Default is users.
auth_mysql_user_column: name of the username column. Default is username.
auth_mysql_password_column: name of the password column. Default is password.
auth_mysql_conditions: additional SQL conditions. They will be placed after an AND.
    Default is empty string.
auth_mysql_group_table: name of the table, which holds the groups information.
    You can have more than one table separated by commas. Default is the users table.
auth_mysql_group_column: name of the group name column. Default is name.
auth_mysql_group_conditions: additional SQL conditions applied only in group queries.
    They will be placed after an AND. Default is empty string.
auth_mysql_encryption_type: the format of the password field. Should be one of:
    none: the password is stored in plaintext in the database;
    md5: in the database is stored an MD5 hash of the password;
    phpass: a portable PHP hash of the password is stored. See:
        http://www.openwall.com/phpass/ for more information.
    The default is md5.
auth_mysql_allowed_users: whitespace delimited list of allowed users.
auth_mysql_allowed_groups: whitespace delimited list of allowed groups.
If both allowed_users and allowed_groups are defined, either of them has to be satisfied.
The author created the authentication data in MySQL as follows: an nginx database containing an nginx_auth table, which holds the user field and the password field, with the password field stored as an MD5 hash:
    $ mysql
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 3337
    Server version: 5.5.44-MariaDB MariaDB Server

    Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> use nginx;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    MariaDB [nginx]> show tables;
    +-----------------+
    | Tables_in_nginx |
    +-----------------+
    | nginx_auth      |
    +-----------------+
    1 row in set (0.00 sec)

    MariaDB [nginx]> select * from nginx_auth;
    +------+----------------------------------+
    | user | password                         |
    +------+----------------------------------+
    | tom  | d077f244ddf8r70e5ea758bd8352fcd8 |
    +------+----------------------------------+
    1 row in set (0.00 sec)
    ............
    location /auth {
        root /opt/nginx/html;
        index auth.html;

        auth_mysql_realm "Authentication";
        auth_mysql_host "192.168.5.181";
        auth_mysql_port "3306";
        auth_mysql_user "nginx";
        auth_mysql_password "nginx";
        auth_mysql_database "nginx";
        auth_mysql_table "nginx_auth";
        auth_mysql_user_column "user";
        auth_mysql_password_column "password";
        auth_mysql_encryption_type "md5";
    .......
Reload nginx and test with the curl command. The result is as follows, showing that the module is working properly:
    $ curl -u tom:right_password http://192.168.5.181/auth/
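The md5 and phpass values of auth_mysql_encryption_type listed in the README differ in what ends up in the password column. The following added example (not code from the module or its README) generates both formats in Python, following the public phpass portable-hash scheme; the function names are made up for this illustration, and it is an assumption that the module's phpass type expects the standard `$P$` format.

```python
import hashlib
import hmac
import secrets

# Alphabet used by phpass portable hashes (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_column_value(password: str) -> str:
    """Unsalted hex MD5, the format of the password column shown above."""
    return hashlib.md5(password.encode()).hexdigest()


def _encode64(data: bytes) -> str:
    """phpass encoding: each 3-byte group, little-endian, as 6-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def phpass_hash(password: str, setting: str = "") -> str:
    """Portable phpass hash; `setting` is '$P$' + cost char + 8-char salt."""
    if not setting:
        # Cost char 'B' = 2**13 MD5 rounds; fresh random salt per user.
        setting = "$P$B" + _encode64(secrets.token_bytes(6))
    cost = ITOA64.find(setting[3:4])
    if not setting.startswith("$P$") or not 7 <= cost <= 30 or len(setting) < 12:
        raise ValueError("not a portable phpass setting")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in the stored hash."""
    try:
        candidate = phpass_hash(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

With md5, two users who share a password get identical column values and each guess costs one MD5 call; with phpass, every row carries its own salt and each guess costs 8192 rounds at the cost setting used here.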
Other matters
The mod_auth_mysql module used with httpd above supports the AES encryption algorithm, but this nginx module does not provide that function by default. The author of the module does, however, mention the following in the README:
== WRITING A NEW ENCRYPTION TYPE ==
Add an entry in the ngx_http_auth_mysql_enctypes array. It has to be a struct with elements:
Questions/patches may be sent to Nikolay Bachiyski, [email protected]
It seems we can only wait for an expert to extend the module with further development ...
This article is from the "Technical Achievement Dream" blog, please be sure to keep this source http://jiangche00.blog.51cto.com/4377920/1941560
About the NGINX_AUTH_MYSQL certification module