Implement database-based user authentication using nginx + pam + mysql

Source: Internet
Author: User

The HTTP Auth Basic module is a very useful module. It can be used to implement a user authentication system without writing any code. For details, see:

http://sudone.com/nginx/nginx_ssl.html

The disadvantage of the Auth Basic module is that it authenticates against an htpasswd file, and file operations are very troublesome when the environment is updated frequently or spans several servers. PAM offers another method: with PAM, you can verify the user name and password directly against the database, so you no longer have to worry about the htpasswd file.

PAM can be seen as an interface for user and permission authentication. It builds a bridge between the program that needs authentication and the program that stores the passwords. Like FastCGI, it is not tied to a particular piece of software: it can connect nginx to MySQL, and it can also connect nginx to ipvs, Oracle, or a public server such as LDAP.

Nginx does not support PAM natively; support is provided by the PAM module. The PAM module is a third-party module and needs to be downloaded and installed separately.

1. Install software

Software to be installed: nginx, ngx_http_auth_pam_module, pam-mysql, mysql

1) nginx and ngx_http_auth_pam_module

Download ngx_http_auth_pam_module from:

http://web.iti.upv.es/~sto/nginx/

The nginx version I tested is 0.7.63. Add one more option after the existing configure options:

--add-module=../ngx_http_auth_pam_module-1.1
(nginx is in /home/download/nginx-0.7.63/)
(ngx_http_auth_pam_module is in /home/download/ngx_http_auth_pam_module-1.1/)

Then compile and install. If PAM errors appear during compilation, the system is generally missing the PAM development files. I use Debian, which needs the libpam0g-dev package:

apt-get install libpam0g-dev

2) mysql

Installation is simple on Debian:

apt-get install mysql-server-5.0

3) pam-mysql

This step is to obtain the /lib/security/pam_mysql.so file. I use:

apt-get install libpam-mysql

On other systems you can download the source code and build it with make.

2. Configuration

1) Configure mysql

There is not much to configure for mysql. Create a database and a table to store the passwords, and create the account that will be used to access mysql:

create database pam;
use pam;
create table user (userid varchar(16), passwd varchar(50), primary key (userid)) type=innodb default charset=utf8;

grant select on pam.* to pamuser@localhost identified by '123456';

After the preceding statements are executed, the result is:
Database: pam
Table: user
Fields: userid, passwd
Access account: pamuser
Access password: 123456

2) Configure pam-mysql

Create a file named nginx-mysql under /etc/pam.d/:

/etc/pam.d/nginx-mysql

Content:

auth required /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=user usercolumn=userid passwdcolumn=passwd crypt=2
account required /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=user usercolumn=userid passwdcolumn=passwd crypt=2

You can choose the file name yourself, as long as it matches the nginx configuration. Copy the mysql settings from the previous step into the file. The two lines are identical except for the first word, auth and account.

The crypt option in the configuration:
0 = plain: plaintext
1 = Y: crypt() function
2 = mysql: password() function of mysql
3 = md5: md5() function of mysql

For the detailed configuration, see:

http://pam-mysql.sourceforge.net/Documentation/package-readme.php

3) Configure nginx

server {
    listen 80;
    server_name pam.ws.netease.com;

    location / {
        # Prompt (realm) shown in the browser's login dialog
        auth_pam "mysql pam";
        # Name of the service file under /etc/pam.d/
        auth_pam_service_name nginx-mysql;
        root /data/html/;
    }
}

auth_pam: the prompt text
auth_pam_service_name: the name of the file under /etc/pam.d/

Test:

Insert a record in mysql:

insert into user values ('abc', password('20140901'));

Create a file under /data/html:

echo test > /data/html/test.html

Open the page and enter the account and password. If "test" is displayed, the setup works.

-------------------------------

Note:

1) Because every request queries mysql to check the credentials, efficiency is affected, so requests that do not need protection, such as image slices and CSS, should not be placed behind authentication.
2) Both the old and the new password() functions are supported, depending on the version. You can also set the parameter old_passwords = 1 in mysql5 to force the old function to be used.
3) For the problem of logging out of Basic authentication, refer to this article: http://sudone.com/linux/http_basic_authentication_logout.html
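
The following Python is an added example, not code from the original article or from pam-mysql. It reproduces the values the passwd column must hold under crypt = 0, 2 and 3 from the table above, then audits constructed sample rows for entries in the wrong format (plaintext, or the 16-character old password() format mentioned in note 2) and for identical hashes, which password() yields for identical passwords because it uses no salt. The function names and the sample rows are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

def mysql_password(pw: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw)), unsalted."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def encode(pw: str, crypt: int) -> str:
    """Value the passwd column must hold for pw under crypt=0, 2 or 3."""
    if crypt == 0:
        return pw
    if crypt == 2:
        return mysql_password(pw)
    if crypt == 3:
        return hashlib.md5(pw.encode("utf-8")).hexdigest()
    raise ValueError("crypt=%d is not modelled in this example" % crypt)

def classify(stored: str) -> str:
    """Guess the storage format of one passwd value from its shape."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql-4.1"
    if re.fullmatch(r"[0-9a-f]{16}", stored):
        return "mysql-old"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5"
    return "plain-or-other"

def audit(rows, expected="mysql-4.1"):
    """Return (rows not in the expected format, groups of users sharing a hash)."""
    wrong = [(u, classify(p)) for u, p in rows if classify(p) != expected]
    by_hash = defaultdict(list)
    for user, stored in rows:
        by_hash[stored].append(user)
    shared = sorted(users for users in by_hash.values() if len(users) > 1)
    return wrong, shared

# Constructed sample rows for the article's `user` table (not real data).
ROWS = [
    ("abc", mysql_password("20140901")),
    ("bob", mysql_password("123456")),
    ("eve", mysql_password("123456")),   # same password as bob, so same hash
    ("old", "6f8c114b58f2ce9e"),          # constructed value in the 16-hex old format
    ("tmp", "letmein"),                   # plaintext left in the column
]

if __name__ == "__main__":
    print(audit(ROWS))
```
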
