|
1 | | -# nginx auth request server |
| 1 | +# nginx-auth-request-server |
2 | 2 |
|
3 | | -This is a **small and lightweight** http authentication server, to be used by nginx with `ngx_http_auth_request_module` to authenticate your website visitors against linux system users via PAM, providing additional security with two-factor-authentication. |
| 3 | +A **lightweight HTTP authentication backend** to be used with Nginx (`ngx_http_auth_request_module`) for authenticating website visitors against Linux system users via PAM with TOTP-based two-factor authentication. |
4 | 4 |
|
5 | | -## Request flow |
| 5 | +--- |
| 6 | + |
| 7 | +## Request Flow |
6 | 8 |
|
7 | 9 |  |
8 | 10 |
|
9 | | -## Scope and code quality |
| 11 | +--- |
| 12 | + |
| 13 | +## Project Scope and Goals |
| 14 | + |
| 15 | +This project is designed to be a **simple and minimal authenticator** rather than a full-featured user/session manager. |
| 16 | +It is intentionally kept simple and easy to understand for improved hackability. |
| 17 | + |
| 18 | +> If you want to add new features, please open a *discussion* first before creating a PR. |
| 19 | +> For more extensive changes, feel free to fork it to suit your needs. |
| 20 | +
|
| 21 | +Since this is my very first rust project, code may be suboptimal to some extent - use at your own risk. |
| 22 | +PRs to improve code quality and security are highly appreciated! |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +## Usage example |
| 27 | + |
| 28 | +### 1. Acquiring the binary |
| 29 | + |
| 30 | +Use a precompiled binary from the [releases](https://github.com/YOUR_REPO/releases) section or build it yourself: |
| 31 | + |
| 32 | +```bash |
| 33 | +cargo build --release |
| 34 | +``` |
| 35 | + |
| 36 | +You might need to install the following dependencies first: |
| 37 | + |
| 38 | +```bash |
| 39 | +sudo apt install libclang-dev build-essential libpam0g-dev libpam0g |
| 40 | +``` |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +### 2. Create the TOTP shadow file |
| 45 | + |
| 46 | +- Example path: `/etc/shadow_totp` (customizable via `--shadow-file`) |
| 47 | +- Format: `username,totp-secret` (Base32) |
| 48 | +- You can generate TOTP secrets with any generator you want ([example web application](https://it-tools.tech/otp-generator)) |
| 49 | +- **Only users listed in this file are allowed to log in!** |
| 50 | + |
| 51 | +Example: |
| 52 | + |
| 53 | +``` |
| 54 | +alice,JBSWY3DPEHPK3PXP |
| 55 | +bob,KZXW6YTBORSXEZJO |
| 56 | +``` |
| 57 | + |
| 58 | +Set appropriate permissions: |
| 59 | + |
| 60 | +```bash |
| 61 | +sudo chown YOUR_SERVICE_USER /etc/shadow_totp |
| 62 | +sudo chmod 600 /etc/shadow_totp |
| 63 | +``` |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +### 3. Set up as a systemd service |
| 68 | + |
| 69 | +A sample unit file is available in the `examples` directory. |
| 70 | + |
| 71 | +```bash |
| 72 | +# Copy compiled binary to /usr/local/bin; change source path accordingly if you downloaded a precompiled binary |
| 73 | +sudo cp target/release/nginx-auth-request-server /usr/local/bin/ |
| 74 | + |
| 75 | +# Modify unit file as needed |
| 76 | +sudo cp examples/systemd.service /etc/systemd/system/ |
| 77 | + |
| 78 | +# Enable and start service |
| 79 | +sudo systemctl enable --now nginx-auth-request-server |
| 80 | +``` |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +### 4. Configure nginx |
| 85 | + |
| 86 | +- Provide a login form at `/var/www/auth` |
| 87 | +- Adjust nginx config using snippets from `examples/etc/nginx` |
| 88 | + |
| 89 | +Make sure to include request rate limiting (e.g. `limit_req_zone`) to mitigate brute-force attacks. |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +## Security Notes |
| 94 | + |
| 95 | +- The binary has access to PAM: keep it secure. |
| 96 | +- TOTP shadow file must be protected from unauthorized access. |
| 97 | +- Brute-force protection is implemented **via nginx only** — consider checking or adding further safeguards if used in production. |
| 98 | + |
| 99 | +--- |
10 | 100 |
|
11 | | -### Project goals |
| 101 | +## License |
12 | 102 |
|
13 | | -Everything is *intentionally* kept as simple and minimal as viable. |
14 | | -This project is more a simple to understand tech-demo and minimal working example rather than a full-featured user and session manager. |
15 | | -If you really do want to add features, please open a *discussion* first before you create a PR. |
16 | | -Otherwise, feel free to create a fork for your personal requirements. |
| 103 | +Licensed under **MIT**. |
17 | 104 |
|
18 | | -Since this is my very first rust project, code may be suboptimal or even insecure to some extent - use at your own risk. |
19 | | -PRs to improve code quality and security are highly appreciated. |
| 105 | +--- |
20 | 106 |
|
21 | | -## Recommended usage |
| 107 | +## Contributing |
22 | 108 |
|
23 | | -Modify to your needs: |
| 109 | +Bugfixes and code improvements are welcome. |
24 | 110 |
|
25 | | -1. Compile using `cargo build --production` or download a precompiled binary from the release section and place the binary in `/usr/local/bin`. Note: You probably need to install `libclang-dev build-essential libpam0g-dev libpam0g` for the required `pam`-crate to compile. |
26 | | -2. Add and enable systemd service. A sample for the unit file is in the `examples` directory. |
27 | | -3. Add TOTP secrets comma-separated as `username,secret` in the shadow file you specified in the unit file (`--shadow-file`, defaults to `/etc/shadow_totp`). An example is provided in the `examples` directory. **Only users present in this file are allowed to log in.** |
28 | | -4. Set file permissions of this shadow file accordingly (readable by your selected service user, preferrably not readable by any other users or groups). |
29 | | -5. Add login form to `/var/www/auth`. |
30 | | -6. Include/add/modify nginx snippets and config as shown in `examples/etc/nginx`. |
| 111 | +> For new features: please open a GitHub Discussion first to align scope and vision. |
0 commit comments