Hello,
I want to create a "reverse" proxy. I want users of the reverse proxy
to authenticate to a radius server. I accomplished this by:
nginx.conf:
server {
listen 443 ssl;
server_name x.y.com;
ssl_certificate /usr/local/etc/ssl/x.y.com.chain.crt;
ssl_certificate_key /usr/local/etc/ssl/x.y.com.key;
location / {
auth_pam "Secure Zone";
auth_pam_service_name "nginx";
proxy_pass http://x.y.local;
}
}
pam.d/nginx:
auth required pam_radius.so
This works... except the RADIUS password is actually a "one time
password". It appears the web client retransmits the
previously-accepted username/password for each proxied page. This
will not work when using OTP (one time passwords).
Can anyone suggest a way to achieve:
1. reverse proxy
2. the reverse-proxy authenticates the user (ideally using RADIUS or PAM)
3. the authentication is "cached" and not re-submitted for each page visited
I imagine the only way to do this is to perform "authentication" in
the "application layer" using some kind of custom CGI and cookies.
Thank you,
Chris
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
I want to create a "reverse" proxy. I want users of the reverse proxy
to authenticate to a radius server. I accomplished this by:
nginx.conf:
server {
listen 443 ssl;
server_name x.y.com;
ssl_certificate /usr/local/etc/ssl/x.y.com.chain.crt;
ssl_certificate_key /usr/local/etc/ssl/x.y.com.key;
location / {
auth_pam "Secure Zone";
auth_pam_service_name "nginx";
proxy_pass http://x.y.local;
}
}
pam.d/nginx:
auth required pam_radius.so
This works... except the RADIUS password is actually a "one time
password". It appears the web client retransmits the
previously-accepted username/password for each proxied page. This
will not work when using OTP (one time passwords).
Can anyone suggest a way to achieve:
1. reverse proxy
2. the reverse-proxy authenticates the user (ideally using RADIUS or PAM)
3. the authentication is "cached" and not re-submitted for each page visited
I imagine the only way to do this is to perform "authentication" in
the "application layer" using some kind of custom CGI and cookies.
Thank you,
Chris
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx