How to authenticate local Linux user with Nginx PAM module?
I would like to be able to have a local Linux user authenticate with their credentials when accessing a site. I am using the ngx_http_auth_pam_module. In the nginx.conf file I have the following configuration for the location directive:
location / {
proxy_pass http://somewebsite:5000;
root html;
index index.html index.htm;
auth_pam "Secure area";
auth_pam_service_name "nginx";
}
With the "auth_pam" and "auth_pam_service_name" syntaxes in my nginx.conf file I get prompted when accessing the site to enter in credentials. In the /etc/pam.d directory I have created an "nginx" service file with the following:
auth required pam_unix.so
account required pam_unix.so
I am running this on a CentOS 7 server. I understand that I would have to create a local Linux user and/or group and possibly provide access to the /etc/shadow file but using the tutorials I found online I am still not able to login with a local user. Would someone please be able to provide me with steps on how to get it to work so that I can login with a local Linux user when accessing the site?
Thank you, any help is appreciated and I can give more information if needed.
Solution 1:
The README for this third party nginx module says:
Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the
pam_unix.somodule to autenticate users you need to let the web server user to read the/etc/shadowfile if that does not scare you (on Debian like systems you can add thewww-datauser to theshadowgroup).
Note well the security implications of allowing your web server and/or web application to read the shadow file.