How to use nginx PAM module?

I would like to use the nginx PAM module to authenticate a site with existing users on a FreeBSD system. I tried to use pam_unix.so, but no luck. It just doesn't let me in with my usr/psw pair. :(

nginx conf:

location / {
        root html;
        auth_pam               "Secure Zone";
        auth_pam_service_name  "nginx";
        fastcgi_pass           127.0.0.1:9000;
        fastcgi_index          index.php;
        fastcgi_param          SCRIPT_FILENAME  /var/www/$fastcgi_script_name;
        include                fastcgi_params;
}

The nginx file in the /usr/local/etc/pam.d dir:

auth    required     pam_unix.so
account required     pam_unix.so

I would appreciate it if someone could tell me a working configuration. :)


Solution 1:

Answer to a very old question, but I was able to confirm that this does work so this might help. This allows an nginx location to be authenticated against the local server account names. YMMV.

  • Ubuntu 18.04
  • nginx 1.14 (which includes the http_auth_pam module)

nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

Create /etc/pam.d/nginx and add the line:

@include common-auth

Within your nginx config:

location /secure {
        auth_pam                "Secure zone";
        auth_pam_service_name   "nginx";
}

and the magic sauce is:

sudo usermod -aG shadow www-data

Check in the nginx.conf for the account used with the user www-data. It can sometimes be configured to nobody.

Restart nginx and bingo!

Thanks to the answers above that helped me complete this solution.

Solution 2:

Not sure if you've already tried this, but I did notice here:

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the pam_unix.so module to authenticate users you need to let the web server user to read the /etc/shadow file if that does not scare you (on Debian like systems you can add the www-data user to the shadow group).

Nginx HTTP Auth PAM Module README

I can't confirm your config I'm afraid as I'm not using pam_unix.so.
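
A pre-flight check for the setup both answers describe, as an added example that is not part of either answer or of the module's own code: it reads the worker account from nginx.conf, confirms the PAM service file has an auth rule, and checks that account's membership in the shadow group. The function names and the file paths passed in are assumptions, and only supplementary group membership (what usermod -aG sets) is checked.

```sh
#!/bin/sh
# Added example: pre-flight check for auth_pam + pam_unix (not from the answers).
# All file paths are arguments, so copies of the files can be checked.

# Print the account from the top-level "user" directive; nginx documents
# "nobody" as the default when the directive is absent.
nginx_worker_user() {
    u=$(sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${u:-nobody}"
}

# Succeed if user $1 is listed as a member of group $2 in group(5) file $3.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$3"
}

# Succeed if PAM service file $1 has an auth rule or pulls one in via @include.
pam_has_auth() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*(auth[[:space:]]|@include[[:space:]])' "$1"
}

# Usage: check_nginx_pam NGINX_CONF PAM_SERVICE_FILE GROUP_FILE [SHADOW_GROUP]
check_nginx_pam() {
    rc=0
    worker=$(nginx_worker_user "$1")
    echo "nginx worker account: $worker"
    if ! pam_has_auth "$2"; then
        echo "FAIL: $2 is missing or has no auth rule"; rc=1
    fi
    if in_group "$worker" "${4:-shadow}" "$3"; then
        echo "OK: $worker is in ${4:-shadow}; note it can now read every password hash"
    else
        echo "FAIL: $worker is not in ${4:-shadow}; per the README pam_unix needs to read /etc/shadow"; rc=1
    fi
    return $rc
}

# Run against real files only when paths are given on the command line.
if [ "$#" -ge 3 ]; then check_nginx_pam "$@"; fi
```

On the Ubuntu layout from Solution 1 this would be invoked with the nginx.conf path, /etc/pam.d/nginx and /etc/group as the three arguments.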