{"id":15395487,"url":"https://github.com/stef/ngx_http_auth_sasl_module","last_synced_at":"2025-04-16T00:11:30.369Z","repository":{"id":50399776,"uuid":"494895983","full_name":"stef/ngx_http_auth_sasl_module","owner":"stef","description":"SASL authentication module for nginx","archived":false,"fork":false,"pushed_at":"2022-07-28T19:17:59.000Z","size":54,"stargazers_count":3,"open_issues_count":1,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-16T00:11:24.139Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stef.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-05-21T21:12:18.000Z","updated_at":"2023-09-08T18:34:46.000Z","dependencies_parsed_at":"2022-09-22T19:02:13.361Z","dependency_job_id":null,"html_url":"https://github.com/stef/ngx_http_auth_sasl_module","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fngx_http_auth_sasl_module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fngx_http_auth_sasl_module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fngx_http_auth_sasl_module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fngx_http_auth_sasl_module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stef","download_url":"https://codeload.github.com/stef/ngx_http_auth_sasl_module/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249173086,"owners_count":21224483,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-01T15:28:30.553Z","updated_at":"2025-04-16T00:11:30.344Z","avatar_url":"https://github.com/stef.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"* NGINX HTTP SASL authentication module\n\nThis is experimental.\n\nIt implements this RFC draft:\nhttps://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl\n\n** Dependencies\nIf you want to build this, it expects an nginx source tree in '../nginx'\n\nYou also need https://github.com/arithy/packcc in '../packcc/' if you change\n'src/http_auth_header_parser.peg'.\n\n** Deployment\n\nyou can test with this script:\nhttps://github.com/stef/libopaque/blob/master/sasl/http_sasl.py if you\nhave also the opaque mechanism installed from the libopaque\nrepo. Otherwise adapt the script to use a different mechanism.\n\nIn any case the Makefile explains it all, or has pointers to more\ninformation.\n\n** Limitations\n\nOne possible limitation is that SASL is(/can be) stateful, and the\nstate is currently kept in a worker process. If different worker\nprocesses handle the different steps of the same authentication flow\nthen the state will be a problem, as it is currently not shared\nbetween worker processes. Sadly the state used by cyrus sasl contains\nall kind of pointers, especially function pointers (which should be\nthe same, but this is depending also on the SASL mech probably) and\nthus using shared memory to share the contexts could lead to problems.\n\nEven more of a limitation is if the SASL auth is terminated at servers\nbehind a load balancer, the SASL state must be known by the backend\nserver, otherwise it will not succeed, thus a load balancer must make\nsure that the same backend server is used for the whole of a SASL auth\nexecution.\n\n** Variables\n\nThis module setst the following nginx variables:\n\n*** sasl_secure\nIs only \"yes\" (without the quotes) when a client is authenticated to\nthe current resource. It never has another value; it is simply\nundefined when not secured by SASL\n\n*** sasl_realm\nIs the realm for which the secure exchange succeeded. A realm is not\nalways used, because sites only need it when there are more than one\nin the same name space. When undefined in the SASL flow, this variable\nwill not be set.\n\n*** sasl_user\nIs the client identity as confirmed through SASL authentication. Its\ncontent is formatted like an email address, and includes a domain\nname. That domain need not be related to the web server; it is\npossible for a web server to welcome foreign clients.\n\n*** sasl_mech\nIndicates the mechanism used, and is one of the standardised SASL\nmechanism names. It may be used to detect the level of security.\n\n** Config\n\nA minimal example config with verbose logging:\n\n#+BEGIN_EXAMPLE\nerror_log logs/error.log debug;\nevents { }\nhttp {\n   auth_sasl localhost;\n   sasl_realm localhost;\n   sasl_mechanisms \"OPAQUE\";\n   sasl_db_path /usr/local/etc/sasldb2;\n\n   add_header X-SASL-SECURE $sasl_secure;\n   add_header X-REMOTE-USER $sasl_user;\n   add_header X-SASL-REALM $sasl_realm;\n   add_header X-SASL-MECH $sasl_mech;\n\n   server {\n       listen *:8090;\n       root .;\n   }\n}\n#+END_EXAMPLE\n\n** Credits\n\nThis project was funded through the NGI0 PET Fund, a fund established\nby NLnet with financial support from the European Commission's Next\nGeneration Internet programme, under the aegis of DG Communications\nNetworks, Content and Technology under grant agreement No 825310.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstef%2Fngx_http_auth_sasl_module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstef%2Fngx_http_auth_sasl_module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstef%2Fngx_http_auth_sasl_module/lists"}