{"id":13489212,"url":"https://github.com/sto/ngx_http_auth_pam_module","last_synced_at":"2025-03-28T04:30:57.193Z","repository":{"id":26833074,"uuid":"30292379","full_name":"sto/ngx_http_auth_pam_module","owner":"sto","description":"Nginx module to use PAM for simple http authentication","archived":false,"fork":false,"pushed_at":"2023-06-20T15:55:44.000Z","size":41,"stargazers_count":118,"open_issues_count":4,"forks_count":27,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-31T02:33:32.593Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sto.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-02-04T09:57:25.000Z","updated_at":"2024-10-25T15:51:38.000Z","dependencies_parsed_at":"2024-10-31T02:31:00.145Z","dependency_job_id":null,"html_url":"https://github.com/sto/ngx_http_auth_pam_module","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sto%2Fngx_http_auth_pam_module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sto%2Fngx_http_auth_pam_module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sto%2Fngx_http_auth_pam_module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sto%2Fngx_http_auth_pam_module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sto","download_url":"https://codeload.github.com/sto/ngx_http_auth_pam_module/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245970355,"owners_count":20702395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T19:00:20.179Z","updated_at":"2025-03-28T04:30:56.922Z","avatar_url":"https://github.com/sto.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# ngx_http_auth_pam_module\n\n## Nginx module to use PAM for simple http authentication\n\n### Compilation\n\nWhen compiling from source build as usual adding the ``--add-module`` option:\n\n\t./configure --add-module=$PATH_TO_MODULE\n\nor if you want to build the module as dynamic use the ``--add-dynamic-module``\noption.\n\nIf you are using a Debian GNU/Linux distribution install the ``nginx-full``\npackage; the module has been included in the debian package since version\n``1.1.6-1``, so it is available on all stable distributions since the *wheezy*\nrelease.\n\n### Configuration\n\nThe module only has two directives:\n\n- ``auth_pam``: This is the http authentication realm. If given the value\n  ``off`` the module is disabled (needed when we want to override the value\n  set on a lower-level directive).\n\n- ``auth_pam_service_name``: this is the PAM service name and by default it is\n  set to ``nginx``.\n\n### Examples\n\nTo protect everything under ``/secure`` you will add the following to the\n``nginx.conf`` file:\n\n\tlocation /secure {\n\t    auth_pam              \"Secure Zone\";\n\t    auth_pam_service_name \"nginx\";\n\t}\n\nNote that the module runs as the web server user, so the PAM modules used must\nbe able to authenticate the users without being root; that means that if you\nwant to use the ``pam_unix.so`` module to autenticate users you need to let the\nweb server user to read the ``/etc/shadow`` file if that does not scare you (on\nDebian like systems you can add the ``www-data`` user to the ``shadow`` group).\n\nAs an example, to authenticate users against an LDAP server (using the\n``pam_ldap.so`` module) you will use an ``/etc/pam.d/nginx`` like the\nfollowing:\n\n\tauth    required     /lib/security/pam_ldap.so\n\taccount required     /lib/security/pam_ldap.so\n\nIf you also want to limit the users from LDAP that can authenticate you can\nuse the ``pam_listfile.so`` module; to limit who can access resources under\n``/restricted`` add the following to the ``nginx.conf`` file:\n\n\tlocation /restricted {\n\t    auth_pam              \"Restricted Zone\";\n\t    auth_pam_service_name \"nginx_restricted\";\n\t}\n\nUse the following ``/etc/pam.d/nginx_restricted`` file:\n\n\tauth    required     /lib/security/pam_listfile.so onerr=fail item=user \\\n\t                     sense=allow file=/etc/nginx/restricted_users\n\tauth    required     /lib/security/pam_ldap.so\n\taccount required     /lib/security/pam_ldap.so\n\nAnd add the users allowed to authenticate to the ``/etc/nginx/restricted_users``\n(remember that the web server user has to be able to read this file).\n\n### PAM Environment\n\nIf you want use the ``pam_exec.so`` plugin for request based authentication the\nmodule can add to the PAM environment the ``HOST`` and ``REQUEST`` variables if\nyou set the ``auth_pam_set_pam_env`` flag::\n\n\tlocation /pam_exec_protected {\n\t  auth_pam              \"Exec Zone\";\n\t  auth_pam_service_name \"nginx_exec\";\n\t  auth_pam_set_pam_env  on;\n\t}\n\nWith this configuration if you access an URL like:\n\n\thttp://localhost:8000/pam_exec_protected/page?foo=yes\u0026bar=too\n\nthe PAM environment will include the following variables:\n\n\tHOST=localhost:8000\n\tREQUEST=GET /pam_exec_protected/page?foo=yes\u0026bar=too HTTP/1.1\n\nYou may use this information for request based authentication.\nYou need a recent pam release (\u003e= version 1.0.90) to expose environment\nvariables to pam_exec.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsto%2Fngx_http_auth_pam_module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsto%2Fngx_http_auth_pam_module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsto%2Fngx_http_auth_pam_module/lists"}