Home >Operation and Maintenance >Nginx >ACL configuration based on user authentication in Nginx reverse proxy

ACL configuration based on user authentication in Nginx reverse proxy

PHPz
PHPzOriginal
2023-06-10 12:12:15833browse

Nginx is widely used in reverse proxy, load balancing and other scenarios. These application scenarios often require access control. Nginx provides a configuration method based on access control list (ACL), which can implement access control for different users, different IP addresses, different request paths, etc. This article focuses on the ACL configuration method based on user authentication to achieve identity authentication and permission control.

  1. User authentication module

Nginx provides two user authentication modules: ngx_http_auth_basic_module and ngx_http_auth_request_module. The former is based on HTTP Basic Auth, and the user needs to provide the username and password in the request header, while the latter authenticates the request through the back-end server. Both authentication modules have their own advantages and disadvantages. Choose the authentication module that suits you according to your actual needs.

  1. Authentication process

The user authentication process based on the ngx_http_auth_request_module module is as follows:

1) The client sends a request to Nginx;
2) Nginx Intercept the request and send an authentication request to the backend server;
3) The backend server authenticates the user and returns the authentication result;
4) Nginx responds to the client based on the authentication result.

  1. Configuration Example

Assume that our application provides the following interfaces:

1)/admin: Only administrators can access;
2)/user: Any user can access;
3)/login: The interface used for user authentication.

Now, we hope to use Nginx to reverse proxy and implement access control on the interface. At the same time, we hope that only authenticated users can access the interface. We can check the login status through the following configuration.

location /admin {
    auth_request /auth;
    error_page   401 = /login;
    proxy_pass   http://upstream;
}

location /user {
    auth_request /auth;
    proxy_pass   http://upstream;
}

location = /auth {
    internal;
    proxy_pass   http://upstream/auth;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

In this configuration, we define three locations. Among them, /admin and /user respectively represent the interfaces that require access control, and /auth is the interface used for user authentication. When the client requests /admin, Nginx forwards the authentication request to /auth through the auth_request directive. If a 401 error code is returned, it jumps to /login. The processing of /user is similar, except that error code processing is not added. The processing of /auth is where user authentication is truly implemented. It proxies to the back-end server for authentication and returns the authentication result.

In this example, /auth is the backend interface for user authentication. We can support various authentication methods (such as LDAP, database, etc.) by writing corresponding backend code.

Generally speaking, Nginx's ACL function is based on a powerful regular expression engine and some agreed variables. It is a very effective permission control implementation method for developers of user authentication schemes. Of course, during implementation, targeted configuration must be carried out according to specific needs and optimized based on the characteristics of the application scenario.

The above is the detailed content of ACL configuration based on user authentication in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn