forked from stnoonan/spnego-http-auth-nginx-module
-
Notifications
You must be signed in to change notification settings - Fork 1
/
README
75 lines (58 loc) · 2.3 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Nginx module to use SPNEGO+GSSAPI+Kerberos for HTTP authentication
==================================================================
Testing
-------
Authentication has been tested with (at least) the following:
Software
Nginx 1.2.3
Internet Explorer 8.0.7600.16385
Firefox 10.0.6
Chrome 20.0.1132.57
Curl 7.19.5 (GSS-Negotiate), 7.27.0 (SPNEGO/fbopenssl)
The underlying kerberos library used for these tests was MIT KRB5 1.7
History
-------
Michael Shadle paid YoctoPetaBorg from RentACoder to develop this extension as
ngx_http_auth_sso_module. Michael then renamed it to
ngx_http_auth_spnego_module. This initial module provided spnego support using
Microsoft's sample spnegohelp files. Since then, SPNEGO support has made its
way into various GSS/Kerberos libraries.
Various other people have contributed minor patches to make the extension work
in their environments.
Provenance
----------
The initial codebase was a fork of Apache's mod_auth_gss_krb5 0.0.5
(http://modgssapache.sf.net) with changes to support nginx.
Compilation
-----------
When compiling from source build as usual adding the --add-module option:
./configure --add-module=$PATH_TO_MODULE
inside top Nginx source directory.
Configuration
-------------
The module has following directives:
- auth_gss: "on"/"off", for ease of unsecuring while leaving other
options in the config file,
- auth_gss_realm: what Kerberos realm name to use, for now only used to
remove it from full user@realm.name,
- auth_gss_keytab: absolute path-name to keytab file containing service
credentials,
- auth_gss_service_name: what service name to use when acquiring
credentials. (TOFIX: HTTP but should be a list in case of some other
browsers wanting perhaps khttp or http)
TOFIX: for now they are all merely location specific. i.e. no way to
specify main or per server defaults, except for ...
Examples
--------
... current "hardcodeds" ;-}
location /topsecret {
auth_gss on;
auth_gss_realm LOCALDOMAIN;
auth_gss_keytab /etc/krb5.keytab;
auth_gss_service_name HTTP;
}
Additional Information
----------------------
Generating a keytab with an HTTP SPN will be specific to your environment. As
with many things, ask your local administrators or try examples on Google until
you find something that works.