在笔者之前的博文《关于httpd 2.x,mod_auth_mysql模块的安装配置以及对aes加密的支持》中,所提及到的mod_auth_mysql模块,是专门用于Apache httpd的第三方认证模块。在本文中,将介绍在Nginx上面相对应的一个模块,nginx_auth_mysql。准备工作
下载nginx_auth_mysql的源代码CentOS7服务器,nginx源码包(笔者使用nginx1.12.0稳定版)支持nginx的编译环境,并安装有openssl开发包存在libmysqlclient以及libmysqld动态库
nginx_auth_mysql的源代码文件如下所示:查看一下config配置文件,其内容如下所示:由上述配置文件的格式,可以看出是专门进行静态编译的第三方模块。由于在Nginx 1.9.11版本之后,已经支持以动态模块的方式来支持第三方扩展,并且由上述配置文件的内容,初步判定可以将其修改为动态模块的编译配置,因此这里将其编译为动态库,以供Nginx进行加载。关于配置文件的修改以及动静模块的转换,参照如下两篇文章:Converting Static Modules to Dynamic ModulesNew Config Shell File经过修改之后的config文件内容如下所示:在编译的时候,添加上--add-dynamic-module
选项,将模块添加进来。笔者这里使用的是--add-dynamic-module=/root/nginx-1.12.0/nginx_auth_mysql
,其中的nginx_auth_mysql目录用于存放模块的源代码。在进行编译的过程中,笔者遇到了如下错误:从上面的报错结果来看,可以发现,是MD5_DIGEST_LENGTH没有定义,甚是奇怪……
经过排查,在ngx_http_auth_mysql_module.c文件里面,所引用的头文件当中,似乎确实并未包含MD5_DIGEST_LENGTH的定义,ngx_md5.h的全部内容如下所示:通过对比一个老版本的nginx源代码,发现确实有所不同,下面的是老版本的nginx的头文件,可以看出,引用了openssl的md5头文件定义:通过查阅md5头文件,得到其定义的值为16,因此,在nginx-1.12.0的ngx_md5.h里面,添加如下定义:保存之后,重新编译,成功通过。
编译完成之后,在objs文件夹里面生成了所需要的模块:将ngx_http_auth_mysql_module.so拷贝到对应的模块目录里面,至此完成了初步的模块安装任务。配置内容在nginx.conf文件中的main段里面添加如下一行,代表需要加载该模块:笔者使用默认主机/auth路径下的auth.html进行测试:在该模块的README文档中,详细介绍了模块使用的配置参数,如下所示:== CONFIGURATION ==
It is activated by adding several configuration options:auth_mysql_realm: HTTP basic authentiaction realm. Required.auth_mysql_host: the host of the MySQL server. Default is 127.0.0.1.auth_mysql_port: on which port to connect to the MySQL server. Default is 3306.auth_mysql_user: username for connection to the MySQL server. Default is root.auth_mysql_password: password for connection to the MySQL server. Default is empty.auth_mysql_database: name of the database. Required.auth_mysql_table: name of the table, which holds the user record.
You can have more than one table separated by comas. Default is users.auth_mysql_user_column: name of the username column. Default is username.auth_mysql_password_column: name of the password column. Default is password.auth_mysql_conditions: Additional SQL conditions. They will be placed after and AND.
Default is empty string.auth_mysql_group_table: name of the table, which holds the groups information.
You can have more than one table separated by comas. Default is the users table.auth_mysql_group_column: name of the group name column. Default is name.auth_mysql_group_conditions: Additional SQL conditions applied only in group queries.
They will be placed after an AND. Default is empty string.auth_mysql_encryption_type: the format of the password field. Should be one of:
none: the password is stored in plaintext in the database;md5: in the database is stored a md5 hash of the password;phpass: a portable php hash of the password is stored. See:
http://www.openwall.com/phpass/ for more information.
The default is md5.auth_mysql_allowed_users: whitespace delimited list of allowed users.auth_mysql_allowed_groups: whitespace delimited list of allowed groups开发云主机域名.
If both allowed_users and allowed_groups are defined, either of them has to satisfied.笔者这里使用mysql数据库创建认证用户的内容如下所示,创建nginx数据库,在nginx数据库里面添加一个nginx_auth的数据表,存放user字段和password字段,并且password字段用md5进行加密:在nginx.conf配置文件当中使用的配置如下所示:reload一下nginx,利用curl命令进行测试,得到的结果如下所示,可见模块正常运行:
其他事项
在httpd上面使用的mod_auth_mysql模块,自带了aes加密算法,但是在nginx上面使用的此模块,默认却没有添加该项功能,不过该模块的作者在README中提到:
== WRITING A NEW ECNRYPTION TYPE ==
Add an entry in the ngx_http_auth_mysql_enctypes
array. It has to be a struct
with two elements:ngx_str_t idThe name under which it should be referenced in the config file
ngx_uint_t (*checker)(ngx_http_request_t *r, ngx_str_t sent_password, ngx_str_t actual_password)A function, which given the request (mostly used for logging and memory allocation through its r->pool),
the password sent by the user and the password in the database has to determine whether they match.
If they match it should return NGX_OK, if they don’t it should return NGX_DECLINED. If other error
occures, it should log it and return NGX_ERR.Currently salts aren't supported, but if there are schemes, which require them it is quite easy.
Questions/patches may be sent to Nikolay Bachiyski, nikolay@automattic.com似乎只能等待牛人进行二次开发了……
今天小编给大家分享的是linux运行shell程序的方法,很多人都不太了解,今天小编为了让大家更加了解linux运行shell程序的方法,所以给大家总结了以下内容,一起往下看吧。一定会有所收获的哦。linux运行程序有三种方法,分别是:1、使文件具有可执行权限…
免责声明:本站发布的图片视频文字,以转载和分享为主,文章观点不代表本站立场,本站不承担相关法律责任;如果涉及侵权请联系邮箱:360163164@qq.com举报,并提供相关证据,经查实将立刻删除涉嫌侵权内容。