Nginx
Boris Korobkov, 2017-05-17 00:18:45

How to implement nginx auth_request check in Nginx without scripts?

There is a high load site.
1. There is one authentication page /login, which is processed by PHP, checks the login / password (it comes from a normal html form), writes data to the session and cookie. There are very few referrals.
2. There is one authorization page /auth, which is processed by PHP, checks if the authenticated user has access rights to a certain page. Returns code 200 or 403.
3. All other content is in the form of pre-generated html pages, which are given to nginx without PHP. Some pages are public, some are only available to logged in, some only to users with certain rights. Access rights are checked using the nginx auth_request module, that is, for each access to the html page, a subrequest is made to /auth (see paragraph 2) with the transfer of $request_uri, which creates an extra load.
For optimization, I plan to get rid of the use of PHP in step 2. How can the same check be implemented on nginx itself, that is, how to check the rights using nginx by the user id ($http_cookie) and the requested URI ($request_uri)?
Let's say I can generate some files with a list of rights for all users in advance. What is the best format? The only structure that comes to mind is auth/user/$userId/$request_uri , that is, to check for the existence of a file. If there is - 200, otherwise 403. But there can be a lot of users. You can write all users line by line to a file for each URI, but then how to parse this file from nginx?
You can write this data to memcache, but it does not guarantee reliable data storage.
Maybe some fast database that Nginx can access on its own?
Or write a daemon in java or node.js? But this is a potentially unnecessary point of failure.


2 answer(s)
egor_nullptr, 2017-05-17
@BorisKorobkov

You can generate a config for nginx using map

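# auth.conf
# $user_id is not a built-in nginx variable; it has to be defined
# elsewhere in the configuration.
map $user_id:$request_uri $allow {
    default 0;
    1234:/path/page1.html 1;
    1234:/path/page2.html 1;
    5678:/path/page1.html 1;
    # ...
}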

And connect in the host config
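# host.conf
include "auth.conf";
server {
    listen 80;
    server_name host.org;

    root /path/to/static/pages;

    location / {
        # Each request triggers a subrequest to /_auth: 2xx allows, 403 denies.
        auth_request /_auth;
    }

    location = /_auth {
        # Reachable only as a subrequest, not directly by clients.
        internal;
        if ($allow) {
            return 200;
        }
        return 403;
    }
}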
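
One way to do the generation step this answer suggests, added here as an example (not code from the answer or from nginx): it renders the same map from a permissions table and refuses page names that could break out of a map entry. The input layout (user id mapped to a list of URIs) and all function names are assumptions.

```python
import os
import re

# Constructed sample input: user id -> static pages that user may read.
SAMPLE_RIGHTS = {
    1234: ["/path/page1.html", "/path/page2.html"],
    5678: ["/path/page1.html"],
}

# Allow only characters that have no meaning to the nginx config parser.
# Whitespace, quotes, ';', '{', '}', '#', '$' and '\' are rejected, so a
# crafted page name cannot close the entry and smuggle in another one.
SAFE_URI = re.compile(r"/[A-Za-z0-9._~/%-]*")


def map_entry(user_id, uri):
    """Return one 'uid:uri 1;' line, or raise ValueError on unsafe input."""
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id < 0:
        raise ValueError(f"user id must be a non-negative integer: {user_id!r}")
    if not SAFE_URI.fullmatch(uri):
        raise ValueError(f"URI contains characters unsafe in a map key: {uri!r}")
    # The key starts with a digit, so nginx never reads it as a '~' regex
    # or as a special map parameter such as 'default' or 'include'.
    return f"    {user_id}:{uri} 1;"


def render_auth_conf(rights):
    """Build the whole map block; anything not listed stays at 'default 0'."""
    lines = ["map $user_id:$request_uri $allow {", "    default 0;"]
    for user_id in sorted(rights):
        for uri in sorted(set(rights[user_id])):
            lines.append(map_entry(user_id, uri))
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_atomically(path, text):
    """Write to a temp file and rename, so nginx never loads a partial map."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    print(render_auth_conf(SAMPLE_RIGHTS), end="")
```

Because $request_uri includes the query string, a request such as /path/page1.html?x=1 matches no generated key and falls through to default 0, so the map fails closed.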

Alexander N++, 2017-05-17
@sanchezzzhak

It is possible through
session_log_module
mysql_module
Look: location /auth {
through the session module, get the session id
look in the session table through the mysql module
check whether the user is authorized or not.
if not, then on the page like this ...
}
It is also worth adding that in PHP you will have to redefine the mechanism for storing sessions in the database
through session_set_save_handler.
On the authorization page, after authorization, set the session through the usual puff.
It's all in theory.
I used the mysql module under nginx, and the impressions are only positive.
I also recommend updating to PHP 7+; it is 50% faster than the previous version, which is especially noticeable when working with arrays.
