Shulou(Shulou.com)06/03 Report--

In the author's previous blog "about the installation and configuration of the httpd 2.x module modulated authentic MySQL module and the support for aes encryption", the mod_auth_mysql module mentioned is a third-party authentication module dedicated to Apache httpd. In this article, we will introduce a corresponding module on Nginx, nginx_auth_mysql.

Preparatory work

Download the source code for nginx_auth_mysql

CentOS7 server, nginx source package (the author uses nginx1.12.0 stable Edition)

Supports the compilation environment of nginx and installs the openssl development package

There are libmysqlclient and libmysqld dynamic libraries

Installation process record

The source code file for nginx_auth_mysql is as follows:

$lsconfig crypt_private.c crypt_private.h LICENSE ngx_http_auth_mysql_module.c README

Look at the config configuration file, which is as follows:

$cat config.bakngx_addon_name=ngx_http_auth_mysql_moduleHTTP_MODULES= "$HTTP_MODULES ngx_http_auth_mysql_module" NGX_ADDON_SRCS= "$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c" CORE_LIBS= "$CORE_LIBS-lcrypto-lmysqlclient" USE_MD5=YES

From the format of the above configuration file, we can see that it is a third-party module that specializes in static compilation. Since after version 1.9.11 of Nginx, third-party extensions have been supported as dynamic modules, and from the contents of the above configuration file, it is preliminarily determined that it can be modified into the compiled configuration of dynamic modules, so it is compiled into a dynamic library for Nginx to load.

For the modification of the configuration file and the conversion of the dynamic and static module, refer to the following two articles:

Converting Static Modules to Dynamic Modules

New Config Shell File

The contents of the modified config file are as follows:

Ngx_addon_name=ngx_http_auth_mysql_moduleif test-n "$ngx_module_link"; then ngx_module_type=HTTP ngx_module_name=$ngx_addon_name ngx_module_srcs= "$ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c" ngx_module_incs= "/ usr/include/mysql" ngx_module_libs= "- lcrypto-lmysqlclient-lmysqld-L/usr/lib64/mysql". Auto/moduleelse HTTP_MODULES= "$HTTP_MODULES ngx_http_auth_mysql_module" NGX_ADDON_SRCS= "$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_mysql_module.c $ngx_addon_dir/crypt_private.c" CORE_LIBS= "$CORE_LIBS-lcrypto-lmysqlclient" USE_MD5=YESfi

At compile time, add the-- add-dynamic-module option to add the module. The author uses-- add-dynamic-module=/root/nginx-1.12.0/nginx_auth_mysql here, in which the nginx_auth_mysql directory is used to store the source code of the module.

In the process of compilation, the author encountered the following errors:

/ root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c: In function 'ngx_http_auth_mysql_check_md5':/root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:19: error:' MD5_DIGEST_LENGTH' undeclared (first use in this function) u_char md5_ str2 * MD5_DIGEST_LENGTH + 1] ^ / root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:19: note: each undeclared identifier is reported only once for each function it appears in/root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:489:9: error: unused variable 'md5_digest' [- Werror=unused-variable] u_char md5_ digest [MD5 _ DIGEST_LENGTH] ^ / root/nginx-1.12.0/nginx_auth_mysql/ngx_http_auth_mysql_module.c:488:9: error: unused variable 'md5_str' [- Werror=unused-variable] u_char md5_ str2 * MD5_DIGEST_LENGTH + 1]

Judging from the error results above, we can find that MD5_DIGEST_LENGTH is not defined, which is very strange.

After investigation, it seems that the header file referenced in the ngx_http_auth_mysql_module.c file does not contain the definition of MD5_DIGEST_LENGTH. The full content of ngx_md5.h is as follows:

$cat ngx_md5.h/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. * / # ifndef _ NGX_MD5_H_INCLUDED_#define _ NGX_MD5_H_INCLUDED_#include # include typedef struct {uint64_t bytes; uint32_t a, b, c, d; u_char buffer [64];} ngx_md5_t;void ngx_md5_init (ngx_md5_t * ctx) Void ngx_md5_update (ngx_md5_t * ctx, const void * data, size_t size); void ngx_md5_final (u_char result [16], ngx_md5_t * ctx); # endif / * _ NGX_MD5_H_INCLUDED_ * /

By comparing the source code of an old version of nginx, it is found that it is indeed different. the following is the header file of the old version of nginx, and you can see that the MD5 header file definition of openssl is referenced:

. # if (NGX_HAVE_MD5) # if (NGX_HAVE_OPENSSL_MD5_H) # include # else#include # endif.

By looking up the md5 header file, we can see that the value of its definition is 16, so in the ngx_md5.h of nginx-1.12.0, add the following definition:

# define MD5_DIGEST_LENGTH 16

After saving, recompile and pass successfully.

After compilation is complete, the required modules are generated in the objs folder:

$ls objs/ | grep authngx_http_auth_mysql_module_modules.cngx_http_auth_mysql_module_modules.ongx_http_auth_mysql_module.so

Copy the ngx_http_auth_mysql_module.so to the corresponding module directory, and the preliminary module installation task is completed.

Configuration content

Add the following line to the main section in the nginx.conf file to indicate that the module needs to be loaded:

Load_module modules/ngx_http_auth_mysql_module.so

The author uses the auth.html under the default host / auth path to test:

$cat / opt/nginx/html/auth/auth.html auth page

The configuration parameters used by the module are described in detail in the README document of the module, as follows:

= = CONFIGURATION = =

It is activated by adding several configuration options:

Auth_mysql_realm: HTTP basic authentiaction realm. Required.

Auth_mysql_host: the host of the MySQL server. Default is 127.0.0.1.

Auth_mysql_port: on which port to connect to the MySQL server. Default is 3306.

Auth_mysql_user: username for connection to the MySQL server. Default is root.

Auth_mysql_password: password for connection to the MySQL server. Default is empty.

Auth_mysql_database: name of the database. Required.

Auth_mysql_table: name of the table, which holds the user record.

You can have more than one table separated by comas. Default is users.

Auth_mysql_user_column: name of the username column. Default is username.

Auth_mysql_password_column: name of the password column. Default is password.

Auth_mysql_conditions: Additional SQL conditions. They will be placed after and AND.

Default is empty string.

Auth_mysql_group_table: name of the table, which holds the groups information.

You can have more than one table separated by comas. Default is the users table.

Auth_mysql_group_column: name of the group name column. Default is name.

Auth_mysql_group_conditions: Additional SQL conditions applied only in group queries.

They will be placed after an AND. Default is empty string.

Auth_mysql_encryption_type: the format of the password field. Should be one of:

None: the password is stored in plaintext in the database

Md5: in the database is stored a md5 hash of the password

Phpass: a portable php hash of the password is stored. See:

Http://www.openwall.com/phpass/ for more information.

The default is md5.

Auth_mysql_allowed_users: whitespace delimited list of allowed users.

Auth_mysql_allowed_groups: whitespace delimited list of allowed groups.

If both allowed_users and allowed_groups are defined, either of them has to satisfied.

The content of using mysql database to create authenticated users is as follows: create nginx database, add a nginx_auth data table to nginx database, store user field and password field, and encrypt password field with md5:

$mysqlWelcome to the MariaDB monitor. Commands end with; or\ g.Your MariaDB connection id is 3337Server version: 5.5.44-MariaDB MariaDB ServerCopyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.Type 'help;' or'\ h' for help. Type'\ c'to clear the current input statement.MariaDB [(none)] > use nginx;Reading table information for completion of table and column namesYou can turn off this feature to get a quicker startup with-ADatabase changedMariaDB [nginx] > show tables +-+ | Tables_in_nginx | +-+ | nginx_auth | +-+ 1 row in set (0.00 sec) MariaDB [nginx] > select * from nginx_auth +-+-+ | user | password | +-+-+ | tom | d077f244ddf8r70e5ea758bd8352fcd8 | +-+- -- + 1 row in set (0.00 sec)

The configuration used in the nginx.conf configuration file is as follows:

.location / auth {root / opt/nginx/html; index auth.html; auth_mysql_realm "authentication"; auth_mysql_host "192.168.5.181"; auth_mysql_port "3306"; auth_mysql_user "nginx"; auth_mysql_password "nginx" Auth_mysql_database "nginx"; auth_mysql_table "nginx_auth"; auth_mysql_user_column "user"; auth_mysql_password_column "password"; auth_mysql_encryption_type "md5";}.

Reload nginx, and use the curl command to test. The result is as follows: the module is running normally:

$curl-u tom:right_password http://192.168.5.181/auth/auth page$ curl-u tom:wrong_password http://192.168.5.181/auth/ 401 Authorization Required401 Authorization Requirednginx/1.12.0

Other matters

The mod_auth_mysql module used on httpd comes with the aes encryption algorithm, but this module used on nginx does not add this feature by default, but the author of this module mentioned in README:

= = WRITING A NEW ECNRYPTION TYPE = =

Add an entry in the ngx_http_auth_mysql_enctypes array. It has to be a struct

With two elements:

Ngx_str_t id

The name under which it should be referenced in the config file

Ngx_uint_t (* checker) (ngx_http_request_t * r, ngx_str_t sent_password, ngx_str_t actual_password)

A function, which given the request (mostly used for logging and memory allocation through its r-> pool)

The password sent by the user and the password in the database has to determine whether they match.

If they match it should return NGX_OK, if they don't it should return NGX_DECLINED. If other error

Occures, it should log it and return NGX_ERR.

Currently salts aren't supported, but if there are schemes, which require them it is quite easy.

Questions/patches may be sent to Nikolay Bachiyski, nikolay@automattic.com

It'seems that we can only wait for the Niuren to carry out the secondary development.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.