{"id":24603,"date":"2015-08-19T14:04:09","date_gmt":"2015-08-19T12:04:09","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=24603"},"modified":"2016-12-12T11:29:41","modified_gmt":"2016-12-12T09:29:41","slug":"custom-single-sign-on-with-nginx-and-auth-request-module","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2015\/08\/19\/custom-single-sign-on-with-nginx-and-auth-request-module\/","title":{"rendered":"Custom Single Sign-On with Nginx and Auth Request Module"},"content":{"rendered":"\n

In a recent project I crashed into a wall. \u00a0At least for a couple of days that is. \u00a0The requirement was to integrate the Request Tracker<\/a> (aka RT) installation on CentOS 7<\/a> server with Nginx<\/a> to\u00a0a client’s company single sign-on solution. \u00a0Which wasn’t LDAP. \u00a0Or Active Directory. \u00a0Or anything standard at all – a complete homegrown system.<\/p>\n

<\/p>\n

First set of Google searches firmly suggested to use ngx_http_auth_request_module<\/a>. \u00a0The instructions seemed quite straightforward. \u00a0However, I was struggling to make it work. \u00a0The reason for that was trivial – Nginx web server shipped with CentOS 7 is compiled without this module:<\/p>\n

\r\n# rpm -qi nginx\r\nName        : nginx\r\nEpoch       : 1\r\nVersion     : 1.6.3\r\nRelease     : 6.el7\r\nArchitecture: x86_64\r\nInstall Date: Wed 05 Aug 2015 06:37:41 AM UTC\r\nGroup       : System Environment\/Daemons\r\nSize        : 1441031\r\nLicense     : BSD\r\nSignature   : RSA\/SHA256, Wed 08 Jul 2015 01:38:40 PM UTC, Key ID 6a2faea2352c64e5\r\nSource RPM  : nginx-1.6.3-6.el7.src.rpm\r\nBuild Date  : Fri 03 Jul 2015 12:44:51 PM UTC\r\nBuild Host  : buildvm-09.phx2.fedoraproject.org\r\nRelocations : (not relocatable)\r\nPackager    : Fedora Project\r\nVendor      : Fedora Project\r\nURL         : http:\/\/nginx.org\/\r\nSummary     : A high performance web server and reverse proxy server\r\nDescription :\r\nNginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and\r\nIMAP protocols, with a strong focus on high concurrency, performance and low\r\nmemory usage.\r\n<\/pre>\n
I do know how to build custom RPMs, but that would mean a much increased maintenance, which I wanted to avoid.<\/p>\n
So, the next question is: are there any compiled modules that I can use to solve the problem?<\/p>\n
\r\n# nginx -V\r\nnginx version: nginx\/1.6.3\r\nbuilt by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)\r\nTLS SNI support enabled\r\nconfigure arguments: --prefix=\/usr\/share\/nginx --sbin-path=\/usr\/sbin\/nginx --conf-path=\/etc\/nginx\/nginx.conf --error-log-path=\/var\/log\/nginx\/error.log --http-log-path=\/var\/log\/nginx\/access.log --http-client-body-temp-path=\/var\/lib\/nginx\/tmp\/client_body --http-proxy-temp-path=\/var\/lib\/nginx\/tmp\/proxy --http-fastcgi-temp-path=\/var\/lib\/nginx\/tmp\/fastcgi --http-uwsgi-temp-path=\/var\/lib\/nginx\/tmp\/uwsgi --http-scgi-temp-path=\/var\/lib\/nginx\/tmp\/scgi --pid-path=\/run\/nginx.pid --lock-path=\/run\/lock\/subsys\/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=\/usr\/lib\/rpm\/redhat\/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=\/usr\/lib\/rpm\/redhat\/redhat-hardened-ld -Wl,-E'\r\n<\/pre>\n
If you look carefully enough, you’ll notice the ngx_http_perl_module<\/a>. \u00a0Great news! \u00a0If I have Perl, I can do anything. \u00a0A quick scan through the documentation confirms that I should be able to access the request object.<\/p>\n
Fast forward a few hours and I still got nowhere. \u00a0The Nginx part was working enough for me to have some test variables and code snippets. \u00a0But in order to work with the request object, I had to have Nginx Perl module<\/a> installed on the system. \u00a0Which is not shipped with CentOS 7 as a package. \u00a0And which was failing to compile during the CPAN installation. \u00a0There was something or other about Nginx server not being compiled with sufficient parameters. \u00a0Sorry, I forgot to log the error and I moved on since.<\/p>\n
So, is that it? \u00a0No elegant, low maintenance solution then? \u00a0Nginx rebuild required? \u00a0I was very reluctant to believe this. \u00a0And I wasn’t in a hurry. \u00a0So I stopped and got some sleep. \u00a0And as it often happens, a midnight enlightenment occurred: look for another pre-compiled package for Nginx, don’t use the one from the CentOS project.<\/p>\n
Is there one? \u00a0Yes, of course! \u00a0In fact, there is an official Nginx repository, which supports CentOS (among other distributions), provides a much newer version of Nginx (1.8.0 instead of 1.6.3) and is compiled with the ngx_auth_request_module!<\/p>\n
Here is how it looks:<\/p>\n
\r\n# rpm -qi nginx\r\nName        : nginx\r\nEpoch       : 1\r\nVersion     : 1.8.0\r\nRelease     : 1.el7.ngx\r\nArchitecture: x86_64\r\nInstall Date: Thu 09 Jul 2015 02:07:42 PM EEST\r\nGroup       : System Environment\/Daemons\r\nSize        : 910765\r\nLicense     : 2-clause BSD-like license\r\nSignature   : RSA\/SHA1, Tue 21 Apr 2015 07:44:08 PM EEST, Key ID abf5bd827bd9bf62\r\nSource RPM  : nginx-1.8.0-1.el7.ngx.src.rpm\r\nBuild Date  : Tue 21 Apr 2015 06:37:00 PM EEST\r\nBuild Host  : centos7-amd64-ovl\r\nRelocations : (not relocatable)\r\nVendor      : nginx inc.\r\nURL         : http:\/\/nginx.org\/\r\nSummary     : High performance web server\r\nDescription :\r\nnginx [engine x] is an HTTP and reverse proxy server, as well as\r\na mail proxy server.\r\n\r\n# nginx -V\r\nnginx version: nginx\/1.8.0\r\nbuilt by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) \r\nbuilt with OpenSSL 1.0.1e-fips 11 Feb 2013\r\nTLS SNI support enabled\r\nconfigure arguments: --prefix=\/etc\/nginx --sbin-path=\/usr\/sbin\/nginx --conf-path=\/etc\/nginx\/nginx.conf --error-log-path=\/var\/log\/nginx\/error.log --http-log-path=\/var\/log\/nginx\/access.log --pid-path=\/var\/run\/nginx.pid --lock-path=\/var\/run\/nginx.lock --http-client-body-temp-path=\/var\/cache\/nginx\/client_temp --http-proxy-temp-path=\/var\/cache\/nginx\/proxy_temp --http-fastcgi-temp-path=\/var\/cache\/nginx\/fastcgi_temp --http-uwsgi-temp-path=\/var\/cache\/nginx\/uwsgi_temp --http-scgi-temp-path=\/var\/cache\/nginx\/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'\r\n<\/pre>\n
Excellent! \u00a0So, now on to the configuration … what do we need to do there?<\/p>\n
First of all, RT configuration is a straightforward FastCGI setup, as per the documentation<\/a>. \u00a0Adding auth request handling and we have the following location block:<\/p>\n
\r\nlocation \/ {\r\n  auth_request \/auth;\r\n  auth_request_set $username $upstream_http_x_username;\r\n\r\n  fastcgi_param  REMOTE_USER        $username;\r\n\r\n  fastcgi_param  QUERY_STRING       $query_string;\r\n  fastcgi_param  REQUEST_METHOD     $request_method;\r\n  fastcgi_param  CONTENT_TYPE       $content_type;\r\n  fastcgi_param  CONTENT_LENGTH     $content_length;\r\n\r\n  fastcgi_param  SCRIPT_NAME        '';\r\n  fastcgi_param  PATH_INFO          $uri;\r\n  fastcgi_param  REQUEST_URI        $request_uri;\r\n  fastcgi_param  DOCUMENT_URI       $document_uri;\r\n  fastcgi_param  DOCUMENT_ROOT      $document_root;\r\n  fastcgi_param  SERVER_PROTOCOL    $server_protocol;\r\n\r\n  fastcgi_param  GATEWAY_INTERFACE  CGI\/1.1;\r\n  fastcgi_param  SERVER_SOFTWARE    nginx\/$nginx_version;\r\n\r\n  fastcgi_param  REMOTE_ADDR        $remote_addr;\r\n  fastcgi_param  REMOTE_PORT        $remote_port;\r\n  fastcgi_param  SERVER_ADDR        $server_addr;\r\n  fastcgi_param  SERVER_PORT        $server_port;\r\n  fastcgi_param  SERVER_NAME        $server_name;\r\n\r\n  fastcgi_pass 127.0.0.1:9000;\r\n}\r\n<\/pre>\n
So, what’s happening here?<\/p>\n