authentication being passed to php

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

authentication being passed to php

nginx.mailinglist
Hello

just a quick question 

in lighttpd i was able to pass the username and pass from the url to php backend

but nothing happens in nginx?

let me explain


lets say you have a URL like this



i expect my php backend to have user and pass entries in the $_SERVER variable as happens with lighttpd

am i missing something with nginx? is it even possible?


Regards
Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

Igor Sysoev
On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:

> Hello
> just a quick question
>
> in lighttpd i was able to pass the username and pass from the url to php
> backend
>
> but nothing happens in nginx?
>
> let me explain
>
>
> lets say you have a URL like this
>
> http://userX:passY@.../bleh.php
>
>
> i expect my php backend to have user and pass entries in the $_SERVER
> variable as happens with lighttpd
>
> am i missing something with nginx? is it even possible?

$echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
dXNlclg6cGFzc1k=

      proxy_pass http://example.com/bleh.php;
      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";


--
Igor Sysoev
http://sysoev.ru/en/

Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

nginx.mailinglist
Thank you

I see that works fine for that particular user:pass combo

but (sorry to be a pain)

that means i have to encode the user:pass combination into the config file

what happens if there are thousands of user:pass combinations?

how can this info be dynamically passed to the php backend for authentication to occur there (by looking up in a database for example)?

i cant be updating the config file everytime a new user is added that can be crazy especially if there are thousands or more users

Regards

edit: i google and found this old email conversation on nginx mailinglist

2009/7/23 Igor Sysoev <[hidden email]>
On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:

> Hello
> just a quick question
>
> in lighttpd i was able to pass the username and pass from the url to php
> backend
>
> but nothing happens in nginx?
>
> let me explain
>
>
> lets say you have a URL like this
>
> http://userX:passY@.../bleh.php
>
>
> i expect my php backend to have user and pass entries in the $_SERVER
> variable as happens with lighttpd
>
> am i missing something with nginx? is it even possible?

$echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
dXNlclg6cGFzc1k=

     proxy_pass http://example.com/bleh.php;
     proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";


--
Igor Sysoev
http://sysoev.ru/en/


Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

Igor Sysoev
On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:

> Thank you
> I see that works fine for that particular user:pass combo
>
> but (sorry to be a pain)
>
> that means i have to encode the user:pass combination into the config file
>
> what happens if there are thousands of user:pass combinations?
>
> how can this info be dynamically passed to the php backend for
> authentication to occur there (by looking up in a database for example)?
>
> i cant be updating the config file everytime a new user is added that can be
> crazy especially if there are thousands or more users
>
> Regards
>
> edit: i google and found this old email conversation on nginx mailinglist
> http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results

I do not understand your problem.
nginx passes client's user:pass in Authorization header transparently.

> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> >
> > > Hello
> > > just a quick question
> > >
> > > in lighttpd i was able to pass the username and pass from the url to php
> > > backend
> > >
> > > but nothing happens in nginx?
> > >
> > > let me explain
> > >
> > >
> > > lets say you have a URL like this
> > >
> > > http://userX:passY@.../bleh.php
> > >
> > >
> > > i expect my php backend to have user and pass entries in the $_SERVER
> > > variable as happens with lighttpd
> > >
> > > am i missing something with nginx? is it even possible?
> >
> > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > dXNlclg6cGFzc1k=
> >
> >      proxy_pass http://example.com/bleh.php;
> >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--
Igor Sysoev
http://sysoev.ru/en/

Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

nginx.mailinglist
Hi Igor

its ok i got it working now!

all i have to do was add this to my config


fastcgi_pass_header Authorization;


i wasn't testing the HTTP request properly so wasn't seeing the results expected

Thank you very much!
made my work day




2009/7/23 Igor Sysoev <[hidden email]>
On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:

> Thank you
> I see that works fine for that particular user:pass combo
>
> but (sorry to be a pain)
>
> that means i have to encode the user:pass combination into the config file
>
> what happens if there are thousands of user:pass combinations?
>
> how can this info be dynamically passed to the php backend for
> authentication to occur there (by looking up in a database for example)?
>
> i cant be updating the config file everytime a new user is added that can be
> crazy especially if there are thousands or more users
>
> Regards
>
> edit: i google and found this old email conversation on nginx mailinglist
> http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results

I do not understand your problem.
nginx passes client's user:pass in Authorization header transparently.

> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> >
> > > Hello
> > > just a quick question
> > >
> > > in lighttpd i was able to pass the username and pass from the url to php
> > > backend
> > >
> > > but nothing happens in nginx?
> > >
> > > let me explain
> > >
> > >
> > > lets say you have a URL like this
> > >
> > > http://userX:passY@.../bleh.php
> > >
> > >
> > > i expect my php backend to have user and pass entries in the $_SERVER
> > > variable as happens with lighttpd
> > >
> > > am i missing something with nginx? is it even possible?
> >
> > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > dXNlclg6cGFzc1k=
> >
> >      proxy_pass http://example.com/bleh.php;
> >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--

Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

Igor Sysoev
On Thu, Jul 23, 2009 at 11:57:06AM +0100, nginx.mailinglist wrote:

> Hi Igor
> its ok i got it working now!
>
> all i have to do was add this to my config
>
>
> *fastcgi_pass_header ** **Authorization;*
>
>
> i wasn't testing the HTTP request properly so wasn't seeing the results
> expected

fastcgi_pass_header passes headers from backend to client.
It can not resolve your issue.

> Thank you very much!
> made my work day
>
>
>
>
> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:
> >
> > > Thank you
> > > I see that works fine for that particular user:pass combo
> > >
> > > but (sorry to be a pain)
> > >
> > > that means i have to encode the user:pass combination into the config
> > file
> > >
> > > what happens if there are thousands of user:pass combinations?
> > >
> > > how can this info be dynamically passed to the php backend for
> > > authentication to occur there (by looking up in a database for example)?
> > >
> > > i cant be updating the config file everytime a new user is added that can
> > be
> > > crazy especially if there are thousands or more users
> > >
> > > Regards
> > >
> > > edit: i google and found this old email conversation on nginx mailinglist
> > >
> > http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results
> >
> > I do not understand your problem.
> > nginx passes client's user:pass in Authorization header transparently.
> >
> > > 2009/7/23 Igor Sysoev <[hidden email]>
> > >
> > > > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> > > >
> > > > > Hello
> > > > > just a quick question
> > > > >
> > > > > in lighttpd i was able to pass the username and pass from the url to
> > php
> > > > > backend
> > > > >
> > > > > but nothing happens in nginx?
> > > > >
> > > > > let me explain
> > > > >
> > > > >
> > > > > lets say you have a URL like this
> > > > >
> > > > > http://userX:passY@.../bleh.php
> > > > >
> > > > >
> > > > > i expect my php backend to have user and pass entries in the $_SERVER
> > > > > variable as happens with lighttpd
> > > > >
> > > > > am i missing something with nginx? is it even possible?
> > > >
> > > > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > > > dXNlclg6cGFzc1k=
> > > >
> > > >      proxy_pass http://example.com/bleh.php;
> > > >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> > > >
> > > >
> > > > --
> > > > Igor Sysoev
> > > > http://sysoev.ru/en/
> > > >
> > > >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--
Igor Sysoev
http://sysoev.ru/en/

Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

István
In reply to this post by Igor Sysoev
he is mixing up two different things

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

14.8 Authorization

      A user agent that wishes to authenticate itself with a server--
usually, but not necessarily, after receiving a 401 response--does
so by including an Authorization request-header field with the
request. The Authorization field value consists of credentials
containing the authentication information of the user agent for
the realm of the resource being requested.
          Authorization  = "Authorization" ":" credentials
      HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [43]. If a request is
authenticated and a realm specified, the same credentials SHOULD
be valid for all other requests within this realm (assuming that
the authentication scheme itself does not require otherwise, such
as credentials that vary according to a challenge value or using
synchronized clocks).
      When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
      1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes "s-
maxage=0", the proxy MUST always revalidate it before re-using
it.
      2. If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server, using the
request-headers from the new request to allow the origin server
to authenticate the new request.
      3. If the response includes the "public" cache-control directive,
it MAY be returned in reply to any subsequent request.


2009/7/23 Igor Sysoev <[hidden email]>
On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:

> Thank you
> I see that works fine for that particular user:pass combo
>
> but (sorry to be a pain)
>
> that means i have to encode the user:pass combination into the config file
>
> what happens if there are thousands of user:pass combinations?
>
> how can this info be dynamically passed to the php backend for
> authentication to occur there (by looking up in a database for example)?
>
> i cant be updating the config file everytime a new user is added that can be
> crazy especially if there are thousands or more users
>
> Regards
>
> edit: i google and found this old email conversation on nginx mailinglist
> http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results

I do not understand your problem.
nginx passes client's user:pass in Authorization header transparently.

> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> >
> > > Hello
> > > just a quick question
> > >
> > > in lighttpd i was able to pass the username and pass from the url to php
> > > backend
> > >
> > > but nothing happens in nginx?
> > >
> > > let me explain
> > >
> > >
> > > lets say you have a URL like this
> > >
> > > http://userX:passY@.../bleh.php
> > >
> > >
> > > i expect my php backend to have user and pass entries in the $_SERVER
> > > variable as happens with lighttpd
> > >
> > > am i missing something with nginx? is it even possible?
> >
> > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > dXNlclg6cGFzc1k=
> >
> >      proxy_pass http://example.com/bleh.php;
> >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--



--
the sun shines for all
Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

nginx.mailinglist
Hmm

sorry for mix up i think i confused myself

whatever happened i now get the following entries in my php's $_SERVER


[HTTP_AUTHORIZATION] => Basic dGVzdDEyMzphYmM1Njc=
[PHP_AUTH_USER] => test123
[PHP_AUTH_PW] => abc567


which is exactly what i wanted, i can take the above values now and perfrom authentication against the database

sorry for all the confusion
i dont think this was an issue at all in first place
just my tests were wrong

thanks for the prompt help



On Thu, Jul 23, 2009 at 12:13 PM, István <[hidden email]> wrote:
he is mixing up two different things

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

14.8 Authorization

      A user agent that wishes to authenticate itself with a server--
usually, but not necessarily, after receiving a 401 response--does
so by including an Authorization request-header field with the
request. The Authorization field value consists of credentials
containing the authentication information of the user agent for
the realm of the resource being requested.
          Authorization  = "Authorization" ":" credentials
      HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [43]. If a request is
authenticated and a realm specified, the same credentials SHOULD
be valid for all other requests within this realm (assuming that
the authentication scheme itself does not require otherwise, such
as credentials that vary according to a challenge value or using
synchronized clocks).
      When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
      1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes "s-
maxage=0", the proxy MUST always revalidate it before re-using
it.
      2. If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server, using the
request-headers from the new request to allow the origin server
to authenticate the new request.
      3. If the response includes the "public" cache-control directive,
it MAY be returned in reply to any subsequent request.


2009/7/23 Igor Sysoev <[hidden email]>
On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:

> Thank you
> I see that works fine for that particular user:pass combo
>
> but (sorry to be a pain)
>
> that means i have to encode the user:pass combination into the config file
>
> what happens if there are thousands of user:pass combinations?
>
> how can this info be dynamically passed to the php backend for
> authentication to occur there (by looking up in a database for example)?
>
> i cant be updating the config file everytime a new user is added that can be
> crazy especially if there are thousands or more users
>
> Regards
>
> edit: i google and found this old email conversation on nginx mailinglist
> http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results

I do not understand your problem.
nginx passes client's user:pass in Authorization header transparently.

> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> >
> > > Hello
> > > just a quick question
> > >
> > > in lighttpd i was able to pass the username and pass from the url to php
> > > backend
> > >
> > > but nothing happens in nginx?
> > >
> > > let me explain
> > >
> > >
> > > lets say you have a URL like this
> > >
> > > http://userX:passY@.../bleh.php
> > >
> > >
> > > i expect my php backend to have user and pass entries in the $_SERVER
> > > variable as happens with lighttpd
> > >
> > > am i missing something with nginx? is it even possible?
> >
> > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > dXNlclg6cGFzc1k=
> >
> >      proxy_pass http://example.com/bleh.php;
> >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--



--
the sun shines for all

Reply | Threaded
Open this post in threaded view
|

Re: authentication being passed to php

István
no worries

;)

On Thu, Jul 23, 2009 at 4:29 AM, nginx.mailinglist <[hidden email]> wrote:
Hmm

sorry for mix up i think i confused myself

whatever happened i now get the following entries in my php's $_SERVER


[HTTP_AUTHORIZATION] => Basic dGVzdDEyMzphYmM1Njc=
[PHP_AUTH_USER] => test123
[PHP_AUTH_PW] => abc567


which is exactly what i wanted, i can take the above values now and perfrom authentication against the database

sorry for all the confusion
i dont think this was an issue at all in first place
just my tests were wrong

thanks for the prompt help



On Thu, Jul 23, 2009 at 12:13 PM, István <[hidden email]> wrote:
he is mixing up two different things

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

14.8 Authorization

      A user agent that wishes to authenticate itself with a server--
usually, but not necessarily, after receiving a 401 response--does
so by including an Authorization request-header field with the
request. The Authorization field value consists of credentials
containing the authentication information of the user agent for
the realm of the resource being requested.
          Authorization  = "Authorization" ":" credentials
      HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [43]. If a request is
authenticated and a realm specified, the same credentials SHOULD
be valid for all other requests within this realm (assuming that
the authentication scheme itself does not require otherwise, such
as credentials that vary according to a challenge value or using
synchronized clocks).
      When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
      1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes "s-
maxage=0", the proxy MUST always revalidate it before re-using
it.
      2. If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server, using the
request-headers from the new request to allow the origin server
to authenticate the new request.
      3. If the response includes the "public" cache-control directive,
it MAY be returned in reply to any subsequent request.


2009/7/23 Igor Sysoev <[hidden email]>
On Thu, Jul 23, 2009 at 11:22:19AM +0100, nginx.mailinglist wrote:

> Thank you
> I see that works fine for that particular user:pass combo
>
> but (sorry to be a pain)
>
> that means i have to encode the user:pass combination into the config file
>
> what happens if there are thousands of user:pass combinations?
>
> how can this info be dynamically passed to the php backend for
> authentication to occur there (by looking up in a database for example)?
>
> i cant be updating the config file everytime a new user is added that can be
> crazy especially if there are thousands or more users
>
> Regards
>
> edit: i google and found this old email conversation on nginx mailinglist
> http://markmail.org/message/tl7h2fclizgptwnr#query:NGINX%20PHP%20AUTHENTICATION+page:1+mid:f3xw2gjllat6urff+state:results

I do not understand your problem.
nginx passes client's user:pass in Authorization header transparently.

> 2009/7/23 Igor Sysoev <[hidden email]>
>
> > On Thu, Jul 23, 2009 at 10:50:12AM +0100, nginx.mailinglist wrote:
> >
> > > Hello
> > > just a quick question
> > >
> > > in lighttpd i was able to pass the username and pass from the url to php
> > > backend
> > >
> > > but nothing happens in nginx?
> > >
> > > let me explain
> > >
> > >
> > > lets say you have a URL like this
> > >
> > > http://userX:passY@.../bleh.php
> > >
> > >
> > > i expect my php backend to have user and pass entries in the $_SERVER
> > > variable as happens with lighttpd
> > >
> > > am i missing something with nginx? is it even possible?
> >
> > $echo userX:passY | perl -MMIME::Base64 -lne 'print encode_base64 $_'
> > dXNlclg6cGFzc1k=
> >
> >      proxy_pass http://example.com/bleh.php;
> >      proxy_set_header  Authorization "Basic dXNlclg6cGFzc1k=";
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >

--



--
the sun shines for all




--
the sun shines for all