Nginx: Difference between revisions
imported>Kvtb This no longer applies since NixOS 19.09. In 19.09 and newer versions, this is already handled by a patched version of nginx. The etag patch is applied by default, so no intervention is required |
imported>Kvtb Authentication via PAM |
||
| Line 102: | Line 102: | ||
==== HTTP Authentication ==== | ==== HTTP Authentication ==== | ||
===== Basic Authentication ===== | |||
Nginx can require users to login using HTTP Basic Authentication. In NixOS, this is set using the `basicAuth` option: | Nginx can require users to login using HTTP Basic Authentication. In NixOS, this is set using the `basicAuth` option: | ||
| Line 111: | Line 111: | ||
... | ... | ||
}; | }; | ||
}; | |||
</syntaxhighlight> | |||
===== Authentication via PAM ===== | |||
It is also possible to authenticate system users, e.g. users in the /etc/passwd file, by using the PAM module. | |||
<syntaxhighlight lang="nix"> | |||
security.pam.services.nginx.setEnvironment = false; | |||
services.nginx = { | |||
package = (pkgs.nginx.override { modules = [ pkgs.nginxModules.pam ]; }); # add PAM module | |||
... | |||
virtualHosts."example.com".extraConfig = '' | |||
auth_pam "Password Required"; | |||
auth_pam_service_name "nginx"; | |||
''; | |||
}; | |||
</syntaxhighlight> | |||
However, if the password of the user is stored in /etc/shadow, nginx by default will not be able to check the password. Nginx needs to run as root: | |||
<syntaxhighlight lang="nix"> | |||
services.nginx = { | |||
user = "root"; # allow access to /etc/shadow | |||
appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; | |||
... | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
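Review bot: The last added block sets `user = "root";` and appends `user ${cfg.user} ${cfg.group};`, so the nginx worker processes that handle untrusted requests run as root solely so that PAM can read /etc/shadow. The text should state that consequence explicitly and present it as a trade-off the reader has to accept, not just as the step that makes the password check work. It would help to recommend limiting this setup to hosts that need system-user login. Two smaller points in the same hunk: `security.pam.services.nginx.setEnvironment = false;` is added with no comment explaining why it is needed, and because `auth_pam` collects system account passwords through HTTP authentication, the `virtualHosts."example.com"` example should mention that the host must be served over TLS only.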