Hi,
I just started with a small company that’s got a bunch of web apps being
served up from a bunch of different web servers. Some are ‘appliances’,
most are Apache.
It’s a mess of an infrastrucutre – slow and . My long term plan is to
convert to one lighter weight platform with commercial support
available. Although I haven’t used it myself for anything in production
yet, after a bunch of reading and some fooling around on my own, I’m 99%
sure it’s going to be Nginx.
In the short term – like the boss wants it yesterday! – I need to put
everything behind two factor authentication and enable SSL. Right now,
every web app is directly exposed to the web with single-factor auth
over http://.
In principle, I think I can solve this in one nginx instance. Setting
nginx up to listen on one IP, and serve up separate SSL certificates for
each web app is brilliantly easy in nginx! Works perfectly. SO that
part’s basically done.
The auth piece has me scratching my head – and I hope somebody here can
provide some guidance.
What I want to do is have all access to the webapps FIRST go through a
two factor authentication webpage in nginx. The two factors I need are
(1) a simple password known to the user, and (2) a
GoogleAuthenticator-generated token/passcode.
ONLY on correct & timely enter of both do I want the user passed through
to the webapp on one of those servers I mentioned. But once they do,
the ‘authentication site’ should become trabsparent and not interfere at
all with the session, etc.
I’m not sure how to:
(1) implement Google AUthenticator integration in Nginx. I’ve looked
for something built-in, or some plugin, which would be fantastic. But
I’ve haven’t found anything reliable yet.
(2) make sure that after Authentication is OK to make everything
transparent to & from the webapps behind the nginx instance. Is this
proxying? I’m pretty sure I need to pass some sort of variables, but is
there some setting that bundles up everything so it’s fully transparent?
Are there any built-in ways – and better yet, good tutorials! – that
exist alrady for these? I doubt I’ve thought up anything new here, so
I’m hoping someone’s already posted some know-how.
THanks a bunch for any help!
Dave