"One Time" authentication (+reverse proxy, pam, radius)

Hello,

I want to create a “reverse” proxy. I want users of the reverse proxy
to authenticate to a radius server. I accomplished this by:

nginx.conf:

    server {
        listen 443 ssl;
        server_name x.y.com;
        ssl_certificate /usr/local/etc/ssl/x.y.com.chain.crt;
        ssl_certificate_key /usr/local/etc/ssl/x.y.com.key;
        location / {
            # HTTP Basic auth checked through PAM (ngx_http_auth_pam_module)
            auth_pam "Secure Zone";
            # PAM service name, i.e. the pam.d/nginx file below
            auth_pam_service_name "nginx";
            proxy_pass http://x.y.local;
        }
    }

pam.d/nginx:

    auth required pam_radius.so

This works… except the RADIUS password is actually a “one time
password”. It appears the web client retransmits the
previously-accepted username/password for each proxied page. This
will not work when using OTP (one time passwords).

Can anyone suggest a way to achieve:

  1. reverse proxy

  2. the reverse-proxy authenticates the user (ideally using RADIUS or
    PAM)

  3. the authentication is “cached” and not re-submitted for each page
    visited

I imagine the only way to do this is to perform “authentication” in
the “application layer” using some kind of custom CGI and cookies.

Thank you,

Chris
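
The behaviour described in the message above, as an added example that is not part of the original post: a one-time code is consumed by the first check, so re-sending it on every request fails, while a signed, expiring session cookie issued after that one check can be verified on each page without contacting the OTP server again. OneTimeBackend, SESSION_KEY, SESSION_TTL and the cookie layout are hypothetical names and values chosen for illustration; the backend is a constructed stand-in for the RADIUS server.

```python
import hashlib
import hmac
import secrets
import time

SESSION_KEY = secrets.token_bytes(32)  # assumption: per-process signing key
SESSION_TTL = 900                      # assumption: session lifetime in seconds

class OneTimeBackend:
    """Constructed stand-in for the RADIUS/OTP server: each code works once."""
    def __init__(self, codes):
        self._unused = set(codes)      # (user, otp) pairs not yet consumed

    def check(self, user, otp):
        if (user, otp) in self._unused:
            self._unused.remove((user, otp))
            return True
        return False                   # replayed or unknown code

def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, now=None):
    """Cookie value 'user|expiry|mac', issued after ONE successful OTP check."""
    expiry = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"

def verify_session(cookie, now=None):
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.rsplit("|", 2)
        expires_at = int(expiry)
    except (ValueError, AttributeError):
        return None                    # malformed cookie
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
        return None                    # forged or altered cookie
    if (time.time() if now is None else now) >= expires_at:
        return None                    # expired: user must log in again
    return user

def handle(backend, user=None, otp=None, cookie=None, now=None):
    """Gateway decision (status, cookie): session first, OTP only at login."""
    if cookie and verify_session(cookie, now):
        return 200, cookie
    if user and otp and backend.check(user, otp):
        return 200, issue_session(user, now)
    return 401, None
```

When such a value is sent to the browser over the TLS listener, it should be set as a cookie with the Secure and HttpOnly attributes.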

On Sat, Dec 20, 2014 at 3:46 PM, Chris S. [email protected] wrote:

  2. the reverse-proxy authenticates the user (ideally using RADIUS or PAM)

  3. the authentication is “cached” and not re-submitted for each page visited

A followup:

I accomplished this using Apache 2.4 and mod_auth_xradius.

Chris