Skip to content
/ nginx-auth-cas-lua Public

CAS authentication for nginx, similar to apache mod-auth-cas

License

View license
27 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

EsupPortail/nginx-auth-cas-lua

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

nginx-auth-cas-lua

WARNING, CAS integration is functional, but mileage may vary.

This is a CAS client written entirely using nginx's lua module. It is similar to apache mod_auth_cas.

Installation

Install dependencies

apt install libnginx-mod-http-lua

or

yum install nginx-mod-http-lua

mkdir -p /etc/nginx/lua/resty
cd /etc/nginx/lua/resty/
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http_headers.lua
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http_connect.lua
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http.lua

Install nginx-auth-cas-lua

cd /etc/nginx/lua/
wget https://raw.githubusercontent.com/prigaux/nginx-auth-cas-lua/master/src/cas.lua
wget https://raw.githubusercontent.com/prigaux/nginx-auth-cas-lua/master/src/global_cas_conf.lua

Configuration

  • configure cas_uri in /etc/nginx/lua/global_cas_conf.lua
  • configure various global stuff in nginx config
# needed for resty.http
resolver 8.8.8.8;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

lua_package_path '/etc/nginx/lua/?.lua;;';
lua_shared_dict cas_store 10M;
  • protect a location (REMOTE_USER is passed to proxy implicitly):
location /secured {
    access_by_lua_block { require('cas').forceAuthentication() }
    proxy_pass ...;
    ...
}

NB: access_by_lua_block must be before proxy_pass

  • or for FASTCGI protect a location and provide REMOTE_USER explicitly: 
    location /secured {
  access_by_lua_block { require('cas').forceAuthentication() }
  fastcgi_pass ...;
  fastcgi_param REMOTE_USER $http_remote_user;
  ...
}

Known limitations

  • only CAS protocol v2
  • no CAS proxy
  • no CAS single sign out

Various information

  • this work is based on Toshi Piazza's ngx-http-cas-client-lua
  • we could be using ngx.location.capture, but it does not work with HTTP/2.
  • with apache mod_auth_cas, you can not protect both in apache and in backend: mod_auth_cas will always validate the ticket, even if its session is valid. The current nginx-auth-cas-lua code does not have this limitation. NB: if the backend ask for proxy tickets, either use a different url to receive pgtIou, or use
if ($remote_addr !~ "^192[.]168[.]1[.](56|57)$") { # if request is from CAS, let it go to the backend unauthenticated (needed for pgtIOU)
    access_by_lua_block { require('cas').forceAuthentication() }
}

About

CAS authentication for nginx, similar to apache mod-auth-cas

Topics

nginx cas nginx-lua

Resources

Readme

License

View license
Activity
Custom properties

Stars

27 stars

Watchers

5 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages