The task was to protect the admin part of a site, and to do it without changing the site's own code. The best I could find were oauth2_proxy and nginx-google-oauth, but both require handling OAuth callbacks. I did not like these solutions and rejected them.
So I had to turn to one of the nginx modules, auth_request, and reinvent the wheel a little.
Since I am not a programmer, I will gladly take comments on my amateurish code. So, I sketched a simple application.
The installation example is based on Debian / Ubuntu.
Installation:
Application Setup:
The last command will give something like this:
    Scan QR: http://2qr.ru/otpauth://totp/OTPAuth:test1?secret=LOS5VMN5WI3FUTE4&issuer=OTPAuth
    Or add manually SECRET KEY: LOS5VMN5WI3FUTE4
    Emergency codes: 39816948,88908661,07327337,95159743,24616032

Add this to your OTP generator. You probably already have Google Authenticator or something similar installed; if not, install it.
Google has a help page on this. When a user is added, backup (emergency) codes are generated as well, in case you lose your phone.
Now we configure nginx. For the location to be protected, add:

    location /private {
        ...
        auth_request /auth;
        error_page 401 /login;
        ...
    }
And these two locations do the authorization. /auth is marked internal so clients cannot request it directly, and auth_request only looks at the status code the application returns: 2xx lets the original request through, 401 or 403 denies it (the request body is dropped from the subrequest, so the application must decide from headers such as the session cookie alone):

    location = /auth {
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_pass http://127.0.0.1:5000;
    }

    location = /login {
        proxy_pass http://127.0.0.1:5000;
    }
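To make the contract between nginx and the backend concrete, here is an added example (it is not the author's application, whose code is not shown on this page) of what the service on 127.0.0.1:5000 has to do: verify RFC 6238 TOTP codes with a small drift window and a replay guard, accept each emergency code only once, answer the auth_request subrequest on /auth with 200 or 401 based on a session cookie, and issue that cookie from /login. The cookie name otp_session, the OtpUser class, the in-memory USERS/SESSIONS stores and the request() helper are assumptions for this example; the user and emergency codes are taken from the post's sample output.

```python
# Added example, not the post's own application. Names such as otp_session, OtpUser,
# USERS and SESSIONS are assumptions made here for illustration.
import base64
import hashlib
import hmac
import io
import secrets
import struct
import time
from urllib.parse import parse_qs


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    s = secret_b32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t) // step, digits)


class OtpUser:
    """One enrolled user: TOTP secret, hashed single-use emergency codes, replay guard."""

    def __init__(self, secret_b32: str, backup_codes):
        self.secret = secret_b32
        self.backup_hashes = [hashlib.sha256(c.encode()).hexdigest() for c in backup_codes]
        self.last_counter = -1  # highest TOTP counter already accepted

    def verify(self, code: str, at: float = None, step: int = 30, window: int = 1) -> bool:
        code = code.strip().replace(" ", "")
        t = time.time() if at is None else at
        counter = int(t) // step
        # Tolerate +/- `window` steps of clock drift, but never accept a counter twice.
        for c in range(counter - window, counter + window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        # Otherwise try the emergency codes; each one is consumed on first use.
        h = hashlib.sha256(code.encode()).hexdigest()
        for i, stored in enumerate(self.backup_hashes):
            if hmac.compare_digest(stored, h):
                del self.backup_hashes[i]
                return True
        return False


# Constructed data: the user and emergency codes from the post's example output.
USERS = {"test1": OtpUser("LOS5VMN5WI3FUTE4",
                          ["39816948", "88908661", "07327337", "95159743", "24616032"])}
SESSIONS = {}  # session token -> username (in-memory for the example)
LOGIN_FORM = (b'<form method="post" action="/login">'
              b'<input name="user"><input name="code" autocomplete="one-time-code">'
              b'<button>Login</button></form>')


def _cookies(environ):
    jar = {}
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    return jar


def app(environ, start_response):
    """WSGI app: /auth serves the auth_request subrequest, /login handles the form."""
    path, method = environ.get("PATH_INFO", "/"), environ.get("REQUEST_METHOD", "GET")
    if path == "/auth":
        # nginx ignores the body here; 2xx allows the original request, 401/403 denies it.
        ok = SESSIONS.get(_cookies(environ).get("otp_session")) is not None
        start_response("200 OK" if ok else "401 Unauthorized", [("Content-Type", "text/plain")])
        return [b""]
    if path == "/login" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        name = form.get("user", [""])[0]
        user = USERS.get(name)
        if user is not None and user.verify(form.get("code", [""])[0]):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = name
            start_response("303 See Other", [
                ("Location", "/private"),
                ("Set-Cookie", f"otp_session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"),
            ])
            return [b""]
    # GET /login, a failed POST, or anything else: show the form with 401.
    start_response("401 Unauthorized", [("Content-Type", "text/html")])
    return [LOGIN_FORM]


def request(method: str, path: str, cookie: str = "", body: bytes = b""):
    """Drive `app` without a server, the way nginx would; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = {}

    def start_response(status, headers):
        out["status"], out["headers"] = status, dict(headers)

    payload = b"".join(app(environ, start_response))
    return out["status"], out["headers"], payload
```

Run it with any WSGI server bound to 127.0.0.1:5000 (for example `wsgiref.simple_server.make_server("127.0.0.1", 5000, app).serve_forever()`) and nginx's auth_request will get its 200/401 answer from /auth. The Secure flag on the cookie means the login only works over HTTPS, which is the right default for an admin section; the replay guard and the hashed, single-use emergency codes are the two details most small TOTP implementations forget.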
We start the application and reload nginx:

    sudo service nginx reload
    python manage.py runserver
Now when you open site.name/private, you will see the one-time password input page:

What is implemented:
- One-time password check
- User management
- Backup codes
What are the plans:
- Make the application configurable
- Daemonization
- Logging