如何使用nginx进行用户级访问控制

时间:2015-01-10 14:29:18

标签: nginx lua docker-registry openresty

我希望将nginx用于特定网址的用户级访问控制,

对于其他用户<uid>,他们仅限访问http://myserver.com/<uid>(METHOD POST)。用户larrycai只能发布到http://myserver.com/larrycai/xxx

我不想在上游服务器中拥有此控件。

基本身份验证用于访问身份验证,如下所示

server {
    ...
    auth_basic "Auth";
    auth_basic_user_file conf/htpasswd;
}

现在我如何将经过身份验证的用户映射到自己的网址? (我是nginx的新手)。

我的用例是docker-registry前面的nginx docker容器,可以更好地控制用户访问。

2015.1.1更新

uid与unix系统无关,它仅用于应用程序,映射到REST接口

是否可以使用额外的模块,如openresty(基于lua)?

2 个答案:

答案 0 :(得分:8)

我已经能够找到一个解决方案,使许多用户能够从我的docker-registry中提取容器,只有特殊的授权用户才能使用ngx_openresty-1.7.7.1

来推送到我的注册表

<强> /usr/local/openresty/nginx/conf/nginx.conf

worker_processes  1;
error_log /var/log/lua.log notice;

events {
   worker_connections  1024;
}

http {
   include       mime.types;
   default_type  application/octet-stream;

   sendfile        on;
   keepalive_timeout  65;
    # For versions of nginx > 1.3.9 that include chunked transfer encoding support
    # Replace with appropriate values where necessary

    upstream docker-registry {
      server localhost:5000;
    }

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }

    server {
      listen 443;
      server_name docker-registry01.company.com;

      ssl on;
      ssl_certificate /etc/ssl/certs/docker-registry;
      ssl_certificate_key /etc/ssl/private/docker-registry;

      client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

      # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
      chunked_transfer_encoding on;

      location / {
        auth_basic            "Restricted";
        auth_basic_user_file docker-registry.htpasswd;
        access_by_lua_file 'authorize.lua';

        include               docker-registry.conf;
      }

      location /_ping {
        auth_basic off;
        include               docker-registry.conf;
      }

      location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
      }

    }
}

<强> /usr/local/openresty/nginx/conf/docker-registry.conf

proxy_pass                       http://docker-registry;
proxy_set_header  Host           $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP      $remote_addr; # pass on real client's IP
proxy_set_header  Authorization  ""; # see https://github.com/dotcloud/docker-registry/issues/170
proxy_read_timeout               900;

<强> /usr/local/openresty/nginx/authorize.lua

-- authorization rules

local restrictions = {
  all  = {
    ["^/$"]                             = { "HEAD" }
  },
  user = {
    ["^/$"]                             = { "HEAD", "GET" },
    ["^/v1/search$"]                    = { "HEAD", "GET" },
    ["^/v1/repositories/.*$"]           = { "HEAD", "GET" },
    ["^/v1/images/.*$"]                 = { "HEAD", "GET" }
  },
  admin  = {
    ["^/$"]                             = { "HEAD", "GET" },
    ["^/v1/search$"]                    = { "HEAD", "GET" },
    ["^/v1/repositories/.*$"]           = { "HEAD", "GET", "PUT" },
    ["^/v1/images/.*$"]                 = { "HEAD", "GET", "PUT" }
  }
}

-- list of roles and users
local user_role = {
   all   = {"all"},
   user  = {"user", "user2", "user3", "etc..."},
   admin = {"admin", "dave_albert", "other_admin", "jenkins"}
}

-- get authenticated user as role
local user = ngx.var.remote_user
local role = nil
for _role, user_list in pairs(user_role) do
   for k,user_name in pairs(user_list) do
      if user_name == user then
         role = _role
      end
   end
end

-- exit 403 when no matching role has been found
if restrictions[role] == nil then
  ngx.header.content_type = 'text/plain'
  ngx.status = 403
  ngx.say("403 Forbidden: You don't have access to this resource/role.")
  return ngx.exit(403)
end

-- get URL
local uri = ngx.var.uri

-- get method
local method = ngx.req.get_method()

local allowed  = false

for path, methods in pairs(restrictions[role]) do

  -- path matched rules?
  local p = string.match(uri, path)

  local m = nil

  -- method matched rules?
  for _, _method in pairs(methods) do
    m = m and m or string.match(method, _method)
  end

  if p and m then
    allowed = true
  end
end

if not allowed then
  ngx.header.content_type = 'text/plain'
  ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource  ["..method.." "..uri.."]")
  ngx.status = 403
  ngx.say("403 Forbidden: You don't have access to this resource.")
  return ngx.exit(403)
else
  ngx.log(ngx.WARN, "User ["..user.."] accessing resource ["..method.." "..uri.."]")
end

答案 1 :(得分:0)

您无法看到,让用户进入您的配置。

您可以通过

限制某些访问权限
location /larrycai {
    deny all;
}

总而言之,你无法通过nginx来限制这一点。 你可以写一个PHP脚本,但这似乎不是你想要的。