Group based HTTP basic authentication using Nginx and MySQL with help of Lua

Recently I moved from Apache to Nginx on one of my servers due to increase in traffic. But I was using HTTP Basic authentication with group based authorization on Apache in this manner:

However, there’s no AuthGroupFile  in nginx. But LUA, a programming language is supported in nginx. So here’s how I used LUA and MySQL for achieving this:

Now the real magic comes in the authenticate.lua  script, I’m posting the code below which is available in Github as well:

The group authentication script looks for users and groups in a table called http_users. Since this is a script you can modify the way users are searched for in the database or change the database altogether!
The lua modules required to run this script are: resty.mysql, resty.session, resty.string and cjson. Though the passwords are stored in the database as a SHA224 hash, the comparison of the password is done by the database itself. I did not convert the password to hash before sending it to database, so you may want to review this in case you are using remote database. I’m using local database over Unix socket so it doesn’t matter much.

The table and triggers I have for the same:

The triggers are required to convert the INSERT  or UPDATE statements into SHA224. I’m using MySQL’s SET data type to ensure that the group value is fixed. The same values can be used by Nginx in $user_group  variable before specifying the access_by_lua_file  directive.

FreeBSD IPFW NAT and Jails

IPFW in FreeBSD has built-in support for NATing and the configuration syntax is same as that of natd. It took me quite some time to figure out how to NAT for jails while ensuring that certain jails can have public IPs.

Configure the nat on one of the IP addresses:

When using stateful firewall, the NAT rule for incoming traffic must appear before check-state:

Other rules (service ports) can be placed below this:

Then the NAT rule for outgoing traffic:

Notice above, I am NATing only traffic that comes from . I allocate jails an IP on that subnet (unless I need a public IP for the jail). If the source is not mentioned in the rule, it will NAT even public IPs!

And finally, the outgoing ports:

The catch here is that we jump to the NAT rule only if the traffic comes from . If the traffic is coming from somewhere else (for example, a public IP allocated to one of the jails), it will hit the second rule and directly allow it.

Make sure you have the rule to allow loX traffic if you have separate clone interfaces for each jail.

Final touches:

The firewall script ipfw.rules must to contain other rules for services, icmp, etc not mentioned here.
Everything working smoothly now – ip4 from private jails, ip4 and ip6 from others 😀

FreeBSD ipfw: add_dyn_rule: Cannot allocate rule

One of the servers I run has FreeBSD 10. It hosts a high traffic Magento site. Magento being a very heavy application, requires a dedicated server. The site’s performance is very bad when it is hosted on VPS — or perhaps that depends on provider / needs tuning. Not my site. My task was to move it to dedicated server so I don’t have to consider all that stuff.

As someone new to FreeBSD, I try to stick to tools and utilities that are provided by FreeBSD itself and do not rely on those provided by other BSDs. This rule is quite flexible, but I can’t cite examples of relying on tools by other BSDs that I’m using right now. So, naturally, for firewall I chose IPFW which is FreeBSD’s own firewall. The other firewalls supported by FreeBSD are PF (which comes from OpenBSD) and IPFilter (which comes from NetBSD).

Continue reading “FreeBSD ipfw: add_dyn_rule: Cannot allocate rule”

The move from Linux to FreeBSD

About 2 months ago, I had a spare VPS at my host, Hetzner. So I decided to play with FreeBSD which was being offered for Hetzner servers and VPSes.
That’s how the whole thing started. I didn’t have much problems getting the concepts because it belongs to *nix family of OSes and I have been a pure Linux user since 2008.

First of all the basic difference between FreeBSD and GNU/Linux is that Linux is just the kernel and GNU is the userland. In layman’s terms, the hardware interface is called Linux, while the rest of the part: the shell, core tools, etc are GNU.It’s a piece from there, another from somewhere else and merging the whole thing into one collectively known as GNU/Linux. Linux itself cannot boot without GNU and GNU will not work without Linux (Yes, there is a GNU kernel project called GNU Hurd, but I don’t how far that went).
In FreeBSD, the whole thing is a complete unit. FreeBSD was derived from the original AT&T Unix and open sourced. You can read more about the differences at over-yonder.

Continue reading “The move from Linux to FreeBSD”

Securing FreeBSD server with Fail2Ban and IPFW

I’ve been playing with a FreeBSD machine for a while now and my primary server now runs FreeBSD 😀
So I came across this problem: installing Fail2Ban with IPFW.

FreeBSD has three different firewalls, so it’s difficult for any upstream application to decide on what kind of setup it should advocate. There is no one-size-fits-for-all. I read about various firewalls, and since I wanted to stick with FreeBSD only, I decided to use IPFW.

Continue reading “Securing FreeBSD server with Fail2Ban and IPFW”