
I have a server. One of its functions is Syncthing. This app has no per-user authorization, only admin. So I decided to run different Syncthing instances for each user.

For authorization process I would like to use unix user names and passwords (from /etc/passwd).

I imagine using nginx as the reverse proxy and authorization verifier. Could you please verify my idea and help me with examples?

Sample services layout:

  • Syncthing user1 listens on 127.0.0.1:8384
  • Syncthing user2 listens on 127.0.0.1:8385
  • Syncthing user3 listens on 127.0.0.1:8386
  • Nginx (or other) listens on all interfaces including IPv6 on default HTTPS port 0.0.0.0:433

Address would be https://synxrage.local/syncthing. Port must never appear in URLs.

Depending on the successfully authorized user, the proxy directs to a different internal port and the user sees his admin panel.

  • Does this answer your question? How can I forward requests from my web server? Commented Mar 12, 2022 at 17:16
  • @vidarlo not really. The actual problem (use different backends for different authenticated users) is not addressed there. I don't know if that is even possible. Commented Mar 13, 2022 at 5:59
  • This ticket suggests the $remote_user variable. It should be possible to use this to define the backend server to use. Commented Mar 13, 2022 at 6:06

1 Answer


Okay, this nagged me and it was actually quite easy using the $remote_user variable.

To enable PAM auth you need to do some things:

Install nginx-extras:

sudo apt -y install nginx-extras 

Create /etc/pam.d/nginx and add the following content:

auth include common-auth
account include common-account

Allow nginx to read the shadow file:

sudo usermod -aG shadow www-data 

Instructions found here.

Now you can configure nginx:

# configure one upstream per user
# give it the name of the user that logs in
upstream usera {
    server localhost:8384;
}
upstream userb {
    server localhost:8385;
}
upstream userc {
    server localhost:8386;
}

# now configure the actual reverse proxy
server {
    listen 80 default_server;

    location / {
        # add pam authentication
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";

        # configure reverse proxy to connect to the per-user backend
        # (nginx matches the value of $remote_user against the upstream names above)
        proxy_pass http://$remote_user;
    }
}
  • Is there a way to manage upstreams dynamically? I mean, add or remove users depending on a changing user list at runtime. I even think of UID-based math: UID-1000+8384, where UID is the Linux user ID. The first user usually has id 1000. Commented Mar 13, 2022 at 19:56
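The UID-based idea from the comment above, as an added example that is not part of the original answer: a POSIX shell helper that generates an nginx map block from /etc/passwd (port = UID - 1000 + 8384), restricted to a bounded UID range and with an empty default so that a PAM-authenticated user without a Syncthing instance gets a 403 instead of nginx trying to resolve the bare username as a hostname. The variable name $syncthing_backend, the UID bounds and the sample passwd lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper (not from the original answer): turn /etc/passwd into an
# nginx "map" that translates the PAM-authenticated $remote_user into the
# per-user Syncthing backend using port = UID - MIN_UID + BASE_PORT.
BASE_PORT=8384
MIN_UID=1000
MAX_UID=1099   # bounded range: at most 100 instances, ports 8384..8483

# backend_port <uid>: the port arithmetic on its own.
backend_port() {
    echo $(( $1 - MIN_UID + BASE_PORT ))
}

# gen_syncthing_map: reads passwd lines on stdin, prints the map block.
# Accounts outside the UID range or with a nologin/false shell fall through to
# the empty default; names are restricted to [A-Za-z0-9_-] so nothing in the
# output can break out of nginx configuration syntax.
gen_syncthing_map() {
    printf 'map $remote_user $syncthing_backend {\n    default "";\n'
    awk -F: -v base="$BASE_PORT" -v min="$MIN_UID" -v max="$MAX_UID" '
        $3 >= min && $3 <= max && $7 !~ /nologin|false/ && $1 ~ /^[A-Za-z0-9_-]+$/ {
            printf "    %s 127.0.0.1:%d;\n", $1, base + ($3 - min)
        }'
    printf '}\n'
}

# The generated block is used in the server block like this (nginx, not shell):
#   location / {
#       auth_pam "PAM Authentication";
#       auth_pam_service_name "nginx";
#       if ($syncthing_backend = "") { return 403; }   # authenticated, but no instance
#       proxy_pass http://$syncthing_backend;
#   }

# Constructed sample passwd content for demonstration (not a real system file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/bash
user2:x:1001:1001:User Two:/home/user2:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Real use would be: gen_syncthing_map < /etc/passwd > /etc/nginx/conf.d/syncthing-map.conf
printf '%s\n' "$SAMPLE_PASSWD" | gen_syncthing_map
```

Regenerate the map and reload nginx whenever the user list changes; the 403 branch means a newly added account is harmless until its Syncthing instance and map entry exist.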
