
I have a server. One of its functions is SyncThing. This app has no per-user authorization, only admin. So I decided to run different Syncthing instances for each user.

For the authorization process I would like to use Unix user names and passwords (from /etc/passwd).

I imagine using nginx as the reverse proxy and authorization verifier. Could you please verify my idea and help me with examples?

Sample services layout:

  • Syncthing user1 listens on 127.0.0.1:8384
  • Syncthing user2 listens on 127.0.0.1:8385
  • Syncthing user3 listens on 127.0.0.1:8386
  • Nginx (or other) listens on all interfaces including IPv6 on default HTTPS port 0.0.0.0:433

Address would be https://synxrage.local/syncthing. Port must never appear in URLs.

Depending on the successfully authorized user, the proxy directs to a different internal port and the user sees his admin panel.

kyb
  • Does this answer your question? [How can I forward requests from my web server?](https://serverfault.com/questions/1035016/how-can-i-forward-requests-from-my-web-server) – vidarlo Mar 12 '22 at 17:16
  • @vidarlo not really. The actual problem (use different backends for different authenticated users) is not addressed there. I don't know if that is even possible. – Gerald Schneider Mar 13 '22 at 05:59
  • [this ticket](https://trac.nginx.org/nginx/ticket/439) suggests the [`$remote_user` variable](http://nginx.org/en/docs/http/ngx_http_core_module.html#var_remote_user). It should be possible to use this to define the backend server to use. – Gerald Schneider Mar 13 '22 at 06:06
  • thank you guys for comments – kyb Mar 13 '22 at 19:51

1 Answer


Okay, this nagged me and it was actually quite easy using the $remote_user variable.

To enable PAM auth you need to do some things:

Install nginx-extras:

sudo apt -y install nginx-extras

Create /etc/pam.d/nginx and add the following content:

auth       include      common-auth
account    include      common-account

Allow nginx to read the shadow file:

sudo usermod -aG shadow www-data

Instructions found here.

Now you can configure nginx:

# configure one upstream per user
# give it the name of the user that logs in

upstream usera {
    server localhost:8384;
}

upstream userb {
    server localhost:8385;
}

upstream userc {
    server localhost:8386;
}

# now configure the actual reverse proxy

server {
    listen 80 default_server;

    location / {
        # add pam authentication
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";

        # configure reverse proxy to connect to the per-user backend
        proxy_pass http://$remote_user;
    }
}
Gerald Schneider
  • Is there a way to manage upstreams dynamically? I mean add or remove users depending on a changing user list at runtime. I even think of UID-based math: UID-1000+8384, where UID is the Linux user ID. The first user usually has id 1000. – kyb Mar 13 '22 at 19:56
  • Big thank you!! – kyb Mar 13 '22 at 19:57
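The answer's per-user backend idea, extended for the changing user list asked about in the comments, as an added example that is not part of the original answer: a POSIX shell script that generates an nginx map from passwd entries using the UID-based port scheme from the comments (port = 8384 + UID - 1000), plus a server block that returns 403 for any authenticated user who has no mapped backend instead of letting proxy_pass guess. The map/if/return approach, the variable name $syncthing_backend and the 1000..59999 UID range are my assumptions, not from the page.

```shell
# Added example, not from the original answer: build the nginx per-user
# backend mapping from passwd input with the UID scheme from the comments
# (port = 8384 + UID - 1000); unmapped users get an empty backend -> 403.
set -eu
BASE_PORT=8384
MIN_UID=1000      # first regular account on most distributions (assumed)
MAX_UID=59999     # stay below the nobody/system range (assumed)

# backend_port UID -> port of that user's Syncthing instance
backend_port() {
    echo $(( BASE_PORT + $1 - MIN_UID ))
}

# Read passwd lines on stdin (e.g. from `getent passwd`) and emit a map{}
# for the http{} context; skips system accounts and non [A-Za-z0-9_-] names.
gen_backend_map() {
    printf 'map $remote_user $syncthing_backend {\n'
    printf '    default "";\n'
    while IFS=: read -r name _pw uid _rest; do
        case "$uid" in '' | *[!0-9]*) continue ;; esac
        [ "$uid" -ge "$MIN_UID" ] && [ "$uid" -le "$MAX_UID" ] || continue
        case "$name" in '' | *[!A-Za-z0-9_-]*) continue ;; esac
        printf '    "%s" 127.0.0.1:%s;\n' "$name" "$(backend_port "$uid")"
    done
    printf '}\n'
}

# Server block consuming the map; auth_pam directives as in the answer.
gen_server_block() {
    cat <<'EOF'
server {
    listen 80 default_server;
    location / {
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";
        # authenticated but not in the map: refuse instead of guessing
        if ($syncthing_backend = "") { return 403; }
        proxy_pass http://$syncthing_backend;
    }
}
EOF
}

# Constructed sample passwd data for a stand-alone run (not a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
usera:x:1000:1000::/home/usera:/bin/sh
userb:x:1001:1001::/home/userb:/bin/sh
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin'
printf '%s\n' "$SAMPLE_PASSWD" | gen_backend_map
gen_server_block
```

On a real host, feed `getent passwd` into gen_backend_map, place the output in the http{} context, and reload nginx whenever accounts are added or removed.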