multiotp as Authenticator for nginx

edited February 2022 in General
Hi there, I'm really a newbie on multiotp and nginx, therefore my question might be a little dumb.

I'd like to have a reverse proxy which pre-authenticates users using MFA (with multiotp as source). In my current plan I need nginx as reverse proxy, multiotp for MFA and an Apache as interface for authentication between the reverse proxy (nginx) and multiotp (because nginx does not speak RADIUS).

Is there a way to omit Apache and have multiotp do its work? Or will there be an easier way to solve this?

Kind regards, mth9977

Comments

  • no one out there?
  • edited March 2022
    Hello,

    Instead of "speaking" RADIUS, you could implement in PHP a prefix code with an HTTP authentication. Something like that:

    auto_prepend_file "multiotp.prepend.php"

    And here is a multiotp.prepend.php sample:
    <?php
    require_once('multiotp/multiotp.class.php');

    /*************************************************
     *
     * Function to check the username and the password
     * and to cache the authentication result
     *
     *************************************************/
    function authenticate_and_cache($username, $password, $timeout)
    {
        $result = FALSE;
        $cache_unique_id = (isset($_SESSION["authentication_unique_id"]) ? $_SESSION["authentication_unique_id"] : '');
        if ('' != $cache_unique_id) {
            // Read the cached values; a missing key counts as "not set"
            $cache_timestamp   = (isset($_SESSION[$cache_unique_id."_authentication_timestamp"]) ? $_SESSION[$cache_unique_id."_authentication_timestamp"] : 0);
            $cache_remote_addr = (isset($_SESSION[$cache_unique_id."_authentication_remote_addr"]) ? $_SESSION[$cache_unique_id."_authentication_remote_addr"] : "");
            $cache_username    = (isset($_SESSION[$cache_unique_id."_authentication_username"]) ? $_SESSION[$cache_unique_id."_authentication_username"] : "");
        } else {
            $cache_timestamp   = 0;
            $cache_remote_addr = "";
            $cache_username    = "";
        }
        if ((0 == $cache_timestamp) ||                          // If the timestamp is not set
            (time() > ($cache_timestamp + $timeout)) ||         // or the timestamp has expired
            ($cache_remote_addr != $_SERVER['REMOTE_ADDR']) ||  // or the client IP is another one
            ($cache_username != $username))                     // or the username has changed
        {
            // No valid cached result: ask multiOTP to check the token
            $multiotp = new Multiotp();
            $multiotp->SetUsersFolder('multiotp/users/');
            $multiotp->SetLogFolder('multiotp/log/');
            $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
            $multiotp->EnableVerboseLog(); // Could be helpful at the beginning
            $multiotp->SetUser($username);
            $result = (0 == $multiotp->CheckToken($password)); // 0 means the token is accepted
            if (TRUE == $result) {
                if ('' == $cache_unique_id) {
                    $cache_unique_id = md5(uniqid(rand(), true));
                }
                $_SESSION["authentication_unique_id"] = $cache_unique_id;
                $_SESSION[$cache_unique_id."_authentication_timestamp"]   = time();
                $_SESSION[$cache_unique_id."_authentication_remote_addr"] = $_SERVER['REMOTE_ADDR'];
                $_SESSION[$cache_unique_id."_authentication_username"]    = $username;
            } else {
                $_SESSION["authentication_unique_id"] = '';
            }
        } else {
            // Cached result is still valid: refresh the timestamp (sliding timeout)
            $_SESSION[$cache_unique_id."_authentication_timestamp"] = time();
            $result = TRUE;
        }
        return $result;
    }

    // Start session if not already done
    if ('' == session_id()) {
        session_start();
    }

    $php_auth_user    = (isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : "");
    $php_auth_pw      = (isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : "");
    $php_auth_realm   = "Login on the server ".$_SERVER["SERVER_NAME"];
    $php_auth_timeout = 0.5 * 60; // Cached authentication expires after 30 seconds for the trial

    if (('' == $php_auth_user) || (!authenticate_and_cache($php_auth_user, $php_auth_pw, $php_auth_timeout))) {
        header("HTTP/1.0 401 Unauthorized");
        header("WWW-Authenticate: Basic realm=\"".$php_auth_realm."\"");
        echo "<html>";
        echo "<head><title>401 Unauthorized access</title></head>";
        echo "<body>";
        echo "<h1>401 Unauthorized access</h1>";
        echo "<br />";
        echo "You must login using your username and your password.";
        if ('' != (trim($php_auth_user))) {
            echo "<br />";
            echo "<br />";
            // The username comes from the client, so escape it before echoing it into HTML
            echo "You tried to login with the user ".htmlspecialchars($php_auth_user);
        }
        echo "</body>";
        echo "</html>";
        exit;
    }
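To drop Apache from the chain described in the question, nginx can run the check script from this answer through its auth_request module against PHP-FPM. This is an added example, not from the thread or the multiOTP project; the PHP-FPM socket, script location, backend address, server name and certificate paths are assumptions.

```nginx
# Added example (not from the thread): nginx pre-authenticates every request by
# calling the multiotp.prepend.php check script via auth_request, so no Apache
# is needed. Assumed: PHP-FPM listens on /run/php/php-fpm.sock, the script lives
# at /var/www/multiotp/multiotp.prepend.php, the protected app is on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name proxy.example.net;                    # placeholder
    ssl_certificate     /etc/ssl/placeholder.crt;     # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;     # placeholder
    # Basic auth carries the one-time password in the Authorization header,
    # so this vhost is TLS only.

    location / {
        # Every request is first checked by the internal auth location;
        # a 401 from the script (with its WWW-Authenticate header) is
        # returned to the client, a 200 lets the request through.
        auth_request /multiotp-auth;

        # Relay the PHP session cookie set by the check script, otherwise the
        # browser never learns its session and the cached result is never reused.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://127.0.0.1:8080;             # assumed backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location = /multiotp-auth {
        internal;                                     # not reachable by clients
        # Client request headers (Authorization, Cookie) are forwarded to
        # PHP-FPM as HTTP_* by default; PHP-FPM fills PHP_AUTH_USER and
        # PHP_AUTH_PW from HTTP_AUTHORIZATION, which is what the script reads.
        fastcgi_param SCRIPT_FILENAME /var/www/multiotp/multiotp.prepend.php;
        fastcgi_param SCRIPT_NAME     /multiotp-auth;
        fastcgi_param REQUEST_METHOD  GET;
        fastcgi_param REMOTE_ADDR     $remote_addr;   # compared against the cache
        fastcgi_param SERVER_NAME     $server_name;   # used in the realm text
        fastcgi_pass_request_body off;                # the body is not needed
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Without the Set-Cookie relay every request would be a fresh OTP check, and a one-time code cannot be presented twice.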