Score:0

How to give the web server user read permission to the /etc/shadow file?


I would like a local Linux user to be able to authenticate (log in) using the Nginx PAM module. I am using a CentOS 7 server. Specifically, the below is what I am trying to do...

The README for the ngx http auth pam module says:

Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the pam_unix.so module to authenticate users you need to let the web server user read the /etc/shadow file, if that does not scare you (on Debian-like systems you can add the www-data user to the shadow group).

My first question: in this case, is 'nginx' the web server user? My second question: how can I set the permissions so that the web server user can read the /etc/shadow file? Can someone please provide me with steps that have worked for them? I have followed along with many tutorials that I have found online, but without success. Currently, when accessing the site that I want a local Linux user to be able to log into, I do get an authentication prompt (to enter the username and password), but when I enter the credentials of a local Linux user it is without success, and it just prompts me to enter them again.

Thank you, any help is appreciated and I can give more information if needed.

Edit:

I have configured PAM in nginx by first building nginx from source using the steps here. In my nginx.conf file I have added the following line towards the top to include the PAM module...

load_module /etc/nginx/modules/ngx_http_auth_pam_module.so;

I have also included the two lines below in my location directive in the nginx.conf...

auth_pam "Secure area";
auth_pam_service_name "nginx";

In the nginx service file in the '/etc/pam.d' directory I have the following two lines...

# /etc/pam.d/nginx
# A bare module name resolves against the architecture's PAM module directory
# (/usr/lib64/security on CentOS 7 x86_64); a hard-coded /usr/lib/security path
# does not exist there and the module would fail to load.
auth    required    pam_unix.so
account required    pam_unix.so

Looking at the README for the ngx http auth pam module I see that I would have to give the web server user read permission to the /etc/shadow file. To do this I first created a new group called 'shadow'. I then assigned the web server user (which I am assuming is nginx) to the 'shadow' group. I then changed the permissions for the /etc/shadow file. The commands that I ran to do this are below...

groupadd shadow
usermod -a -G shadow nginx
chown root:shadow /etc/shadow
chmod g+r /etc/shadow

After doing this I checked the permissions for the /etc/shadow file using the command

ls -l /etc/shadow

and this is what the output was...

----r-----. 1 root shadow 1390 Aug 30 12:51 /etc/shadow

I also set a password for the nginx user. And just to reiterate, upon accessing the site that I want to have authentication, when I enter the nginx username and password it just prompts me to enter them again.
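The two things the question asks for, as an added example (this is not code from the original post, nor from the ngx_http_auth_pam_module README): a small POSIX shell script that determines which user the nginx worker processes run as and decides, from the mode bits, whether that user can read /etc/shadow. Two assumptions are mine: CentOS 7 tooling (GNU stat, util-linux runuser), and nginx's compiled-in default worker user of nobody when neither a `user` directive in nginx.conf nor --user= at configure time names one (the CentOS packages configure --user=nginx; a from-source build does not). The master process always runs as root; only the workers, which handle requests and therefore run the PAM conversation, use the `user` directive. The sample values used below mirror the question's own ls -l output and the 'shadow' group the poster created. The script checks DAC bits only; with SELinux enforcing on CentOS 7 a read that the mode bits permit can still be denied, which is why the live check ends by actually reading the file as that user.

```shell
#!/bin/sh
# Added example, not from the original question or from ngx_http_auth_pam_module.
# Answers: which user the nginx workers run as, and whether that user can read
# /etc/shadow under the DAC permission bits. Assumes CentOS 7 (GNU stat,
# util-linux runuser). Sample inputs are constructed from the question's output.

# nginx_worker_user [nginx.conf]
# Prints the user the worker processes run as: the value of the `user`
# directive if present (first match, commented lines ignored), otherwise
# "nobody", nginx's compiled-in default for a from-source build without
# --user=. The master process is root regardless. Reads stdin when no file
# argument is given.
nginx_worker_user() {
    u=$(sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^[:space:];]\{1,\}\).*/\1/p' ${1:+"$1"} | head -n 1)
    printf '%s\n' "${u:-nobody}"
}

# perm_allows_read MODE OWNER GROUP USER "GROUPS"
# MODE is the 10-character mode string from `ls -l` or `stat -c %A`
# (e.g. ----r-----); GROUPS is the user's group list as printed by `id -Gn`.
# Usual DAC rules: root bypasses them; the owner class applies if the user owns
# the file, else the group class if the file's group is one of the user's
# groups, else the "other" class. Returns 0 if readable, 1 otherwise.
perm_allows_read() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        case $mode in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $ugroups; do
        if [ "$g" = "$group" ]; then
            case $mode in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case $mode in ???????r*) return 0 ;; *) return 1 ;; esac
}

# check_live [nginx.conf]
# Runs the same decision against the real server, then does the definitive
# test: read the file as that user. DAC allowing the read is not the whole
# story on CentOS 7: with SELinux enforcing, a denied read leaves an AVC
# record, so look there when the mode bits say yes but the read still fails.
check_live() {
    conf=${1:-/etc/nginx/nginx.conf}
    user=$(nginx_worker_user "$conf")
    mode=$(stat -c %A /etc/shadow)
    owner=$(stat -c %U /etc/shadow)
    group=$(stat -c %G /etc/shadow)
    ugroups=$(id -Gn "$user")
    echo "worker user: $user (groups: $ugroups); /etc/shadow is $mode $owner:$group"
    if perm_allows_read "$mode" "$owner" "$group" "$user" "$ugroups"; then
        echo "DAC: read allowed"
    else
        echo "DAC: read denied"
    fi
    # runuser -u runs the command directly, so a /sbin/nologin shell does not matter.
    if runuser -u "$user" -- cat /etc/shadow >/dev/null 2>&1; then
        echo "actual read as $user: OK"
    else
        echo "actual read as $user: FAILED (if DAC allowed it, check: ausearch -m avc -ts recent)"
        return 1
    fi
}

# Only touch the live system when asked to:  sh check_shadow.sh --live [nginx.conf]
case ${1-} in --live) check_live "${2-}" ;; esac
```

Run it on the server with --live to get the worker user from the running configuration and an authoritative yes/no; without arguments it only defines the functions, so it can be sourced and tested with constructed values.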

Hey @Nebek, you could further polish up this question by providing the exact details of how you have configured PAM (e.g. the files you have added/configured in `/etc/pam.d/nginx*`), as this would allow answering the question of why access has not been granted.
Score:0

I guess you already installed nginx-module-auth-pam as well as configured /etc/pam.d/nginx.

If not: install the rpm file, as everything will be configured for you. In other words: you don't have to manually tweak /etc/shadow access settings. In fact you must not tweak /etc/shadow if you are using PAM. This file contains the (hashed) passwords for your users, so in addition you don't want to grant any process or program (except PAM) or user (except root) access to this file, for security reasons.

In case you have a subscription:

yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install nginx-module-auth-pam

If not: grab or build from https://github.com/jfut/nginx-module-auth-pam-rpm

Why not answer only your question? Because the examples you brought are for Debian-like systems, but the way to configure it is slightly different for Red Hat-like systems such as CentOS 7.

You will find additional configuration examples for this module in GitHub.

Please also check https://nginx-extras.getpagespeed.com/ for additional configuration examples.

Nebek
Hi @Lutz Willek, can you provide me with the steps on how to grab and build the nginx-module-auth-pam rpm, and tell me if there are any other steps that I need to take? Thank you!
Already provided in my answer. Download: https://github.com/jfut/nginx-module-auth-pam-rpm/releases and Readme https://github.com/jfut/nginx-module-auth-pam-rpm/blob/master/README.md