Score:0

Reverse proxy to direct different users to corresponding locations

kyb

I have a server. One of its functions is SyncThing. This app has no per-user authorization, only admin. So I decided to run different Syncthing instances for each user.

For the authorization process I would like to use Unix user names and passwords (from /etc/passwd).

I imagine using nginx as the reverse proxy and authorization verifier. Could you please verify my idea and help me with examples?

Sample services layout:

  • Syncthing user1 listens on 127.0.0.1:8384
  • Syncthing user2 listens on 127.0.0.1:8385
  • Syncthing user3 listens on 127.0.0.1:8386
  • Nginx (or other) listens on all interfaces including IPv6 on default HTTPS port 0.0.0.0:433

Address would be https://synxrage.local/syncthing. Port must never appear in URLs.

Depending on the successfully authorized user, the proxy directs to a different internal port and the user sees his admin panel.

vidarlo
Does this answer your question? [How can I forward requests from my web server?](https://serverfault.com/questions/1035016/how-can-i-forward-requests-from-my-web-server)
@vidarlo not really. The actual problem (use different backends for different authenticated users) is not addressed there. I don't know if that is even possible.
[this ticket](https://trac.nginx.org/nginx/ticket/439) suggests the [`$remote_user` variable](http://nginx.org/en/docs/http/ngx_http_core_module.html#var_remote_user). It should be possible to use this to define the backend server to use.
kyb
Thank you guys for the comments.
Score:1

Okay, this nagged me and it was actually quite easy using the $remote_user variable.

To enable PAM auth you need to do some things:

Install nginx-extras:

```bash
sudo apt -y install nginx-extras
```

Create /etc/pam.d/nginx and add the following content:

```
auth       include      common-auth
account    include      common-account
```

Allow nginx to read the shadow file:

```bash
sudo usermod -aG shadow www-data
```

Instructions found here.

Now you can configure nginx:

```nginx
# configure one upstream per user
# give it the name of the user that logs in

upstream usera {
    server localhost:8384;
}

upstream userb {
    server localhost:8385;
}

upstream userc {
    server localhost:8386;
}

# now configure the actual reverse proxy

server {
    listen 80 default_server;

    location / {
        # add pam authentication
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";

        # configure reverse proxy to connect to the per-user backend
        proxy_pass http://$remote_user;
    }
}
```
kyb
Is there a way to manage upstreams dynamically? I mean adding or removing users depending on a changing user list at runtime. I am even thinking of UID-based math: UID-1000+8384, where UID is the Linux user ID. The first user usually has ID 1000.
kyb
Big thank you!!
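
For the follow-up comment about deriving backends from the user list, here is an added example (not part of the original answer and not nginx's own tooling) that builds an nginx `map` from `/etc/passwd`-format input using the commenter's UID-1000+8384 rule. The `$syncthing_port` variable name, the `MAX_USERS` cap and the sample accounts are assumptions made for illustration; only regular login accounts with config-safe names get a backend, so other accounts that pass PAM map to nothing.

```python
import re

BASE_UID = 1000    # first regular user, as in the comment above
BASE_PORT = 8384   # Syncthing GUI port assigned to that first user
MAX_USERS = 100    # assumption: size of the port range handed out
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # safe to write into config
NOLOGIN = ("/nologin", "/false")

# Constructed sample in /etc/passwd format (not from the page)
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
usera:x:1000:1000::/home/usera:/bin/bash
userb:x:1001:1001::/home/userb:/bin/bash
userc:x:1002:1002::/home/userc:/bin/zsh
svc:x:1003:1003::/home/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

def user_ports(passwd_text):
    """Return {username: port} for regular login accounts only."""
    ports = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            continue  # malformed line
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        offset = uid - BASE_UID
        if not 0 <= offset < MAX_USERS:
            continue  # system accounts, nobody (65534), out of range
        if shell.endswith(NOLOGIN) or not NAME_RE.fullmatch(name):
            continue  # cannot log in, or name unsafe to emit
        ports[name] = BASE_PORT + offset
    return ports

def render_map(ports):
    """Render an nginx map block: $remote_user -> $syncthing_port."""
    lines = ["map $remote_user $syncthing_port {", '    default "";']
    lines += [f'    "{name}" {port};' for name, port in sorted(ports.items())]
    lines.append("}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_map(user_ports(SAMPLE)), end="")
```

Load the output in the `http` context and proxy with `proxy_pass http://127.0.0.1:$syncthing_port;`, returning 403 when the variable is empty; rerun the script and reload nginx whenever the user list changes.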