I wrote:
> I have an application (currently a separate Python daemon
> that shares a Redis database with the NGINX/Lua server) that
> uses IDENT (RFC 1413; https://www.ietf.org/rfc/rfc1413.txt)
> to authenticate incoming requests to change database
> entries. I want to integrate the functionality of this Python
> daemon in the NGINX/Lua server.
> Before I maybe duplicate some existing work: Has someone
> implemented this already, i.e. a function that for the
> current incoming request returns either the username as
> reported by the remote identd server or signals some error?
As I am developing for a narrow range of hosts, I did not do
anything fancy but:
| -- Access for other methods is restricted to the referenced tool, so
| -- query ident server.
| local sock = ngx.socket.tcp()
| sock:settimeout(5000)
| local ok, err = sock:connect(ngx.var.remote_addr, 113)
| if not ok then
|     ngx.log(ngx.ERR, 'Failed to connect to ident server on ', ngx.var.remote_addr, ': ', err)
|     ngx.exit(ngx.HTTP_UNAUTHORIZED)
| end
| -- Query: port on the requesting host, then port on this server.
| sock:send(ngx.var.remote_port .. ',' .. ngx.var.server_port .. '\r\n')
| local line, err, partial = sock:receive()
| sock:close()
| if not line then
|     ngx.log(ngx.ERR, 'Failed to receive response from ident server on ', ngx.var.remote_addr, ': ', err)
|     ngx.exit(ngx.HTTP_UNAUTHORIZED)
| end
| -- Exact string comparison against the one reply format expected from pidentd.
| if line ~= ngx.var.remote_port .. ' , ' .. ngx.var.server_port .. ' : USERID : UNIX , UTF-8 :' .. ngx.var.proxymanager_labsproject_prefix .. toolname then
|     ngx.log(ngx.ERR, 'Unauthorized attempt for ', toolname, ': ', line)
|     ngx.exit(ngx.HTTP_UNAUTHORIZED)
| end
In the real world, there may be arbitrary white space, and
if some server encodes the username in EBCDIC just because
RFC 1413 allows it, it would fail, but as I'm only speaking
to pidentd on two Ubuntu releases, this did not warrant
deeper digging.
Tim
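
As an added example (not part of the original post and not the poster's code): a reply parser that accepts the optional white space RFC 1413 permits around tokens and rejects a charset it cannot compare instead of mis-reading it. The function names, the UNIX-only restriction and the sample replies are assumptions made for this illustration.

```lua
-- Added example. Parses one RFC 1413 reply line (CR/LF already stripped,
-- as sock:receive() does in line mode). Plain Lua, no ngx dependency.
local function trim(s)
    return s:match('^[ \t]*(.-)[ \t]*$')
end

-- Returns the user id string, or nil plus a reason.
local function parse_ident_reply(line, remote_port, server_port)
    -- Take the first two colon-separated fields; the remainder is split later
    -- because everything after the opsys field's colon belongs to the user id.
    local ports, kind, rest = line:match('^([^:]*):([^:]*):(.*)$')
    if not ports then return nil, 'malformed reply' end

    local p1, p2 = ports:match('^[ \t]*(%d+)[ \t]*,[ \t]*(%d+)[ \t]*$')
    if not p1 then return nil, 'malformed port pair' end
    if tonumber(p1) ~= tonumber(remote_port)
       or tonumber(p2) ~= tonumber(server_port) then
        return nil, 'reply is for a different connection'
    end

    kind = trim(kind)
    if kind == 'ERROR' then return nil, 'ident error: ' .. trim(rest) end
    if kind ~= 'USERID' then return nil, 'unknown reply type' end

    local opsys_field, userid = rest:match('^([^:]*):(.*)$')
    if not opsys_field or userid == '' then return nil, 'missing user id' end

    -- "<opsys> [, <charset>]"; RFC 1413 assumes US-ASCII when charset is absent.
    local opsys, charset = opsys_field:match('^([^,]*),(.*)$')
    if not opsys then opsys, charset = opsys_field, 'US-ASCII' end
    opsys, charset = trim(opsys), trim(charset):upper()
    -- Assumption for this example: only UNIX user names are meaningful here.
    if opsys ~= 'UNIX' then return nil, 'unsupported opsys: ' .. opsys end
    -- Reject charsets that cannot be compared byte-for-byte instead of guessing.
    if charset ~= 'US-ASCII' and charset ~= 'UTF-8' then
        return nil, 'unsupported charset: ' .. charset
    end
    return userid
end

-- Constructed sample replies (the user name "tools.example" is made up).
assert(parse_ident_reply('40000 , 80 : USERID : UNIX , UTF-8 :tools.example', 40000, 80) == 'tools.example')
assert(parse_ident_reply(' 40000,80:USERID:UNIX:tools.example', '40000', '80') == 'tools.example')
assert(parse_ident_reply('40000 , 80 : ERROR : NO-USER', 40000, 80) == nil)
assert(parse_ident_reply('40001 , 80 : USERID : UNIX :tools.example', 40000, 80) == nil)
assert(parse_ident_reply('40000 , 80 : USERID : UNIX , EBCDIC :x', 40000, 80) == nil)
```

The returned user id is left untrimmed because RFC 1413 treats everything after the opsys field's colon as part of it, so the caller compares it exactly against the expected name.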