http-auth-spnego #

Nginx module for HTTP SPNEGO auth

Source: upstream source

Directives

auth_gss #

syntax: auth_gss on | off (on/off flag);

on/off, for ease of unsecuring while leaving other options in

auth_gss_allow_basic_fallback #

syntax: auth_gss_allow_basic_fallback on | off (on/off flag);

This is done by setting auth_gss_allow_basic_fallback in the config file. auth_gss_allow_basic_fallback off These options affect the operation of basic authentication: * auth_gss_realm: Kerberos realm name.

auth_gss_authorized_principal #

syntax: auth_gss_authorized_principal on | off (list of strings);

a principal name as a string, e.g. alice@EXAMPLE.COM.

auth_gss_authorized_principal_regex #

syntax: auth_gss_authorized_principal_regex on | off;

a regex to match against, e.g.

auth_gss_constrained_delegation #

syntax: auth_gss_constrained_delegation on | off (on/off flag);

Constrained delegation (S4U2proxy) can also be enabled using the auth_gss_constrained_delegation directive together with the auth_gss_delegate_credentials directive.

auth_gss_delegate_credentials #

syntax: auth_gss_delegate_credentials on | off (on/off flag);

Credential Delegation ----------------------------- User credentials can be delegated to nginx using the auth_gss_delegate_credentials directive.

auth_gss_force_realm #

syntax: auth_gss_force_realm on | off (on/off flag);

Forcibly authenticate using the realm configured in

auth_gss_format_full #

syntax: auth_gss_format_full on | off (on/off flag);

To override this behavior, set auth_gss_format_full to on in your configuration.

auth_gss_keytab #

syntax: auth_gss_keytab on | off (string);

absolute path to the keytab file containing service

auth_gss_map_to_local #

syntax: auth_gss_map_to_local on | off (on/off flag);

If you would like to enable GSS local name rules to rewrite usernames, you can specify the auth_gss_map_to_local option.

auth_gss_realm #

syntax: auth_gss_realm on | off (string);

Kerberos realm name. In most deployments this should not

auth_gss_service_ccache #

syntax: auth_gss_service_ccache on | off (string);

To specify the ccache file name to store the service ticket used for constrained delegation, set the auth_gss_service_ccache directive.

auth_gss_service_name #

syntax: auth_gss_service_name on | off (string);

service principal name to use when acquiring

auth_gss_zone_name #

syntax: auth_gss_zone_name 1 arg (string);  ·  context: http

Stores a single string value.

Example

location /secure/ {
    auth_gss              on;
    auth_gss_realm        EXAMPLE.COM;
    auth_gss_keytab       /etc/krb5.keytab;
    auth_gss_service_name HTTP/nginx.example.com;
    auth_gss_allow_basic_fallback on;
}

↑ back to index