Module ngx_mail_auth_http_module
Directives
| Syntax: | auth_http URL; |
| Default: | — |
| Context: | mail , server |
设置 HTTP 认证服务器的 URL。协议描述为below。
| Syntax: | auth_http_header header value; |
| Default: | — |
| Context: | mail , server |
将指定的 Headers 附加到发送到身份验证服务器的请求。此 Headers 可以用作共享密钥,以验证请求是否来自 nginx。例如:
auth_http_header X-Auth-Key "secret_string";
| Syntax: | auth_http_pass_client_cert on | off; |
| Default: | auth_http_pass_client_cert off; |
| Context: | mail , server |
该指令出现在 1.7.11 版本中。
将“ Auth-SSL-Cert”Headers 和client证书以 PEM 格式(编码)附加到发送到身份验证服务器的请求。
| Syntax: | auth_http_timeout time; |
| Default: | auth_http_timeout 60s; |
| Context: | mail , server |
设置与认证服务器通信的超时时间。
Protocol
HTTP 协议用于与身份验证服务器进行通信。响应主体中的数据将被忽略,信息仅在 Headers 中传递。
请求和响应的示例:
Request:
GET /auth HTTP/1.0
Host: localhost
Auth-Method: plain # plain/apop/cram-md5/external
Auth-User: user
Auth-Pass: password
Auth-Protocol: imap # imap/pop3/smtp
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
Good response:
HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: 198.51.100.1
Auth-Port: 143
Bad response:
HTTP/1.0 200 OK
Auth-Status: Invalid login or password
Auth-Wait: 3
如果没有“ Auth-Wait”Headers,则将返回错误并关闭连接。当前实现为每次身份验证尝试分配内存。仅在会话结束时才释放内存。因此,必须限制单个会话中无效身份验证尝试的次数-服务器必须在 10-20 次尝试后不使用“ Auth-Wait”Headers 进行响应(尝试次数在“ Auth-Login-Attempt”Headers 中传递) 。
使用 APOP 或 CRAM-MD5 时,请求-响应如下所示:
GET /auth HTTP/1.0
Host: localhost
Auth-Method: apop
Auth-User: user
Auth-Salt: <[email protected]>
Auth-Pass: auth_response
Auth-Protocol: imap
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
Good response:
HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: 198.51.100.1
Auth-Port: 143
Auth-Pass: plain-text-pass
如果响应中存在“ Auth-User”Headers,则它将覆盖用于与后端进行身份验证的用户名。
对于 SMTP,响应还考虑了“ Auth-Error-Code”Headers-如果存在,则在出现错误时用作响应代码。否则,会将 535 5.7.0 代码添加到“身份验证”标题中。
例如,如果从身份验证服务器收到以下响应:
HTTP/1.0 200 OK
Auth-Status: Temporary server problem, try again later
Auth-Error-Code: 451 4.3.0
Auth-Wait: 3
则 SMTP 客户端将收到一个错误
451 4.3.0 Temporary server problem, try again later
如果代理 SMTP 不需要身份验证,则请求将如下所示:
GET /auth HTTP/1.0
Host: localhost
Auth-Method: none
Auth-User:
Auth-Pass:
Auth-Protocol: smtp
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
Auth-SMTP-Helo: client.example.org
Auth-SMTP-From: MAIL FROM: <>
Auth-SMTP-To: RCPT TO: <[email protected]>
对于 SSL/TLS 客户端连接(1.7.11),添加了“ Auth-SSL”Headers,并且如果enabled:“ SUCCESS”,“ FAILED: reason,则“ Auth-SSL-Verify”将包含客户端证书验证的结果。 ”和“ NONE”(如果不存在证书)。
Note
在 1.11.7 版之前,“ FAILED”结果不包含reason字符串。
存在客户端证书时,其详细信息将在以下请求 Headers 中传递:“ Auth-SSL-Subject”,“ Auth-SSL-Issuer”,“ Auth-SSL-Serial”和“ Auth-SSL-Fingerprint”。如果启用了auth_http_pass_client_cert,则证书本身将在“ Auth-SSL-Cert”Headers 中传递。该请求将如下所示:
GET /auth HTTP/1.0
Host: localhost
Auth-Method: plain
Auth-User: user
Auth-Pass: password
Auth-Protocol: imap
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Auth-SSL: on
Auth-SSL-Verify: SUCCESS
Auth-SSL-Subject: /CN=example.com
Auth-SSL-Issuer: /CN=example.com
Auth-SSL-Serial: C07AD56B846B5BFF
Auth-SSL-Fingerprint: 29d6a80a123d13355ed16b4b04605e29cb55a5ad
