unrestricted access for specific domain

Peter Schober peter.schober at univie.ac.at
Fri Nov 2 13:12:58 EDT 2018


* Cantor, Scott <cantor.2 at osu.edu> [2018-11-02 17:56]:
> If the source code existed, yes. I didn't get far enough into it to
> see how much work it would take, but I also saw a lot of references
> to people doing things where the nginx author would say "don't do
> that" so I couldn't tell how well defined its API even was.

OK...

> I don't think the authorizer support in FastCGI is part of nginx
> even now.

FWIW, I was just going by what was mentioned on
https://github.com/nginx-shib/nginx-http-shibboleth
and there's nothing about having to patch Nginx for FastCGI authorizer
support anymore.

> And the thing I found online that uses FastCGI apparently does it in
> a very weird way that re-introduces the risk of using headers into
> the equation, so it was all a bit of a mess from what I could
> see. It wasn't "just making FastCGI work", but some kind of weird
> reuse of the FastCGI code to implement the support back within nginx
> by doing some kind of subrequest hack that the nginx author told
> that guy he shouldn't do.

In case you're referring to
https://github.com/nginx-shib/nginx-http-shibboleth#configuration
it seems there are multiple methods, one of which can be used with
environment variables (while others would rely on request headers) but
all of them seem to use subrequests.

> I stopped looking at that, and then went and looked at the module
> option, and then that seemed to be impractical as a core deliverable
> since I'm not going to be packaging nginx and it stopped looking
> like a great use of my time.

ACK

Thanks for explaining.
-peter

