This is a CAS client written entirely using nginx's lua module. It is similar to apache mod_auth_cas.
apt install libnginx-mod-http-lua
or
yum install nginx-mod-http-lua
# Install the Lua sources that nginx will load: lua-resty-http (HTTP client
# used by the CAS module) under resty/, then cas.lua and its configuration.
#
# NOTE(review): every URL below tracks the `master` branch, so the code that
# ends up handling authentication can change between two installs. For a
# reproducible deployment, replace `master` with a commit you have reviewed
# (<REVIEWED_COMMIT_SHA>) and compare the downloaded files against checksums
# recorded at review time before reloading nginx.
# NOTE(review): keep the resulting files root-owned and not writable by the
# nginx worker user; they run on every protected request.
mkdir -p /etc/nginx/lua/resty
cd /etc/nginx/lua/resty/
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http_headers.lua
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http_connect.lua
wget https://raw.githubusercontent.com/ledgetech/lua-resty-http/master/lib/resty/http.lua
# CAS client module and its site-wide settings go one level up, in /etc/nginx/lua/.
cd /etc/nginx/lua/
wget https://raw.githubusercontent.com/prigaux/nginx-auth-cas-lua/master/src/cas.lua
wget https://raw.githubusercontent.com/prigaux/nginx-auth-cas-lua/master/src/global_cas_conf.lua
Set `cas_uri` in /etc/nginx/lua/global_cas_conf.lua
# needed for resty.http
# DNS server nginx uses to resolve host names at request time (Lua cosockets
# do not use the system resolver).
# NOTE(review): 8.8.8.8 is a public resolver queried over plain DNS. The CAS
# server name is resolved through it, so prefer a resolver on a trusted local
# network; TLS verification of the CAS connection is what protects against a
# spoofed answer — confirm cas.lua leaves certificate verification enabled.
resolver 8.8.8.8;
# CA bundle used to verify server certificates on Lua TLS connections.
# The path shown is the Debian/Ubuntu bundle; RHEL-family systems typically
# use /etc/pki/tls/certs/ca-bundle.crt.
# NOTE(review): lua_ssl_verify_depth defaults to 1; a CAS certificate issued
# through intermediate CAs may need a larger value.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# Lets require('cas') and require('resty.http') find the files installed under
# /etc/nginx/lua/; the trailing ';;' keeps the default search path.
lua_package_path '/etc/nginx/lua/?.lua;;';
# Shared-memory zone named cas_store, 10 MB, visible to all worker processes.
# Presumably where cas.lua keeps its session data — confirm in cas.lua.
# lua_package_path and lua_shared_dict are only valid in the http context.
lua_shared_dict cas_store 10M;
# Protect a reverse-proxied application: every request under /secured goes
# through the CAS check before it is forwarded.
# NOTE(review): only this location is covered. Any other location (or server
# block) that reaches the same backend needs its own access_by_lua_block, and
# the backend should not be reachable by clients directly.
location /secured {
# Runs in nginx's access phase, i.e. before the content handler (proxy_pass).
# forceAuthentication() is expected to stop unauthenticated requests here —
# presumably by redirecting to the CAS login; confirm in cas.lua.
access_by_lua_block { require('cas').forceAuthentication() }
proxy_pass ...;
...
}
NB: `access_by_lua_block` must be before `proxy_pass`
# Protect a FastCGI application and hand it the authenticated user name.
location /secured {
# CAS check in the access phase, before the request is passed to FastCGI.
access_by_lua_block { require('cas').forceAuthentication() }
fastcgi_pass ...;
# $http_remote_user is the value of a *request header* (Remote-User in
# nginx's $http_ naming), not a value nginx computed itself.
# NOTE(review): this is only trustworthy if cas.lua overwrites that header on
# every request that reaches fastcgi_pass — presumably it does after a
# successful login; confirm in cas.lua. Wherever the Lua check is skipped,
# the client-supplied header would be passed through as REMOTE_USER.
fastcgi_param REMOTE_USER $http_remote_user;
...
}
pgtIou
, or use
# Skip the CAS check for requests coming from the CAS servers themselves, so
# their proxy-granting-ticket callback can reach the backend.
# NOTE(review): for the matching addresses this is a full authentication
# bypass: access_by_lua_block does not run, so nothing sets or clears the
# Remote-User header. The backend must not treat REMOTE_USER as authenticated
# on these requests; consider limiting the exemption to the callback path
# only.
# NOTE(review): $remote_addr is the TCP peer address unless the realip module
# rewrites it. Behind a load balancer, check that set_real_ip_from trusts only
# that balancer, otherwise a forwarded-address header could select this branch.
if ($remote_addr !~ "^192[.]168[.]1[.](56|57)$") { # if request is from CAS, let it go to the backend unauthenticated (needed for pgtIOU)
access_by_lua_block { require('cas').forceAuthentication() }
}