wandenberg / nginx-push-stream-module

A pure stream http push technology for your Nginx setup. Comet made easy and really scalable.

How to authorize #156

Closed misiek08 closed 9 years ago

misiek08 commented 10 years ago

Can I authorize all types of requests by backend? I mean using auth_request or something similar. Will it work with eventsource and websockets? I will be able to test it at the weekend, but I want to ask you first, because you may already have a solution.

wandenberg commented 9 years ago

All work of authentication and authorization must be done before forwarding the request to the push stream module. It can be done through other nginx modules or by another app, which then redirects to the location where the module is configured.

kovkev commented 4 years ago

I'm confused on this. Let's say Android device A wants to get Chat Messages sent to user U. It will stream consume the messages from myserver.com/messageTo/U ? How do we ensure that the right device A is consuming messages from myserver.com/messageTo/U ? Is it possible to have some token passed to the server to authenticate?

wandenberg commented 4 years ago

Hi @kovkev, yes, but not on the module. The module does not take part in authentication/authorization. You should use other modules for that. For instance, Nginx has the secure link module. With it, you can ensure that only the person with a token can access a URL (a channel), and to access this token the user needs to access your application first in some way, to be authenticated and receive the URL. This is the easiest and fastest way I can think of ;)
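
The secure link approach from the comment above, as an added example (not code from this thread or from the module's project): the application hands an authenticated user a short-lived signed channel URL, and nginx checks the token before the request reaches the push stream location. The `/sub/` location, the `md5`/`expires` argument names and the secret are assumptions; the matching nginx directives are in the leading comment.

```python
import base64
import hashlib
import hmac
import re
import time

# Assumed nginx side (ngx_http_secure_link_module; location and secret are placeholders):
#   location ~ ^/sub/(?<channel>[\w-]+)$ {
#       secure_link     $arg_md5,$arg_expires;
#       secure_link_md5 "$secure_link_expires$uri PLACEHOLDER_SECRET";
#       if ($secure_link = "")  { return 403; }   # missing or wrong token
#       if ($secure_link = "0") { return 410; }   # token expired
#       push_stream_subscriber;
#       push_stream_channels_path $channel;
#   }
SECRET = "PLACEHOLDER_SECRET"  # constructed value; must match the nginx config


def sign(expires, uri, secret=SECRET):
    """Unpadded base64url of the raw MD5 digest, as secure_link_md5 expects."""
    digest = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def channel_url(user_id, ttl=300, now=None):
    """Issued by the application only after it has authenticated user_id."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user_id):
        raise ValueError("channel id must not need URL escaping")
    expires = int(time.time() if now is None else now) + ttl
    uri = f"/sub/{user_id}"
    return f"{uri}?md5={sign(expires, uri)}&expires={expires}"


def secure_link(url, now, secret=SECRET):
    """Mirror of nginx's $secure_link: "" bad token, "0" expired, "1" valid."""
    uri, _, query = url.partition("?")
    args = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(args.get("expires", ""))
    except ValueError:
        return ""
    expected = sign(expires, uri, secret).encode()
    if not hmac.compare_digest(args.get("md5", "").encode(), expected):
        return ""
    return "1" if now <= expires else "0"
```

Because `$uri` is part of the signed string, a token issued for one channel does not validate on another, and the expiry bounds how long a leaked URL stays usable.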

paulosouzainfo commented 1 year ago

Maybe you need to understand the "auth request module" and "nginx rewrites". Everybody can configure auth_requests for publishing and subscribing to any routes just by making the Push Stream routes internal and configuring other routes, without X-Accel-Redirect or a reverse proxy (this does not run anyway), and configure the routes as needed by writing an Nginx rewrite rule like this...

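```nginx
# Publisher endpoint; the channel id comes from the ?id= query argument
location /publisher {
    auth_request /auth;
    push_stream_publisher admin;
    push_stream_channels_path $arg_id;
}

# Public entry point for subscribers
location /protected-routes {
    auth_request /auth;
    # Value of the Auth-Request-Routes header in the /auth response
    auth_request_set $routes_to_access $upstream_http_auth_request_routes;

    rewrite /protected-routes /subscriber/$routes_to_access;
}

# Not reachable directly by clients, only through internal redirects
location ~ /subscriber/(.*) {
    internal;

    push_stream_subscriber;
    push_stream_channels_path $1;
}

# Subrequest target for auth_request; the request body is not forwarded
location = /auth {
    proxy_pass https://your.authentication.route;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
```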

In my opinion, this is the best way to prevent unauthorized access to routes, and you decide which routes clients really need.

The clients can't see anything about your business, and everybody connects only to what you need.

sunnychun commented 1 year ago

Your message has been received; I will reply to you as soon as possible.

hunnomad commented 11 months ago

Hi,

Has there been any progress on this topic? I would like to actively use the Push module, but the security is a bit of a concern.

sunnychun commented 11 months ago

Your message has been received; I will reply to you as soon as possible.

wandenberg commented 11 months ago

Hi @hunnomad, what is the issue you are facing with authentication? As you can see in previous comments, it can be done in different ways outside of the module. If needed I can try to help you with the setup if you explain what your issue is. ;)