Closed misiek08 closed 9 years ago
All authentication and authorization work must be done before forwarding the request to the push stream module. It can be done through other nginx modules or by another app, which then redirects to the location where the module is configured.
I'm confused on this. Let's say Android device A wants to get Chat Messages sent to user U. It will stream consume the messages from myserver.com/messageTo/U ? How do we ensure that the right device A is consuming messages from myserver.com/messageTo/U ? Is it possible to have some token passed to the server to authenticate?
Hi @kovkev, yes, but not in the module. The module does not take part in authentication/authorization. You should use other modules for that. For instance, Nginx has the secure link module. With it, you can ensure that only a person with a token can access a URL (a channel), and to get this token the user needs to access your application first in some way, to be authenticated and receive the URL. This is the easiest and fastest way I can think of ;)
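The secure link approach mentioned above, as an added example that is not part of the original thread or the module's own code: the application signs a channel URL after authenticating the user, and `check` mirrors the decision nginx's `secure_link_md5` makes. The `/sub/` location, the `md5`/`expires` argument names, the secret and the nginx fragment in the comments are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import time

# Assumed nginx side (constructed for this example, not from the thread):
#   location ~ ^/sub/(.+)$ {
#       secure_link $arg_md5,$arg_expires;
#       secure_link_md5 "$secure_link_expires$uri SECRET";
#       if ($secure_link = "")  { return 403; }   # missing or wrong token
#       if ($secure_link = "0") { return 410; }   # token expired
#       push_stream_subscriber;
#       push_stream_channels_path $1;
#   }
SECRET = "change-me"  # placeholder; must equal SECRET in secure_link_md5


def _token(expires: int, uri: str, secret: str) -> str:
    # nginx expects base64url(md5(expression)) with the '=' padding removed.
    digest = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def _now(now):
    return int(time.time() if now is None else now)


def sign_channel_url(channel: str, ttl: int, secret: str = SECRET, now=None) -> str:
    """Called by the application only after it has authenticated the user."""
    expires = _now(now) + ttl
    uri = f"/sub/{channel}"  # assumes a channel id that needs no URL escaping
    return f"{uri}?md5={_token(expires, uri, secret)}&expires={expires}"


def check(url: str, secret: str = SECRET, now=None) -> str:
    """Mirror of $secure_link: '' = reject, '0' = expired, '1' = accepted."""
    uri, _, query = url.partition("?")
    args = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(args["expires"])
    except (KeyError, ValueError):
        return ""
    expected = _token(expires, uri, secret).encode()
    if not hmac.compare_digest(args.get("md5", "").encode(), expected):
        return ""
    return "1" if expires >= _now(now) else "0"
```

Because the channel path is part of the hashed expression, a token issued for one channel is rejected on any other, and the `expires` value bounds how long a leaked URL stays usable.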
Maybe you need to understand the "auth request module" and "nginx rewrites". Anybody can configure auth_request for publishing and subscribing on any routes, just by making the Push Stream routes internal and configuring other routes, without X-Accel-Redirect or a reverse proxy (this does not run anyway), and set up the routes as needed by writing an Nginx rewrite rule like this...
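```nginx
# Publisher endpoint: every request is checked by the /auth subrequest first.
location /publisher {
    auth_request /auth;
    push_stream_publisher admin;
    push_stream_channels_path $arg_id;
}

# Public entry point for subscribers.
location /protected-routes {
    auth_request /auth;
    # Taken from the "Auth-Request-Routes" header of the /auth response.
    auth_request_set $routes_to_access $upstream_http_auth_request_routes;
    # Note: rewrite runs in nginx's rewrite phase, which comes before the
    # access phase in which auth_request runs and this variable is set.
    rewrite /protected-routes /subscriber/$routes_to_access;
}

# Not reachable directly by clients, only through internal redirects.
location ~ /subscriber/(.*) {
    internal;
    push_stream_subscriber;
    push_stream_channels_path $1;
}

# Auth subrequest target: forwards the request headers (no body) to the backend.
location = /auth {
    proxy_pass https://your.authentication.route;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
```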
In my opinion, this is the best way to prevent unauthorized access to routes, and you decide which routes the clients really need.
The clients can't see anything about your business, and everybody connects only to what you need.
Hi,
Has there been any progress on this topic? I would like to actively use the Push module, but the security is a bit of a concern.
Hi @hunnomad, what is the issue you are facing with authentication? As you can see in the previous comments, it can be done in different ways outside of the module. If needed, I can try to help you with the setup if you explain what your issue is. ;)
Can I authorize all types of requests by the backend? I mean using auth_request or something similar. Will it work with eventsource and websockets? I will be able to test it at the weekend, but I want to ask you first, because you may already have a solution.