This is an authentication server, similar to htpasswd-auth-server or ldap-auth-server. All users are stored in a Postgresql table, and there's a web interface. Administrators can set user's passwords, and require a user to change their password on their next login. Users can change their own passwords.
I have a repo for automatically installing OpenResty + luarocks - https://github.com/jprjr/setup-openresty
git clone https://github.com/jprjr/setup-openresty /tmp/setup-openresty
/tmp/setup-openresty/setup-openresty --prefix=/opt/openrestyThis will install openresty at /opt/openresty. You can then add
/opt/openresty/bin to your PATH, or make make symlinks from
/usr/local/bin to the binaries/scripts at /opt/openresty/bin, whichever
you prefer.
In all my examples, I'll assume you've somehow added luarocks to your PATH.
You'll need libyaml-dev and postgresql installed
sudo apt-get install libyaml-dev postgresqlThen create a username, password, and database for postgres-auth-server. You should change the below example to have a better password.
sudo -u postgres psql -c "create user psql_auth with password 'psql_auth'"
sudo -u postgres psql -c "create database psql_auth with owner psql_auth"sudo luarocks install postgres-auth-serverAssuming you used the setup-openresty script, then you'll
find postgres-auth-server at /opt/openresty/bin/postgres-auth-server
Create a file at /etc/postgres-auth-server/config.yaml -- there's an example
config.yaml file in this repo. Edit as needed.
Move on down to the Usage section
You can setup postgres-auth-server to use its own lua_modules folder:
git clone https://github.com/jprjr/postgres-auth-server.git
postgres-auth-server
luarocks-openresty --tree=lua_modules make rockspecs/postgres-auth-server-dev-1.rockspec
Then launch with
./bin/postgres-auth-server
By default, ./bin/postgres-auth-server will just try to use lua - you can
specify a lua binary to run with -l (binary), ie:
./bin/postgres-auth-server -l /opt/openresty/bin/lua
The authentication endpoint for apps/nginx is /auth, ie:
http://127.0.0.1:8080/authhttp://192.168.1.50:8080/authhttp://192.168.1.50:8080/users/auth-- if setup withhttp_prefix: '/users'
Please look at the etc/config.yaml.example file for details on how to configure this.
In any examples, substiute postgres-auth-server with
./bin/posgres-auth-server if you went for the self-contained
installation.
postgres-auth-server help
Usage: postgres-auth-server [-c /path/to/config.yaml] <action>
Available actions:
add username -- interactively add user
admin username -- make user admin
unadmin username -- make user admin
change username -- require change for user
list -- list users
import /path/to/htpasswd -- import existing htpasswd file
run -- run server
check -- check config filePrompts for a username, password, whether the user should be an admin, and if the user should be forced to change their password at next login.
Makes (username) flagged as an admin user.
Removes admin status from a user.
Forces a password change at next login.
Lists usernames, admin status, password change required status
Imports an existing htpasswd file.
If a user already exists, postgres-auth-server prints
a warning message indicating as such.
If the htpasswd file contains an encryption method not supported by postgres-auth-server, the user is not imported and a message is printed.
Launches postgres-auth-server
Attempts to parse the config file and checks for errors. Also tests that the postgres credentials are valid.
MIT (see LICENSE)