auth-pam
Basic authentication against the system PAM stack
Overview
ngx_http_auth_pam_module implements HTTP basic authentication against PAM, the pluggable authentication framework used on Linux. Any PAM backend works, including local Unix accounts, LDAP, and custom pam_exec scripts.
nginx prompts the client for credentials and hands them to the configured PAM service for verification. The worker runs as an unprivileged user, so the PAM stack must authenticate without root: for local shadow passwords that means giving the nginx user read access to /etc/shadow.
The module is maintained by Sergio Talens-Oliag and has been packaged in Debian and Ubuntu for years.
Key directives
auth_pamSets the basic auth realm and turns on PAM authentication for a location, or disables it with off.auth_pam_service_nameSelects the PAM service file under /etc/pam.d to authenticate against, default nginx.auth_pam_set_pam_envExports HOST and REQUEST as PAM environment variables so pam_exec scripts can decide per request.Backend agnosticWorks with any PAM module, so the same nginx config can sit in front of Unix accounts, LDAP, or one-time passwords.Example
Availability
Ships as a dynamic module in libnginx-mod-http-auth-pam, installed automatically with nginx-extras. The package drops a load_module config into /etc/nginx/modules-enabled/, so it loads on start.