0

我正在尝试用更用户友好、更吸引人的东西来替换 http 基本身份验证,最重要的是,我的密码管理器可以自动填写这些内容,尤其是在手机上。

我从这个博客中复制了大部分内容,但这个例子使用了跨域 cookie。

所以我做了一些小的改动,使它与会话 cookie 一起工作。

这是我的示例文件:

/etc/nginx/nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
  worker_connections 1024;
  use epoll;
}


http {
  include mime.types;
  default_type application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;

  sendfile on;
  tcp_nopush on;

  keepalive_timeout 0;

  gzip on;

  server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;

    index index.php;

    root /var/www/secured;

    location / {
      auth_request /auth;
      try_files $uri $uri/ /index.php?$args;
    }

    location = /auth {
      internal;
      proxy_pass http://auth.example.com;
      proxy_pass_request_body off;
      proxy_set_header Content-Length "";
      proxy_set_header X-Original-URI $request_uri;
    }

    error_page 401 = @login;
    location @login {
      proxy_pass http://auth.example.com/?login&return=$http_host;
    }

    location = /logout {
      proxy_pass http://auth.example.com/?logout&return=$http_host;
    }

    location ~ \.php$ {
      fastcgi_pass 127.0.0.1:9000;
      include /etc/nginx/fastcgi.conf;
    }
  }

  server {
    listen 80;
    listen [::]:80;
    server_name auth.example.com;

    index index.php;

    root /var/www/auth;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
      fastcgi_pass 127.0.0.1:9000;
      include /etc/nginx/fastcgi.conf;
    }
  }
}

/var/www/auth/index.php

<?php
session_start();

if (!isset($_GET['login']) && !isset($_GET['logout'])) {
  if (isset($_SESSION['authorized']) && $_SESSION['authorized']) {
    http_response_code(200);
  } else {
    http_response_code(401);
  }
  die();
}

$error = "";
$loginUser = 'user';
$loginPass = 'pass';

$return = filter_input(INPUT_GET, 'return');

if (isset($_GET['logout'])) {
  session_destroy();
  if (!empty($return)) {
    header("Location: http://{$return}");
  }
  die();
}

if (isset($_POST['submit'])) {
  $postUser = filter_input(INPUT_POST, 'username');
  $postPass = filter_input(INPUT_POST, 'password');

  $_SESSION['authorized'] = ($postUser === $loginUser && $postPass === $loginPass);
  if (!$_SESSION['authorized']) {
    $error = "Invalid username or password.";
  } else if (!empty($return)) {
    header("Location: http://{$return}");
    die();
  }
}
?>

<!DOCTYPE html>
<html>
  <head>
    <title>Authentication</title>
    <meta http-equiv='content-type' content='text/html;charset=utf-8' />
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <link rel="icon" type="image/png" href="icon.png">

    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.5.3/css/bootstrap.min.css" crossorigin="anonymous" />
    <script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.5.3/js/bootstrap.min.js" crossorigin="anonymous"></script>

    <style>
      html, body {
        height: 100%;
        width: 100%;
      }
      .loginOuter {
        align-items: center;
        display: flex;
        height: 100%;
        justify-content: center;
        width: 100%;
      }
      .loginInner {
        min-width: 200px;
        width: 15%;
      }
    </style>
  </head>
  <body>
    <div class="loginOuter">
      <div class="loginInner">
        <form method="POST">
          <div class="form-group">
            <label for="username"><b>Username:</b></label>
            <input type="text" id="username" name="username" value="<?= $loginUser; ?>" class="form-control"/>
          </div>
          <div class="form-group">
            <label for="password"><b>Password:</b></label>
            <input type="password" id="password" name="password" value="<?= $loginPass; ?>" class="form-control"/>
          </div>
          <?php if (!empty($error)) { ?><div class="alert alert-danger" role="alert"><?= $error; ?></div><?php } ?>
          <button type="submit" name="submit" class="btn btn-success">Login</button>
          <?php if (!empty($return)) { ?><a href="http://<?= $return; ?>" class="btn btn-primary">Cancel</a><?php } ?>
        </form>
      </div>
    </div>
  </body>
</html>

/var/www/secured/index.php

<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Private</title>
  </head>
  <body> 
    <h1>Welcome!</h1><br> 
    <a href="/logout">Logout</a><br>
    <pre>
<?= json_encode($_SERVER, JSON_PRETTY_PRINT) ?>

<?= json_encode($_COOKIE, JSON_PRETTY_PRINT) ?>

<?= json_encode($_POST, JSON_PRETTY_PRINT) ?>

<?= json_encode($_GET, JSON_PRETTY_PRINT) ?>
    </pre>
  </body>
</html>

我的问题和担心是:我是否在可靠的基本身份验证中戳了一个大洞?

谢谢

4

0 回答 0