I am a big fan of Sinatra, the adept development framework for building small and tight web applications.

So recently when I was setting up Dovecot with LDAP authentication on an OpenVZ virtual server, I gave the NGINX IMAP proxy a try.

While I got it working, I found the authentication module a bit clunky at first. It passes credentials from the user to an authentication system using HTTP, expecting HTTP headers back about whether the user’s credentials were legitimate and where to proxy their connection.

After I tried out an example PHP authentication mechanism, it made more sense. NGINX is a web server, too! It’s super simple, and I wouldn’t mind seeing more authentication mechanisms like this. Here’s how it works (examples are from the NGINX wiki):


GET /auth HTTP/1.0
Host: auth.server.hostname
Auth-Method: plain
Auth-User: user
Auth-Pass: password
Auth-Protocol: imap
Auth-Login-Attempt: 1


HTTP/1.0 200 OK
Auth-Status: OK
Auth-Port: 143
Auth-User: newname
Auth-Pass: newpassword

Seeing how much I dig Sinatra, how about a Sinatra application that proxies this simple HTTP authentication mechanism to a SASL mechanism?
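As an added sketch (not code from the original post or from NGINX), here is the server side of that exchange as a Rack-style handler, which is the same `env` a Sinatra route sees; it uses only the standard library so it runs without gems. The user table, salt, backend address, `MAX_ATTEMPTS` and the function names are assumptions standing in for a real SASL/LDAP lookup, and `Auth-Server` and `Auth-Wait` are NGINX mail-auth headers that the excerpt above does not show.

```ruby
require "openssl"

# Constructed demo data; a real deployment would ask LDAP/SASL instead.
SALT  = "constructed-demo-salt"
DUMMY = ("\0" * 32).b

def kdf(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 10_000, 32, "sha256")
end

USERS        = { "user" => kdf("password") }.freeze
BACKENDS     = { "imap" => ["127.0.0.1", "143"] }.freeze # assumed Dovecot address
MAX_ATTEMPTS = 3

# Compare two equal-length byte strings without an early exit.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rack-style endpoint: takes the env hash, returns [status, headers, body].
def nginx_mail_auth(env)
  user    = env["HTTP_AUTH_USER"].to_s
  pass    = env["HTTP_AUTH_PASS"].to_s
  backend = BACKENDS[env["HTTP_AUTH_PROTOCOL"].to_s]
  attempt = env["HTTP_AUTH_LOGIN_ATTEMPT"].to_i

  # Always run the KDF so unknown users cost the same time as known ones.
  match = constant_time_eq?(kdf(pass), USERS.fetch(user, DUMMY))
  ok    = match && USERS.key?(user) && backend &&
          env["HTTP_AUTH_METHOD"].to_s == "plain" # CRAM-MD5 is not handled here

  headers =
    if ok
      { "Auth-Status" => "OK", "Auth-Server" => backend[0], "Auth-Port" => backend[1] }
    else
      # One generic message for every failure, so responses do not reveal
      # whether the user exists. Leaving Auth-Wait out makes NGINX drop the client.
      h = { "Auth-Status" => "Invalid login or password" }
      h["Auth-Wait"] = "3" if attempt < MAX_ATTEMPTS
      h
    end
  # NGINX expects HTTP 200 either way; the verdict lives in Auth-Status.
  [200, headers, []]
end
```

Because `Auth-Pass` arrives as a cleartext header, an endpoint like this belongs on loopback or a private interface that only NGINX can reach.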

The NGINX mail authentication mechanism is actually more sophisticated than the basic HTTP authentication module because it supports CRAM-MD5, which some e-mail clients support.

If only NGINX supported authorization via digest authentication like this using an HTTP request to handle the actual authentication - that would be so cool!! It might even compete with the fact that Apache can use digest authentication via a MySQL/Postgres/SQLite backend!