
I have a server. One of its functions is SyncThing. This app has no per-user authorization, only admin. So I decided to run different Syncthing instances for each user.

For the authorization process I would like to use unix user names and passwords (from /etc/passwd).

I am imagining using nginx as the reverse proxy and authorization verifier. Could you please verify my idea and help me with examples?

Sample services layout:

  • Syncthing user1 listens on 127.0.0.1:8384
  • Syncthing user2 listens on 127.0.0.1:8385
  • Syncthing user3 listens on 127.0.0.1:8386
  • Nginx (or other) listens on all interfaces including IPv6 on default HTTPS port 0.0.0.0:433

Address would be https://synxrage.local/syncthing. Port must never appear in URLs.

Depending on the successfully authorized user, the proxy directs to a different internal port and the user sees his admin panel.

kyb

1 Answer


Okay, this nagged me and it was actually quite easy using the $remote_user variable.

To enable PAM auth you need to do some things:

Install nginx-extras:

sudo apt -y install nginx-extras

Create /etc/pam.d/nginx and add the following content:

auth       include      common-auth
account    include      common-account

Allow nginx to read the shadow file:

sudo usermod -aG shadow www-data

Instructions found here.

Now you can configure nginx:

# configure one upstream per user
# give it the name of the user that logs in

upstream usera { server localhost:8384; }

upstream userb { server localhost:8385; }

upstream userc { server localhost:8386; }

Now configure the actual reverse proxy:

server {
    listen 80 default_server;

    location / {
        # add pam authentication
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";

        # configure reverse proxy to connect to the per-user backend
        proxy_pass http://$remote_user;
    }
}

Gerald Schneider
  • Is there a way to manage upstreams dynamically? I mean add or remove users depending on the changing user list at runtime. I even think of UID-based math: UID-1000+8384? where UID is the Linux User ID. The first user usually has id 1000. – kyb Mar 13 '22 at 19:56
  • Big thank you!! – kyb Mar 13 '22 at 19:57
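The following is an added example, not code from the answer or from kyb's comment. It takes the answer's per-user upstream layout and the UID-1000+8384 scheme from the comment and turns them into a generator script: read passwd entries, emit one upstream per interactive user, an allow-list map from $remote_user to that upstream, and an HTTPS server block for the https://synxrage.local/syncthing address from the question. The passwd lines in the script are constructed sample data standing in for /etc/passwd; the certificate paths are placeholders; the port arithmetic, the UID cut-offs and the assumption that the Syncthing GUI tolerates being served below a path prefix are mine, not the page's. It relies on the auth_pam module from nginx-extras exactly as the answer does.

```shell
#!/bin/sh
# Added example, not part of the answer: render a complete nginx site file
# from passwd entries. One upstream per login user, port = UID - 1000 + 8384
# (the scheme floated in the comment). Hostname, certificate paths and the
# /syncthing/ prefix are placeholders taken from the question, not tested
# against a real Syncthing install.

# Constructed sample passwd lines; a real run would use: cat /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
usera:x:1000:1000:User A:/home/usera:/bin/bash
userb:x:1001:1001:User B:/home/userb:/bin/bash
userc:x:1002:1002:User C:/home/userc:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

BASE_UID=1000
BASE_PORT=8384
MAX_UID=60000   # stay inside the range Debian hands to human accounts

# Print the Syncthing GUI port for a UID; fail for system or out-of-range UIDs.
port_for_uid() {
    [ "$1" -ge "$BASE_UID" ] 2>/dev/null && [ "$1" -lt "$MAX_UID" ] || return 1
    echo $(( $1 - BASE_UID + BASE_PORT ))
}

# Print "name port" for every eligible user in the passwd text given as $1:
# interactive shell, human UID range, and a name safe as an nginx identifier.
eligible_users() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in */nologin|*/false|"") continue ;; esac
        case "$name" in ""|*[!a-zA-Z0-9_-]*) continue ;; esac
        port=$(port_for_uid "$uid") || continue
        printf '%s %s\n' "$name" "$port"
    done
}

# Emit upstreams, an allow-list map and the HTTPS server block. A user who
# passes PAM but is not in the map (root, say) gets 403 rather than nginx
# trying to resolve the login name as a hostname.
render_config() {
    users=$(eligible_users "$1")
    printf '%s\n' "$users" | while read -r name port; do
        [ -n "$name" ] || continue
        printf 'upstream %s { server 127.0.0.1:%s; }\n' "$name" "$port"
    done
    printf 'map $remote_user $backend {\n    default "";\n'
    printf '%s\n' "$users" | while read -r name port; do
        [ -n "$name" ] || continue
        printf '    %s %s;\n' "$name" "$name"
    done
    printf '}\n'
    cat <<'EOF'
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name synxrage.local;
    ssl_certificate     /etc/ssl/certs/synxrage.local.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/synxrage.local.key; # placeholder

    location /syncthing/ {
        auth_pam "PAM Authentication";
        auth_pam_service_name "nginx";

        # authenticated but unknown to the map: refuse instead of guessing
        if ($backend = "") { return 403; }

        # drop the /syncthing/ prefix; with a variable in proxy_pass nginx
        # forwards the (rewritten) URI unchanged. Assumes the Syncthing GUI
        # tolerates being served below a path prefix.
        rewrite ^/syncthing/(.*)$ /$1 break;
        proxy_pass http://$backend;
        proxy_set_header Host $host;
    }
}
EOF
}

render_config "$SAMPLE_PASSWD"
```

To use it for real, feed `cat /etc/passwd` to render_config instead of the sample, write the output to a file under /etc/nginx/sites-available, run `nginx -t`, and reload nginx; re-run it whenever accounts are added or removed, since nginx cannot do the UID arithmetic itself. The map is the one security addition over the answer's config: it limits which authenticated accounts reach a backend, but it does not change the fact that the PAM setup requires www-data in the shadow group, so the web server process can read every password hash on the host.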