Theme fund: NGI0 PET
Start: 2019-04
End: 2019-04

ARPA2 resource ACL and HTTP SASL modules for NGINX

Extend consistent access control to NGINX webserver

In most of our daily interactions with a remote server we depend on the application running on the server to properly authenticate the user within the browser session, and to manage who can do what. However, if we want to enforce stronger guarantees with regard to restricted resources and tasks, our options are much more limited. This project from the ARPA2 community wants to move the state of the art in access control forward by combining the extensible SASL standard with a well-defined generic ACL mechanism that also allows for pseudonymity. The project will produce a self-contained library and two modules for a popular web server (NGINX) that use the new library. With the NGINX HTTP SASL module a user-agent can authenticate to the web server using any SASL mechanism the server supports. With the NGINX ARPA2 ACL module the web server can determine whether an authenticated user has authorization for the request that they sent. For example, a user makes the request "DELETE /messages/10" and the server can then decide, based on the authenticated user, the action and the resource, whether this is allowed or not.

Why does this actually matter to end users?

For some use cases, web servers need to be a bit smarter. They are really good at serving up web pages really fast, which is the core of their task. Yet out of the box they understand very little of what they are doing, or who they are interacting with. That is pretty much left to the applications running on such a server. In some instances, it could be quite beneficial if some of these responsibilities could be delegated to the webserver. That way, developers can focus on applications themselves rather than on keeping unwanted or unauthorised visitors out.

We all want websites to be as secure as possible. We also want to grant users as much privacy as we can. Technical measures can of course be taken at the level of the application, as is done traditionally. But that is a lot of work, and it is quite easy to make mistakes. An awful lot of work. Developers waste a lot of time on implementing the same steps over and over. It would be a lot easier if some web tool could just assume that only valid users would enter, and that some reliable source would authoritatively tell them what rights they need to get.

This project from the ARPA2 community wants to deliver such a solution. It has already developed open source software libraries that offer an easy way to distinguish between who is entitled to see something and who isn't. This solution can already be used with all kinds of existing software, because it is compatible with the most popular standards organisations use to keep this data. And you can even work with all kinds of roles and pseudonyms, so unlike most traditional solutions their work isn't completely hardwired to individual people. The latter often leads to people giving their overpowered user credentials to others to quickly get stuff done. In the project, they will now implement it in such a way that all users of the most popular webserver of the moment can take advantage of the power of these libraries. This will help developers outsource one of their headache tasks to a simple and trustworthy open source server component, written by specialists with a focus on security, auditability and standards support. This will in turn simplify applications, will reduce their cost and improve their performance. And of course the small codebase will be significantly easier to analyse in terms of security.

Run by Netsend


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.