nginx: understanding the purpose of auth_http (IMAP proxy)

The auth_http does two main things:

• It authenticates users (including various options to effectively delay users on failed authentication).
• And it determines which backend to use (and which username and password to use in backend authentication, if at all).

While in some cases authentication can be handled directly by a backend, it's not something always possible. Moreover, if nginx needs to be used as a mail proxy, it's almost always means that there are multiple backends and backend isn't known in advance.

It's also more efficient to handle authentication (in particular, authentication errors) with nginx, as mail servers tends to use process-per-connection model and can't effectively wait for a while before returning an error.

If you don't care about all of the above, and want nginx to just pass a connection to a predetermined backend, you may use something like this in nginx http{} block as a dead simple auth_http script:

location = /auth {
    add_header Auth-Status OK;
    add_header Auth-Server 127.0.0.2;  # backend ip
    add_header Auth-Port   143;        # backend port
    return 204;
}

With such auth script nginx will always get a successful authentication result, and it will pass the connection to the backend specified, with username and password provided by the client.

Note though, that this should not be used with SMTP, as there is no backend authentication with SMTP.

Related videos on Youtube

16 : 43

Configure NGINX as a Reverse Proxy

NGINX, Inc

52986

02 : 05

NGINX Explained in 100 Seconds

Fireship

733

02 : 10

Reverse proxy a remote IMAP/SMTP server with NGINX (2 Solutions!!)

Roel Van de Paar

354

02 : 23

DevOps & SysAdmins: nginx: understanding the purpose of auth_http (IMAP proxy)

Roel Van de Paar

5

30 : 51

NGINX Mail Proxy mit IMAP, POP3 und SMTP

Rene Fürst

1

Author by

huiqiang.zhang

Updated on September 18, 2022