Skip to content
Snippets Groups Projects
Select Git revision
  • ea823518e83e9a04868bda584ea26b3aaf6d1fd2
  • master default protected
  • v1.15.1
  • v1.15.0
  • v1.14.7
  • v1.14.6
  • v1.14.5
  • v1.14.4
  • v1.14.3
  • v1.14.2
  • v1.14.1
  • v1.14.0
  • v1.13.2
  • v1.13.1
  • v1.13.0
  • v1.12.1
  • v1.12.0
  • v1.11.1
  • v1.11.0
  • v1.10.0
  • v1.9.2
  • v1.9.1
22 results

setup.py

Blame
    • nginx-ldap-auth.conf 5.20 KiB
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126 
    

    

    

    error_log logs/error.log debug;

events { }

http {
    proxy_cache_path cache/  keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented
    # in backend-sample-app.py.
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 8081 for requests that require
    # authentication. Change the port number as appropriate.
    server {
        listen 8081;

        # Protected application
        location / {
            auth_request /auth-proxy;

            # redirect 401 to login form
            # Comment them out if using HTTP basic authentication.
            # or authentication popup won't show
            error_page 401 =200 /login;

            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py.
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;

            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;

            # The following directive adds the cookie to the cache key
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
            # communicates with a LDAP server, passing in the following
            # parameters to specify which user account to authenticate. To
            # eliminate the need to modify the Python code, this file contains
            # 'proxy_set_header' directives that set the values of the
            # parameters. Set or change them as instructed in the comments.
            #
            #    Parameter      Proxy header
            #    -----------    ----------------
            #    url            X-Ldap-URL
            #    starttls       X-Ldap-Starttls
            #    basedn         X-Ldap-BaseDN
            #    binddn         X-Ldap-BindDN
            #    bindpasswd     X-Ldap-BindPass
            #    cookiename     X-CookieName
            #    realm          X-Ldap-Realm
            #    template       X-Ldap-Template

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com'.
            # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
            proxy_set_header X-Ldap-URL      "ldap://example.com";

            # (Optional) Establish a TLS-enabled LDAP session after binding to the
            # LDAP server. Set the value to "true: to enable.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
            proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";

            # (Required) Set the Bind password, by replacing 'secret'.
            proxy_set_header X-Ldap-BindPass "secret";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Set to empty value if using HTTP basic
            # authentication (do not comment).
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template with "(sAMAccountName=%(username)s)"
            proxy_set_header X-Ldap-Template ""; # Optional, do not comment

            # (Set to "true"  if using Microsoft Active Directory and
            # getting "In order to perform this operation a successful bind
            # must be completed on the connection." errror)
            proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment

            # (Optional)
            # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active
            # Directory as the LDAP server.
            # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server,
            # which is the default set in nginx-ldap-auth-daemon.py.
            proxy_set_header X-Ldap-Template ""; # Optional, do not comment

            # (Optional) Set the realm name, e.g. "Restricred", which is the
            # default set in nginx-ldap-auth-daemon.py.
            proxy_set_header X-Ldap-Realm ""; # Optional, do not comment
        }
    }
}