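    # Sample NGINX configuration for LDAP authentication via auth_request.
    # Requests to the protected application are first sent to an internal
    # auth subrequest, which is proxied to the ldap-auth daemon; the daemon's
    # LDAP connection parameters are passed as X-Ldap-* request headers.
    #
    # NOTE: at 'debug' level NGINX logs the headers it sends upstream, which
    # here include X-Ldap-BindPass, Authorization and the session cookie.
    # Use 'debug' only while setting up; lower it (e.g. to 'warn') afterwards.
    error_log logs/error.log debug;
    
    events { }
    
    http {
        # Shared cache for auth subrequest results (see proxy_cache below).
        proxy_cache_path cache/  keys_zone=auth_cache:10m;
    
        # The back-end daemon listens on port 9000 as implemented
        # in backend-sample-app.py.
        # Change the IP address if the daemon is not running on the
        # same host as NGINX/NGINX Plus.
        upstream backend {
            server 127.0.0.1:9000;
        }
    
        # NGINX/NGINX Plus listen on port 8081 for requests that require
        # authentication. Change the port number as appropriate.
        server {
            listen 8081;
    
            # Protected application
            location / {
                auth_request /auth-proxy;
    
                # Redirect 401 to the login form.
                # Comment this out if using HTTP basic authentication,
                # otherwise the browser's authentication popup won't show.
                error_page 401 =200 /login;
    
                proxy_pass http://backend/;
            }
    
            # Login form; intentionally not protected by auth_request.
            location /login {
                proxy_pass http://backend/login;
                # Login service returns a redirect to the original URI
                # and sets the cookie for the ldap-auth daemon
                proxy_set_header X-Target $request_uri;
            }
    
            location = /auth-proxy {
                # Only reachable via auth_request, never directly by clients.
                internal;
    
                # The ldap-auth daemon listens on port 8888, as set
                # in nginx-ldap-auth-daemon.py.
                # Change the IP address if the daemon is not running on
                # the same host as NGINX/NGINX Plus.
                proxy_pass http://127.0.0.1:8888;
    
                # The subrequest carries no body; only headers matter.
                proxy_pass_request_body off;
                proxy_set_header Content-Length "";
    
                # Cache successful authentications so the daemon is not hit
                # on every request. A cached 200 stays valid for 10 minutes,
                # so a revoked password or cookie can keep working for up to
                # that long; shorten the time if faster revocation is needed.
                proxy_cache auth_cache;
                proxy_cache_valid 200 10m;
    
                # The cache key is the Authorization header plus the cookie.
                # The key is stored alongside the cache entry, so the cache/
                # directory should be readable only by the NGINX user.
                proxy_cache_key "$http_authorization$cookie_nginxauth";
    
                # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
                # communicates with a LDAP server, passing in the following
                # parameters to specify which user account to authenticate. To
                # eliminate the need to modify the Python code, this file contains
                # 'proxy_set_header' directives that set the values of the
                # parameters. Set or change them as instructed in the comments.
                #
                #    Parameter         Proxy header
                #    ---------------   -----------------------
                #    url               X-Ldap-URL
                #    starttls          X-Ldap-Starttls
                #    basedn            X-Ldap-BaseDN
                #    binddn            X-Ldap-BindDN
                #    bindpasswd        X-Ldap-BindPass
                #    cookiename        X-CookieName
                #    realm             X-Ldap-Realm
                #    template          X-Ldap-Template
                #    disablereferrals  X-Ldap-DisableReferrals
    
                # (Required) Set the URL and port for connecting to the LDAP server,
                # by replacing 'example.com'.
                # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
                # With a plain ldap:// URL and X-Ldap-Starttls left empty, the bind
                # password and user passwords cross the network unencrypted.
                proxy_set_header X-Ldap-URL      "ldap://example.com";
    
                # (Optional) Establish a TLS-enabled LDAP session after binding to the
                # LDAP server. Set the value to "true" to enable.
                # This is the 'proper' way to establish encrypted TLS connections, see
                # http://www.openldap.org/faq/data/cache/185.html
                proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment
    
                # (Required) Set the Base DN, by replacing the value enclosed in
                # double quotes.
                proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";
    
                # (Required) Set the Bind DN, by replacing the value enclosed in
                # double quotes. Prefer a dedicated, read-only service account
                # over an administrative DN.
                proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";
    
                # (Required) Set the Bind password, by replacing 'secret'.
                # This value is sent to the daemon on every uncached subrequest;
                # keep this file's permissions restrictive.
                proxy_set_header X-Ldap-BindPass "secret";
    
                # (Required) The following directives set the cookie name and pass
                # it, respectively. They are required for cookie-based
                # authentication. Set to empty value if using HTTP basic
                # authentication (do not comment).
                proxy_set_header X-CookieName "nginxauth";
                proxy_set_header Cookie nginxauth=$cookie_nginxauth;
    
                # (Optional) LDAP search template selecting the user entry.
                # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active
                # Directory as the LDAP server (required in that case).
                # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server,
                # which is the default set in nginx-ldap-auth-daemon.py.
                # This header was previously set twice; a single directive is enough.
                proxy_set_header X-Ldap-Template ""; # Optional, do not comment
    
                # (Set to "true" if using Microsoft Active Directory and
                # getting "In order to perform this operation a successful bind
                # must be completed on the connection." error)
                proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment
    
                # (Optional) Set the realm name, e.g. "Restricted", which is the
                # default set in nginx-ldap-auth-daemon.py.
                proxy_set_header X-Ldap-Realm ""; # Optional, do not comment
            }
        }
    }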