From 5e5d5b1b8669e633d906c678786411ac0ed61968 Mon Sep 17 00:00:00 2001
From: Liam Crilly <liam.crilly@nginx.com>
Date: Tue, 12 Apr 2022 10:58:56 +0100
Subject: [PATCH] Security improvements
---
README.md | 48 +++++++++++++++++++++++++-----------------------
1 file changed, 25 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 598769d..820449d 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,9 @@ http {
location = /auth-proxy {
proxy_pass http://<strong>127.0.0.1</strong>:8888;
+ proxy_pass_request_body off;
+ proxy_pass_request_headers off;
+ proxy_set_header Content-Length "";
proxy_cache <strong>auth_cache</strong>; # Must match the name in the proxy_cache_path directive above
proxy_cache_valid 200 <strong>10m</strong>;
@@ -112,7 +115,7 @@ http {
}
</pre>
-If the authentication server runs Active Directory rather than OpenLDAP, set the following directive as shown:
+If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown:
```
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
```
@@ -121,53 +124,52 @@ In addition, the **X-Ldap-Template** header can be used to create complex LDAP s
Suppose, your web resource should only be available for users from `group1` group.
In such a case you can define `X-Ldap-Template` template as follows:
-```nginx
+```
proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))";
```
The search filters can be combined from less complex filters using boolean operations and can be rather complex.
-The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, set the following directives to have an empty value, as shown:
+The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives, and enable the Authorization header as shown:
-```nginx
-proxy_set_header X-CookieName "";
-proxy_set_header Cookie "";
-```
+<pre>
+<strong>#</strong>proxy_set_header X-CookieName "nginxauth";
+<strong>#</strong>proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+<strong>proxy_set_header Authorization $http_authorization;</strong>
+</pre>
## Customization
### Caching
The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown:
-```nginx
+<pre>
http {
...
- #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+ <strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;
...
server {
...
location = /auth-proxy {
- #proxy_cache auth_cache;
+ <strong>#</strong>proxy_cache auth_cache;
# note that cookie is added to cache key
- #proxy_cache_key "$http_authorization$cookie_nginxauth";
- #proxy_cache_valid 200 10m;
+ <strong>#</strong>proxy_cache_key "$http_authorization$cookie_nginxauth";
+ <strong>#</strong>proxy_cache_valid 200 10m;
}
}
}
-```
+</pre>
### Optional LDAP Parameters
-If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, set the following directive as shown, and change the value:
-```nginx
-proxy_set_header X-Ldap-Template "(cn=%(username)s)";
-```
-
-If you want to change the realm name from the default value (**Restricted**), set the following directive:
-```nginx
-proxy_set_header X-Ldap-Realm "Restricted";
-```
+If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
+<pre>
+proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";
+</pre>
-> **Note:** All LDAP parameters must have a value, even optional ones. Use the empty string (`""`) for unused parameters (do not comment).
+If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
+<pre>
+proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";
+</pre>
### Authentication Server
--
GitLab