Security improvements

763f23b2 · Liam Crilly · GitHub · 5e5d5b1b · 763f23b2
Unverified Commit 763f23b2 authored Apr 12, 2022 by Liam Crilly Committed by GitHub Apr 12, 2022
--- a/nginx-ldap-auth.conf
+++ b/nginx-ldap-auth.conf
@@ -47,6 +47,7 @@ http {
            proxy_pass http://127.0.0.1:8888;
            proxy_pass_request_body off;
+            proxy_pass_request_headers off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;
@@ -78,10 +79,10 @@ http {
            proxy_set_header X-Ldap-URL      "ldap://example.com";
            # (Optional) Establish a TLS-enabled LDAP session after binding to the
-            # LDAP server. Set the value to "true: to enable.
+            # LDAP server.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
-            proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-Starttls "true";
            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
@@ -96,30 +97,33 @@ http {
            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
-            # authentication. Set to empty value if using HTTP basic
+            # authentication. Comment them out if using HTTP basic
-            # authentication (do not comment).
+            # authentication.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+            # (Optional) Uncomment if using HTTP basic authentication
+            #proxy_set_header Authorization $http_authorization;
            # (Required if using Microsoft Active Directory as the LDAP server)
-            # Set the LDAP template with "(sAMAccountName=%(username)s)"
+            # Set the LDAP template by uncommenting the following directive.
-            proxy_set_header X-Ldap-Template ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
-            # (Set to "true"  if using Microsoft Active Directory and
+            # (May be required if using Microsoft Active Directory and
            # getting "In order to perform this operation a successful bind
            # must be completed on the connection." errror)
-            proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-DisableReferrals "true";
-            # (Optional)
+            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
-            # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active
+            # template by uncommenting the following directive and replacing
-            # Directory as the LDAP server.
+            # '(cn=%(username)s)' which is the default set in
-            # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server,
+            # nginx-ldap-auth-daemon.py.
-            # which is the default set in nginx-ldap-auth-daemon.py.
+            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
-            proxy_set_header X-Ldap-Template ""; # Optional, do not comment
+            # (Optional) Set the realm name, by uncommenting the following
-            # (Optional) Set the realm name, e.g. "Restricted", which is the
+            # directive and replacing 'Restricted' which is the default set
-            # default set in nginx-ldap-auth-daemon.py.
+            # in nginx-ldap-auth-daemon.py.
-            proxy_set_header X-Ldap-Realm ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-Realm    "Restricted";
        }
    }
 }