From b60024a97090f4fc21b8beaed57ce29fa442f098 Mon Sep 17 00:00:00 2001 From: Liam Crilly Date: Tue, 12 Apr 2022 00:32:47 +0100 Subject: [PATCH 1/5] Security improvements --- nginx-ldap-auth.conf | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf index 50dcc10..ba69333 100644 --- a/nginx-ldap-auth.conf +++ b/nginx-ldap-auth.conf @@ -78,10 +78,10 @@ http { proxy_set_header X-Ldap-URL "ldap://example.com"; # (Optional) Establish a TLS-enabled LDAP session after binding to the - # LDAP server. + # LDAP server. Set the value to "true: to enable. # This is the 'proper' way to establish encrypted TLS connections, see # http://www.openldap.org/faq/data/cache/185.html - #proxy_set_header X-Ldap-Starttls "true"; + proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment # (Required) Set the Base DN, by replacing the value enclosed in # double quotes. @@ -96,30 +96,30 @@ http { # (Required) The following directives set the cookie name and pass # it, respectively. They are required for cookie-based - # authentication. Comment them out if using HTTP basic - # authentication. + # authentication. Set to empty value if using HTTP basic + # authentication (do not comment). proxy_set_header X-CookieName "nginxauth"; proxy_set_header Cookie nginxauth=$cookie_nginxauth; # (Required if using Microsoft Active Directory as the LDAP server) - # Set the LDAP template by uncommenting the following directive. - #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)"; + # Set the LDAP template with "(sAMAccountName=%(username)s)" + proxy_set_header X-Ldap-Template ""; # Optional, do not comment - # (May be required if using Microsoft Active Directory and + # (Set to "true" if using Microsoft Active Directory and # getting "In order to perform this operation a successful bind # must be completed on the connection." errror) - #proxy_set_header X-Ldap-DisableReferrals "true"; + proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment - # (Optional if using OpenLDAP as the LDAP server) Set the LDAP - # template by uncommenting the following directive and replacing - # '(cn=%(username)s)' which is the default set in - # nginx-ldap-auth-daemon.py. - #proxy_set_header X-Ldap-Template "(cn=%(username)s)"; + # (Optional) + # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active + # Directory as the LDAP server. + # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server, + # which is the default set in nginx-ldap-auth-daemon.py. + proxy_set_header X-Ldap-Template ""; # Optional, do not comment - # (Optional) Set the realm name, by uncommenting the following - # directive and replacing 'Restricted' which is the default set - # in nginx-ldap-auth-daemon.py. - #proxy_set_header X-Ldap-Realm "Restricted"; + # (Optional) Set the realm name, e.g. "Restricred", which is the + # default set in nginx-ldap-auth-daemon.py. + proxy_set_header X-Ldap-Realm ""; # Optional, do not comment } } } From d364261db8f50a0ba748204ee043da9516349bb2 Mon Sep 17 00:00:00 2001 From: Liam Crilly Date: Tue, 12 Apr 2022 00:33:29 +0100 Subject: [PATCH 2/5] Security improvements --- README.md | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 531aff9..598769d 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ http { } -If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown: +If the authentication server runs Active Directory rather than OpenLDAP, set the following directive as shown: ``` proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)"; ``` @@ -121,51 +121,53 @@ In addition, the **X-Ldap-Template** header can be used to create complex LDAP s Suppose, your web resource should only be available for users from `group1` group. In such a case you can define `X-Ldap-Template` template as follows: -``` +```nginx proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))"; ``` The search filters can be combined from less complex filters using boolean operations and can be rather complex. -The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown: +The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, set the following directives to have an empty value, as shown: -
-#proxy_set_header X-CookieName "nginxauth";
-#proxy_set_header Cookie nginxauth=$cookie_nginxauth;
-
+```nginx +proxy_set_header X-CookieName ""; +proxy_set_header Cookie ""; +``` ## Customization ### Caching The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown: -
+```nginx
 http {
   ...
-  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
   ...
   server {
     ...
     location = /auth-proxy {
-      #proxy_cache auth_cache;
+      #proxy_cache auth_cache;
       # note that cookie is added to cache key
-      #proxy_cache_key "$http_authorization$cookie_nginxauth";
-      #proxy_cache_valid 200 10m;
+      #proxy_cache_key "$http_authorization$cookie_nginxauth";
+      #proxy_cache_valid 200 10m;
      }
    }
 }
-
+``` ### Optional LDAP Parameters -If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value: -
-proxy_set_header X-Ldap-Template "(cn=%(username)s)";
-
+If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, set the following directive as shown, and change the value: +```nginx +proxy_set_header X-Ldap-Template "(cn=%(username)s)"; +``` -If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive: -
-proxy_set_header X-Ldap-Realm "Restricted";
-
+If you want to change the realm name from the default value (**Restricted**), set the following directive: +```nginx +proxy_set_header X-Ldap-Realm "Restricted"; +``` + +> **Note:** All LDAP parameters must have a value, even optional ones. Use the empty string (`""`) for unused parameters (do not comment). ### Authentication Server From 3df1b7a9ea08d21f046c536a3d9911d098852fcf Mon Sep 17 00:00:00 2001 From: Liam Crilly Date: Tue, 12 Apr 2022 08:53:14 +0100 Subject: [PATCH 3/5] Typo in comment --- nginx-ldap-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf index ba69333..e6cbae3 100644 --- a/nginx-ldap-auth.conf +++ b/nginx-ldap-auth.conf @@ -117,7 +117,7 @@ http { # which is the default set in nginx-ldap-auth-daemon.py. proxy_set_header X-Ldap-Template ""; # Optional, do not comment - # (Optional) Set the realm name, e.g. "Restricred", which is the + # (Optional) Set the realm name, e.g. "Restricted", which is the # default set in nginx-ldap-auth-daemon.py. proxy_set_header X-Ldap-Realm ""; # Optional, do not comment } From 5e5d5b1b8669e633d906c678786411ac0ed61968 Mon Sep 17 00:00:00 2001 From: Liam Crilly Date: Tue, 12 Apr 2022 10:58:56 +0100 Subject: [PATCH 4/5] Security improvements --- README.md | 48 +++++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 598769d..820449d 100644 --- a/README.md +++ b/README.md @@ -90,6 +90,9 @@ http { location = /auth-proxy { proxy_pass http://127.0.0.1:8888; + proxy_pass_request_body off; + proxy_pass_request_headers off; + proxy_set_header Content-Length ""; proxy_cache auth_cache; # Must match the name in the proxy_cache_path directive above proxy_cache_valid 200 10m; @@ -112,7 +115,7 @@ http { } -If the authentication server runs Active Directory rather than OpenLDAP, set the following directive as shown: +If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown: ``` proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)"; ``` @@ -121,53 +124,52 @@ In addition, the **X-Ldap-Template** header can be used to create complex LDAP s Suppose, your web resource should only be available for users from `group1` group. In such a case you can define `X-Ldap-Template` template as follows: -```nginx +``` proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))"; ``` The search filters can be combined from less complex filters using boolean operations and can be rather complex. -The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, set the following directives to have an empty value, as shown: +The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives, and enable the Authorization header as shown: -```nginx -proxy_set_header X-CookieName ""; -proxy_set_header Cookie ""; -``` +
+#proxy_set_header X-CookieName "nginxauth";
+#proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+proxy_set_header Authorization $http_authorization;
+
## Customization ### Caching The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown: -```nginx +
 http {
   ...
-  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
   ...
   server {
     ...
     location = /auth-proxy {
-      #proxy_cache auth_cache;
+      #proxy_cache auth_cache;
       # note that cookie is added to cache key
-      #proxy_cache_key "$http_authorization$cookie_nginxauth";
-      #proxy_cache_valid 200 10m;
+      #proxy_cache_key "$http_authorization$cookie_nginxauth";
+      #proxy_cache_valid 200 10m;
      }
    }
 }
-```
+
### Optional LDAP Parameters -If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, set the following directive as shown, and change the value: -```nginx -proxy_set_header X-Ldap-Template "(cn=%(username)s)"; -``` +If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value: +
+proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+
-If you want to change the realm name from the default value (**Restricted**), set the following directive: -```nginx -proxy_set_header X-Ldap-Realm "Restricted"; -``` - -> **Note:** All LDAP parameters must have a value, even optional ones. Use the empty string (`""`) for unused parameters (do not comment). +If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive: +
+proxy_set_header X-Ldap-Realm "Restricted";
+
### Authentication Server From 763f23b29785d96dc2dafbc68524b393eef212f6 Mon Sep 17 00:00:00 2001 From: Liam Crilly Date: Tue, 12 Apr 2022 10:59:26 +0100 Subject: [PATCH 5/5] Security improvements --- nginx-ldap-auth.conf | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf index e6cbae3..d9b1854 100644 --- a/nginx-ldap-auth.conf +++ b/nginx-ldap-auth.conf @@ -47,6 +47,7 @@ http { proxy_pass http://127.0.0.1:8888; proxy_pass_request_body off; + proxy_pass_request_headers off; proxy_set_header Content-Length ""; proxy_cache auth_cache; proxy_cache_valid 200 10m; @@ -78,10 +79,10 @@ http { proxy_set_header X-Ldap-URL "ldap://example.com"; # (Optional) Establish a TLS-enabled LDAP session after binding to the - # LDAP server. Set the value to "true: to enable. + # LDAP server. # This is the 'proper' way to establish encrypted TLS connections, see # http://www.openldap.org/faq/data/cache/185.html - proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment + #proxy_set_header X-Ldap-Starttls "true"; # (Required) Set the Base DN, by replacing the value enclosed in # double quotes. @@ -96,30 +97,33 @@ http { # (Required) The following directives set the cookie name and pass # it, respectively. They are required for cookie-based - # authentication. Set to empty value if using HTTP basic - # authentication (do not comment). + # authentication. Comment them out if using HTTP basic + # authentication. proxy_set_header X-CookieName "nginxauth"; proxy_set_header Cookie nginxauth=$cookie_nginxauth; - # (Required if using Microsoft Active Directory as the LDAP server) - # Set the LDAP template with "(sAMAccountName=%(username)s)" - proxy_set_header X-Ldap-Template ""; # Optional, do not comment + # (Optional) Uncomment if using HTTP basic authentication + #proxy_set_header Authorization $http_authorization; - # (Set to "true" if using Microsoft Active Directory and + # (Required if using Microsoft Active Directory as the LDAP server) + # Set the LDAP template by uncommenting the following directive. + #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)"; + + # (May be required if using Microsoft Active Directory and # getting "In order to perform this operation a successful bind # must be completed on the connection." errror) - proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment + #proxy_set_header X-Ldap-DisableReferrals "true"; - # (Optional) - # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active - # Directory as the LDAP server. - # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server, - # which is the default set in nginx-ldap-auth-daemon.py. - proxy_set_header X-Ldap-Template ""; # Optional, do not comment + # (Optional if using OpenLDAP as the LDAP server) Set the LDAP + # template by uncommenting the following directive and replacing + # '(cn=%(username)s)' which is the default set in + # nginx-ldap-auth-daemon.py. + #proxy_set_header X-Ldap-Template "(cn=%(username)s)"; - # (Optional) Set the realm name, e.g. "Restricted", which is the - # default set in nginx-ldap-auth-daemon.py. - proxy_set_header X-Ldap-Realm ""; # Optional, do not comment + # (Optional) Set the realm name, by uncommenting the following + # directive and replacing 'Restricted' which is the default set + # in nginx-ldap-auth-daemon.py. + #proxy_set_header X-Ldap-Realm "Restricted"; } } }