Security improvements

README.md

@@ -90,6 +90,9 @@ http {
 
       location = /auth-proxy {
          proxy_pass http://<strong>127.0.0.1</strong>:8888;
+         proxy_pass_request_body off;
+         proxy_pass_request_headers off;
+         proxy_set_header Content-Length "";
          proxy_cache <strong>auth_cache</strong>; # Must match the name in the proxy_cache_path directive above
          proxy_cache_valid 200 <strong>10m</strong>;
 
@@ -112,7 +115,7 @@ http {
 }
 </pre>
 
-If the authentication server runs Active Directory rather than OpenLDAP, set the following directive as shown:
+If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown:
 ```
 proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
 ```
@@ -121,53 +124,52 @@ In addition, the **X-Ldap-Template** header can be used to create complex LDAP s
 
 Suppose, your web resource should only be available for users from `group1` group.
 In such a case you can define `X-Ldap-Template` template as follows:
-```nginx
+```
 proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))";
 ```
 
 The search filters can be combined from less complex filters using boolean operations and can be rather complex.
 
-The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, set the following directives to have an empty value, as shown:
+The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives, and enable the Authorization header as shown:
 
-```nginx
+<pre>
-proxy_set_header X-CookieName "";
+<strong>#</strong>proxy_set_header X-CookieName "nginxauth";
-proxy_set_header Cookie "";
+<strong>#</strong>proxy_set_header Cookie nginxauth=$cookie_nginxauth;
-```
+<strong>proxy_set_header Authorization $http_authorization;</strong>
+</pre>
 
 ## Customization
 ### Caching
 
 The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown:
-```nginx
+<pre>
 http {
   ...
-  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  <strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;
   ...
   server {
     ...
     location = /auth-proxy {
-      #proxy_cache auth_cache;
+      <strong>#</strong>proxy_cache auth_cache;
       # note that cookie is added to cache key
-      #proxy_cache_key "$http_authorization$cookie_nginxauth";
+      <strong>#</strong>proxy_cache_key "$http_authorization$cookie_nginxauth";
-      #proxy_cache_valid 200 10m;
+      <strong>#</strong>proxy_cache_valid 200 10m;
      }
    }
 }
-```
+</pre>
 
 ### Optional LDAP Parameters
 
-If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, set the following directive as shown, and change the value:
+If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
-```nginx
+<pre>
-proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";
-```
+</pre>
 
-If you want to change the realm name from the default value (**Restricted**), set the following directive:
+If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
-```nginx
+<pre>
-proxy_set_header X-Ldap-Realm "Restricted";
+proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";
-```
+</pre>
-
-> **Note:** All LDAP parameters must have a value, even optional ones. Use the empty string (`""`) for unused parameters (do not comment).
 
 ### Authentication Server
 

nginx-ldap-auth.conf

@@ -47,6 +47,7 @@ http {
             proxy_pass http://127.0.0.1:8888;
 
             proxy_pass_request_body off;
+            proxy_pass_request_headers off;
             proxy_set_header Content-Length "";
             proxy_cache auth_cache;
             proxy_cache_valid 200 10m;
@@ -78,10 +79,10 @@ http {
             proxy_set_header X-Ldap-URL      "ldap://example.com";
 
             # (Optional) Establish a TLS-enabled LDAP session after binding to the
-            # LDAP server. Set the value to "true: to enable.
+            # LDAP server.
             # This is the 'proper' way to establish encrypted TLS connections, see
             # http://www.openldap.org/faq/data/cache/185.html
-            proxy_set_header X-Ldap-Starttls ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-Starttls "true";
 
             # (Required) Set the Base DN, by replacing the value enclosed in
             # double quotes.
@@ -96,30 +97,33 @@ http {
 
             # (Required) The following directives set the cookie name and pass
             # it, respectively. They are required for cookie-based
-            # authentication. Set to empty value if using HTTP basic
+            # authentication. Comment them out if using HTTP basic
-            # authentication (do not comment).
+            # authentication.
             proxy_set_header X-CookieName "nginxauth";
             proxy_set_header Cookie nginxauth=$cookie_nginxauth;
 
-            # (Required if using Microsoft Active Directory as the LDAP server)
+            # (Optional) Uncomment if using HTTP basic authentication
-            # Set the LDAP template with "(sAMAccountName=%(username)s)"
+            #proxy_set_header Authorization $http_authorization;
-            proxy_set_header X-Ldap-Template ""; # Optional, do not comment
 
-            # (Set to "true"  if using Microsoft Active Directory and
+            # (Required if using Microsoft Active Directory as the LDAP server)
+            # Set the LDAP template by uncommenting the following directive.
+            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
+
+            # (May be required if using Microsoft Active Directory and
             # getting "In order to perform this operation a successful bind
             # must be completed on the connection." errror)
-            proxy_set_header X-Ldap-DisableReferrals ""; # Optional, do not comment
+            #proxy_set_header X-Ldap-DisableReferrals "true";
 
-            # (Optional)
+            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
-            # Set to "(sAMAccountName=%(username)s)" if using Microsoft Active
+            # template by uncommenting the following directive and replacing
-            # Directory as the LDAP server.
+            # '(cn=%(username)s)' which is the default set in
-            # Set to "(cn=%(username)s)" if using OpenLDAP as the LDAP server,
+            # nginx-ldap-auth-daemon.py.
-            # which is the default set in nginx-ldap-auth-daemon.py.
+            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
-            proxy_set_header X-Ldap-Template ""; # Optional, do not comment
 
-            # (Optional) Set the realm name, e.g. "Restricred", which is the
+            # (Optional) Set the realm name, by uncommenting the following
-            # default set in nginx-ldap-auth-daemon.py.
+            # directive and replacing 'Restricted' which is the default set
-            proxy_set_header X-Ldap-Realm ""; # Optional, do not comment
+            # in nginx-ldap-auth-daemon.py.
+            #proxy_set_header X-Ldap-Realm    "Restricted";
         }
     }
 }