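# Sample front-end configuration for cookie/basic-auth LDAP authentication:
# every request to "/" is checked by an auth_request subrequest that is
# proxied to a separate authorization daemon; rejected requests are shown
# the backend's login form instead.

# NOTE(review): at "debug" level nginx (when built with debug support) writes
# request headers to the log, which here includes the Cookie and Authorization
# values used as credentials. Keep this level for troubleshooting only and
# restrict read access to logs/.
error_log logs/error.log debug;

events { }

http {
    # Shared-memory zone and on-disk store for cached authorization results.
    # Cache files record the cache key, which below is built from credential
    # material, so the cache/ directory should be readable only by the
    # nginx user.
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    upstream backend {
        server 127.0.0.1:9000;
    }

    server {
        listen 127.0.0.1:8080;
        server_name localhost;

        location / {
            # Each request is authorized by the subrequest below before
            # it is passed to the backend.
            auth_request /auth-proxy;

            # redirect 401 and 403 to login form
            error_page 401 =200 /login;
            error_page 403 =200 /login;

            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # login service will return a redirect for user to original URI
            # and set cookie for auth daemon
            # NOTE(review): X-TARGET carries the client-supplied request URI;
            # the login service should accept only same-site relative paths
            # from it before redirecting.
            proxy_set_header X-TARGET $request_uri;
        }

        location = /auth-proxy {
            # Reachable only through auth_request, never directly by clients.
            internal;

            # authorization daemon listens here
            proxy_pass http://127.0.0.1:8888;

            # The daemon decides from headers alone, so the request body
            # is not forwarded.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            #proxy_set_header X-Ldap-URL "ldaps://example.com:636";
            #proxy_set_header X-Ldap-BaseDN "ou=Users,dc=test,dc=local";

            # user to search in directory, default is 'cn=anonymous'
            #proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";

            # and password, default is no password
            # NOTE(review): if a bind password is set here it is stored in
            # clear text in this file; use a dedicated low-privilege search
            # account and restrict read access to the configuration.
            #proxy_set_header X-Ldap-BindPass "secret";

            # Template to search for users: 'username' will be replaced
            # default is for OpenLDAP:
            # proxy_set_header X-Ldap-Template "(cn=%(username)s)";
            # this one works for MS Active Directory
            # proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";

            # realm to present during basic auth, default is 'Restricted'
            #proxy_set_header X-Ldap-Realm "PrivateArea";

            # if form is used, pass cookie and its name
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            proxy_cache auth_cache;

            # The cache key must contain the presented credentials. With the
            # directive left unset nginx falls back to its default key
            # ($scheme$proxy_host$request_uri), which is the same for every
            # client, so a cached "allowed" answer for one user could be
            # served to a request carrying no or different credentials.
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # Optional: cache lifetime for authorization results. While an
            # entry is cached, a disabled account or changed password keeps
            # working (and a 403 keeps being returned), so choose the shortest
            # time the directory load allows.
            #proxy_cache_valid 200 403 10m;
        }
    }
}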