public_git
/
nginx-ldap-auth
mirror of https://github.com/nginxinc/nginx-ldap-auth.git
1
0
Fork 1
Code Issues Releases Wiki Activity
nginx-ldap-auth/nginx-ldap-auth.conf

116 lines
4.6 KiB
Plaintext
Raw Blame History

error_log logs/error.log debug;
events { }
http {
proxy_cache_path cache/ keys_zone=auth_cache:10m;
# The back-end daemon listens on port 9000 as implemented
# in backend-sample-app.py.
# Change the IP address if the daemon is not running on the
# same host as NGINX/NGINX Plus.
upstream backend {
server 127.0.0.1:9000;
}
# NGINX/NGINX Plus listen on port 8081 for requests that require
# authentication. Change the port number as appropriate.
server {
listen 8081;
# Protected application
location / {
auth_request /auth-proxy;
# redirect 401 to login form
error_page 401 =200 /login;
proxy_pass http://backend/;
}
location /login {
proxy_pass http://backend/login;
# Login service returns a redirect to the original URI
# and sets the cookie for the ldap-auth daemon
proxy_set_header X-Target $request_uri;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8888, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8888;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with an OpenLDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cacertfile X-Ldap-CACertFile
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# url X-Ldap-URL
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com' and '636'.
proxy_set_header X-Ldap-URL "ldaps://example.com:636";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Optional) Path to a custom LDAPS CA certificate, only needed if
# the system ca bundle doesn't contain the custom CA Root certificate.
#proxy_set_header X-Ldap-CACertFile "/etc/pki/tls/certs/custom-ca-chain.pem";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
}
Reference in New Issue View Git Blame Copy Permalink