# Sample NGINX configuration for the ldap-auth reference setup: requests to the
# protected application are gated by an auth_request subrequest to the ldap-auth
# daemon (nginx-ldap-auth-daemon.py), and denied requests are sent to the login
# page served by the sample back end (backend-sample-app.py).
#
# NOTE(review): at the 'debug' level NGINX logs the headers of proxied requests,
# so the X-Ldap-BindPass value and the client's Authorization header set further
# down end up in logs/error.log. Use a less verbose level (e.g. 'warn') outside
# of troubleshooting sessions, and treat this log file as sensitive.
error_log logs/error.log debug;

events { }

http {
    # On-disk cache for auth_request results. The cache key below is built from
    # credentials, and NGINX stores the key string with each entry, so the
    # cache/ directory holds credential material at rest; restrict its
    # permissions like the config file itself.
    proxy_cache_path cache/  keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented 
    # in backend-sample-app.py.  
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 8081 for requests that require
    # authentication. Change the port number as appropriate.
    # Bound to loopback only; exposing it on another address means the
    # Authorization header and nginxauth cookie travel over that network in
    # the clear unless TLS is added to this server block.
    server {
        listen 127.0.0.1:8081;

        # Protected application
        location / {
            # Subrequest to /auth-proxy decides access: a 2xx response lets the
            # request through, 401/403 denies it.
            auth_request /auth-proxy;

            # redirect 401 and 403 to login form
            # (the denial is rewritten to a 200 carrying the login page)
            error_page 401 403 =200 /login;

            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
        }

        # Reachable only via the auth_request subrequest, never from clients
        # directly ('internal').
        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py. 
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;

            # The auth subrequest carries headers only; the client's request
            # body is not forwarded to the daemon.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            # Both allow (200) and deny (403) decisions are cached for 10
            # minutes per credential, so a password change or account
            # lockout in LDAP can take up to 10 minutes to take effect here.
            # 401 (no credentials presented) is not cached.
            proxy_cache auth_cache;
            proxy_cache_valid 200 403 10m;

            # The following directive adds the cookie to the cache key
            # (the raw Authorization header and cookie value are the key).
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon  
            # communicates with an OpenLDAP server, passing in the following  
            # parameters to specify which user account to authenticate. To  
            # eliminate the need to modify the Python code, this file contains 
            # 'proxy_set_header' directives that set the values of the 
            # parameters. Set or change them as instructed in the comments.
            #
            #    Parameter      Proxy header
            #    -----------    ----------------
            #    basedn         X-Ldap-BaseDN
            #    binddn         X-Ldap-BindDN
            #    bindpasswd     X-Ldap-BindPass
            #    cookiename     X-CookieName
            #    realm          X-Ldap-Realm
            #    template       X-Ldap-Template
            #    url            X-Ldap-URL

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com' and '636'. Keep the 'ldaps://' scheme:
            # a plain 'ldap://' URL would send the bind password and user
            # credentials to the directory server unencrypted.
            proxy_set_header X-Ldap-URL      "ldaps://example.com:636";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes. Prefer a read-only service account over a
            # directory administrator for this bind.
            proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";

            # (Required) Set the Bind password, by replacing 'secret'.
            # This is a plaintext secret in the configuration: restrict read
            # access to this file and keep it out of version control.
            proxy_set_header X-Ldap-BindPass "secret";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based 
            # authentication. Comment them out if using HTTP basic
            # authentication. Only the nginxauth cookie is forwarded; other
            # client cookies are not sent to the daemon.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            # NOTE(review): '%(username)s' is substituted into an LDAP search
            # filter by the daemon; confirm that nginx-ldap-auth-daemon.py
            # escapes the username per RFC 4515 before relying on it.
            #proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in 
            # nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' which is the default set 
            # in nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Realm    "Restricted";
        }
    }
}