Comments (6)
from nginx-ldap-auth.
Hi Vivek,
It's hard to say without understanding what requests are made and to which ports.
Clearly, the daemon does not see the headers it expects; this means you are sending the request directly, or from a wrong location. I suggest enabling access logs in NGINX and checking how this request is processed. Are you trying to access the backend directly instead of through NGINX?
Faisal
Hi @faisal-memon,
Our project is to set up LDAP for a monitoring service (the Prometheus URL).
Initially we did a reverse proxy for Prometheus using nginx and accessed the Prometheus URL on port 9981. Below is the nginx.conf:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    server {
        listen 0.0.0.0:9981;
        server_name localhost;
        location / {
            proxy_pass http://*****.bnymellon.com:9090/;
        }
    }
}
Now, with the reverse proxy working, I am trying to set up LDAP for the reverse-proxied Prometheus URL.
To add LDAP, I cloned this project (nginx-ldap-auth), then built an image using the existing Dockerfile available in this project.
Then I made some changes to the nginx.conf to set up LDAP for Prometheus and ran it.
The issue is that the connection is not getting established to the LDAP server from nginx. Below is my nginx.conf. Can you please let me know whether the approach I am working on is fine or not?
I need your suggestions.
error_log logs/error.log debug;
events { }
http {
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented
    # in backend-sample-app.py.
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 9981 for requests that require
    # authentication. Change the port number as appropriate.
    server {
        listen 0.0.0.0:9981;

        # Protected application
        location / {
            auth_request /auth-proxy;
            # redirect 401 to login form
            error_page 401 =200 /login;
            proxy_pass http://****.bnymellon.com:9090/;
        }

        location /login {
            proxy_pass http://****.bnymellon.com:9090/;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py.
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;
            # The following directive adds the cookie to the cache key
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
            # communicates with a LDAP server, passing in the following
            # parameters to specify which user account to authenticate. To
            # eliminate the need to modify the Python code, this file contains
            # 'proxy_set_header' directives that set the values of the
            # parameters. Set or change them as instructed in the comments.
            #
            # Parameter      Proxy header
            # -----------    ----------------
            # url            X-Ldap-URL
            # starttls       X-Ldap-Starttls
            # basedn         X-Ldap-BaseDN
            # binddn         X-Ldap-BindDN
            # bindpasswd     X-Ldap-BindPass
            # cookiename     X-CookieName
            # realm          X-Ldap-Realm
            # template       X-Ldap-Template

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com'.
            # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
            proxy_set_header X-Ldap-URL "ldap://ols.bnym.net:1234";

            # (Optional) Establish a TLS-enabled LDAP session after binding to the
            # LDAP server.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
            #proxy_set_header X-Ldap-Starttls "true";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN "cn=People,ou=Internal,o=mfc";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN "uid=*****,ou=Directory,ou=Users,o=mfc";

            # (Required) Set the Bind password, by replacing 'secret'.
            proxy_set_header X-Ldap-BindPass "*****";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Comment them out if using HTTP basic
            # authentication.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in
            # nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' which is the default set
            # in nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Realm "Restricted";
        }
    }
}
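In the config posted above, the `/login` location is proxied to Prometheus itself, so the login service that the comments describe (the one on port 9000 that renders the form, sets the `nginxauth` cookie and redirects back to `X-Target`) is never reached, and the `backend` upstream is never used. The following is an added example for this thread, not the poster's config and not the file shipped with nginx-ldap-auth: the same layout with `/login` sent to the `backend` upstream, plus access logging of the auth subrequest so it is visible which requests actually reach the daemon. `prometheus.example.internal`, `ldap.example.internal`, `svc-nginx` and `secret` are placeholders standing in for the masked values in the post; the `log_format`, `log_subrequest` and `ldap_auth` upstream are additions.

```nginx
error_log logs/error.log debug;
events { }
http {
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    # Subrequests are not logged unless log_subrequest is on; with it, every
    # call to /auth-proxy appears in the access log with the upstream it hit.
    log_subrequest on;
    log_format auth '$remote_addr "$request" $status '
                    'upstream=$upstream_addr upstream_status=$upstream_status';

    # Login form / cookie-setting app (backend-sample-app.py), port 9000.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # LDAP auth daemon (nginx-ldap-auth-daemon.py), port 8888.
    upstream ldap_auth {
        server 127.0.0.1:8888;
    }

    # The reverse-proxied Prometheus; placeholder host for the masked one.
    upstream prometheus {
        server prometheus.example.internal:9090;
    }

    server {
        listen 0.0.0.0:9981;
        access_log logs/access.log auth;

        # Protected application: every request is first checked by /auth-proxy.
        location / {
            auth_request /auth-proxy;
            error_page 401 =200 /login;
            proxy_pass http://prometheus/;
        }

        # Must go to the login app, not to Prometheus: it renders the form,
        # sets the nginxauth cookie and redirects to the URI in X-Target.
        location /login {
            proxy_pass http://backend/login;
            proxy_set_header X-Target $request_uri;
        }

        # Only reachable as a subrequest; this is the one place that carries
        # the X-Ldap-* headers, so a request at the daemon without them did
        # not come through here.
        location = /auth-proxy {
            internal;
            proxy_pass http://ldap_auth;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            proxy_set_header X-Ldap-URL      "ldap://ldap.example.internal:1234";
            proxy_set_header X-Ldap-BaseDN   "cn=People,ou=Internal,o=mfc";
            proxy_set_header X-Ldap-BindDN   "uid=svc-nginx,ou=Directory,ou=Users,o=mfc";
            proxy_set_header X-Ldap-BindPass "secret";
            proxy_set_header X-CookieName    "nginxauth";
            proxy_set_header Cookie          nginxauth=$cookie_nginxauth;
        }
    }
}
```

With this in place, `logs/access.log` shows a line for `/auth-proxy` with `upstream=127.0.0.1:8888` for each protected request, which is the check suggested in the first reply: if the daemon's own log records requests that carry no `X-Ldap-URL` header, they were sent to port 8888 directly rather than through this location. Note that `X-Ldap-BindPass` is a plaintext service-account secret in the nginx config, and that the cache key is built from the user's credentials, so both the config file and the cache directory need the same access restrictions as any other secret store.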
@faisal-memon Can you please advise?
There could be something wrong with your configuration or network. It would be useful to see logs from nginx-ldap-auth-daemon.py to see exactly what address/hostname it is trying to connect to and why it fails.
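The reply above asks what the daemon is actually being told to connect to. The header-to-parameter table in the posted nginx.conf makes that checkable without touching LDAP at all: capture the headers of one request as they arrive at port 8888 and read off the parameters. The script below is an added example for this thread, not code from nginx-ldap-auth. It parses the raw headers of one auth subrequest, reports the `url`/`basedn`/`binddn`/`bindpasswd` the daemon would use, extracts the username from the `nginxauth` cookie or a Basic header, and builds the search filter from the template with RFC 4515 escaping of the username, so a value such as `*)(uid=*` cannot rewrite the filter. Assumptions not taken from the thread: the cookie carries base64 of `user:password` as the reference login app sets it, the four parameters named above are the required ones, and the sample requests are constructed.

```python
"""Offline inspector for one auth_request subrequest to the LDAP auth daemon.

Added example for this thread, not code from nginx-ldap-auth. Assumptions:
the nginxauth cookie is base64("user:password") as the reference login app
sets it; url/basedn/binddn/bindpasswd are the required daemon parameters.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header -> daemon parameter, as listed in the posted nginx.conf comments.
HEADER_PARAMS = {
    "x-ldap-url": "url", "x-ldap-starttls": "starttls",
    "x-ldap-basedn": "basedn", "x-ldap-binddn": "binddn",
    "x-ldap-bindpass": "bindpasswd", "x-cookiename": "cookiename",
    "x-ldap-realm": "realm", "x-ldap-template": "template",
}
REQUIRED = ("url", "basedn", "binddn", "bindpasswd")
DEFAULT_TEMPLATE = "(cn=%(username)s)"   # daemon default named in the post

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a username like "*)(uid=*" changes the structure of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def make_cookie(user: str, password: str) -> str:
    """Cookie/Basic token as assumed for the login app: base64 of user:password."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_headers(raw: str) -> Dict[str, str]:
    """Raw 'Name: value' lines -> lower-cased dict; the request line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.split(" ", 1)[0] in ("GET", "POST", "HEAD") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_credentials(headers: Dict[str, str], cookiename: Optional[str]) -> Optional[Tuple[str, str]]:
    """(user, password) from the named cookie, else from an HTTP Basic header."""
    token = None
    if cookiename:
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == cookiename and value:
                token = value
    auth = headers.get("authorization", "")
    if token is None and auth.lower().startswith("basic "):
        token = auth[6:].strip()
    if not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


@dataclass
class AuthPlan:
    params: Dict[str, str]
    user: Optional[str]
    search_filter: Optional[str]
    missing: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def inspect_subrequest(raw: str) -> AuthPlan:
    headers = parse_headers(raw)
    params = {p: headers[h] for h, p in HEADER_PARAMS.items() if h in headers}
    missing = [p for p in REQUIRED if not params.get(p)]
    warnings: List[str] = []
    # The post's own comment: an ldaps:// URL and STARTTLS must not be combined.
    if params.get("url", "").lower().startswith("ldaps://") and params.get("starttls", "").lower() == "true":
        warnings.append("ldaps:// URL combined with X-Ldap-Starttls")
    creds = extract_credentials(headers, params.get("cookiename"))
    if creds is None:
        missing.append("credentials")
        return AuthPlan(params, None, None, missing, warnings)
    user = creds[0]
    template = params.get("template", DEFAULT_TEMPLATE)
    return AuthPlan(params, user, template % {"username": escape_filter_value(user)}, missing, warnings)


# Constructed samples: what nginx sends from the /auth-proxy location, and
# what the daemon sees when port 8888 is hit directly (no X-Ldap-* headers).
VIA_NGINX = (
    "GET /auth-proxy HTTP/1.0\n"
    "Host: 127.0.0.1:8888\n"
    "X-Ldap-URL: ldap://ldap.example.internal:1234\n"
    "X-Ldap-BaseDN: cn=People,ou=Internal,o=mfc\n"
    "X-Ldap-BindDN: uid=svc-nginx,ou=Directory,ou=Users,o=mfc\n"
    "X-Ldap-BindPass: secret\n"
    "X-CookieName: nginxauth\n"
    f"Cookie: nginxauth={make_cookie('vivek', 'pass123')}\n"
)
DIRECT_HIT = (
    "GET / HTTP/1.1\n"
    "Host: 127.0.0.1:8888\n"
    f"Authorization: Basic {make_cookie('vivek', 'pass123')}\n"
)

if __name__ == "__main__":
    for label, raw in (("via nginx", VIA_NGINX), ("direct", DIRECT_HIT)):
        plan = inspect_subrequest(raw)
        print(label, "ok" if plan.ok else f"missing={plan.missing}", plan.user, plan.search_filter, plan.warnings)
```

Run against a request captured at port 8888 (for example from the daemon's own log or a `tcpdump` of the loopback interface): a plan whose `missing` list names all four LDAP parameters means the request never passed through the `/auth-proxy` location, which is the "hit directly or from the wrong location" case in the first reply, while a complete plan pinpoints the exact URL and bind DN to test from the daemon's host with an LDAP client. `make_cookie` also gives a ready-made `nginxauth` value for reproducing the subrequest with `curl` against the daemon.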
Feedback timeout.