
Comments (6)

vivekbny commented on June 29, 2024

nginx.zip


faisal-memon commented on June 29, 2024

Hi Vivek,

It's hard to say without understanding what requests are made and to which ports.
Clearly, the daemon does not see the headers it expects; this means you are sending the request directly, or from a wrong location. I suggest enabling access logs in NGINX and checking how this request is processed. Are you trying to access the backend directly instead of through NGINX?

Faisal


vivekbny commented on June 29, 2024

Hi @faisal-memon,

Our project is to set up LDAP for a monitoring service (Prometheus URL).

Initially we did a reverse proxy for Prometheus using nginx and accessed the Prometheus URL on port 9981. Below is the nginx.conf:

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    server {
        listen 0.0.0.0:9981;
        server_name localhost;

        # Plain reverse proxy: every request is forwarded to Prometheus
        location / {
            proxy_pass http://*****.bnymellon.com:9090/;
        }
    }
}

Now, with the reverse proxy working, I am trying to set up LDAP for the reverse-proxied Prometheus URL.

For adding LDAP, I cloned this project (nginx-ldap-auth), then built an image using the existing Dockerfile available in this project.

Now I made some changes to nginx.conf to set up LDAP for Prometheus and ran it.

The issue is that the connection is not getting established to the LDAP server from nginx. Below is my nginx.conf. Can you please let me know whether the approach I am working on is fine or not?

Need your suggestions.

error_log logs/error.log debug;

events { }

http {
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented
    # in backend-sample-app.py.
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 9981 for requests that require
    # authentication. Change the port number as appropriate.
    server {
        listen 0.0.0.0:9981;

        # Protected application
        location / {
            auth_request /auth-proxy;

            # redirect 401 to login form
            error_page 401 =200 /login;

            proxy_pass http://****.bnymellon.com:9090/;
        }

        location /login {
            proxy_pass http://****.bnymellon.com:9090/;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py.
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;

            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;

            # The following directive adds the cookie to the cache key
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
            # communicates with a LDAP server, passing in the following
            # parameters to specify which user account to authenticate. To
            # eliminate the need to modify the Python code, this file contains
            # 'proxy_set_header' directives that set the values of the
            # parameters. Set or change them as instructed in the comments.
            #
            #    Parameter      Proxy header
            #    -----------    ----------------
            #    url            X-Ldap-URL
            #    starttls       X-Ldap-Starttls
            #    basedn         X-Ldap-BaseDN
            #    binddn         X-Ldap-BindDN
            #    bindpasswd     X-Ldap-BindPass
            #    cookiename     X-CookieName
            #    realm          X-Ldap-Realm
            #    template       X-Ldap-Template

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com'.
            # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
            proxy_set_header X-Ldap-URL      "ldap://ols.bnym.net:1234";

            # (Optional) Establish a TLS-enabled LDAP session after binding to the
            # LDAP server.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
            #proxy_set_header X-Ldap-Starttls "true";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "cn=People,ou=Internal,o=mfc";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN   "uid=*****,ou=Directory,ou=Users,o=mfc";

            # (Required) Set the Bind password, by replacing 'secret'.
            proxy_set_header X-Ldap-BindPass "*****";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Comment them out if using HTTP basic
            # authentication.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in
            # nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' which is the default set
            # in nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Realm    "Restricted";
        }
    }
}

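The daemon only learns the LDAP server, base DN and bind credentials from the X-Ldap-* headers that the `/auth-proxy` subrequest carries, so a quick way to answer "what address is it trying to connect to" before reading daemon logs is to reconstruct those headers from the config. The script below is an added example written for this thread; it is not part of the nginx-ldap-auth project. It parses the live `proxy_set_header` lines out of an nginx location block, reports the scheme, host and port the daemon will dial (filling in the LDAP default port when the URL omits one), confirms the location is `internal` so only auth_request subrequests reach the daemon, and flags the two traps visible in the posted config: the ldaps-plus-StartTLS combination the config comment warns about, and placeholder values such as the redacted `*****` strings. The embedded sample config is constructed and uses a placeholder hostname; the placeholder heuristics are the author's own assumption.

```python
"""Offline lint for the X-Ldap-* headers an auth_request location hands to
the nginx-ldap-auth daemon. Added example; not nginx-ldap-auth project code."""
import re
from urllib.parse import urlsplit

# Headers the daemon needs before it can bind, per the parameter table in
# the thread's config comments (url, basedn, binddn, bindpasswd).
REQUIRED = ("X-Ldap-URL", "X-Ldap-BaseDN", "X-Ldap-BindDN", "X-Ldap-BindPass")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed sample modelled on the thread's /auth-proxy location. The host
# is a placeholder and the redacted '*****' values are left in deliberately.
SAMPLE_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL      "ldap://ols.example.net:1234";
    #proxy_set_header X-Ldap-Starttls "true";
    proxy_set_header X-Ldap-BaseDN   "cn=People,ou=Internal,o=mfc";
    proxy_set_header X-Ldap-BindDN   "uid=*****,ou=Directory,ou=Users,o=mfc";
    proxy_set_header X-Ldap-BindPass "*****";
    proxy_set_header X-CookieName "nginxauth";
    proxy_set_header Cookie nginxauth=$cookie_nginxauth;
}
"""

DIRECTIVE = re.compile(r'^\s*proxy_set_header\s+(\S+)\s+"?([^";]*)"?\s*;')


def collect_headers(conf_text):
    """Map header name -> value for every live proxy_set_header line.
    Lines starting with '#' are skipped because nginx ignores them; this is
    why the commented-out X-Ldap-Starttls in the thread stays unset."""
    headers = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            headers[m.group(1)] = m.group(2).strip()
    return headers


def ldap_target(headers):
    """(scheme, host, port) the daemon will actually dial, filling in the
    LDAP default port when X-Ldap-URL omits one."""
    parts = urlsplit(headers.get("X-Ldap-URL", ""))
    port = parts.port if parts.port is not None else DEFAULT_PORT.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def has_internal(conf_text):
    """True if the location carries 'internal;', so only auth_request
    subrequests (which carry the X-Ldap-* headers) can reach the daemon."""
    return re.search(r"^\s*internal\s*;", conf_text, re.M) is not None


def check_headers(headers):
    """Return a list of problems; an empty list means the daemon gets a
    usable header set."""
    problems = []
    for name in REQUIRED:
        if name not in headers:
            problems.append(f"missing required header {name}")
    scheme, host, port = ldap_target(headers)
    if "X-Ldap-URL" in headers:
        if scheme not in DEFAULT_PORT:
            problems.append(f"X-Ldap-URL scheme {scheme!r} is not ldap or ldaps")
        if not host:
            problems.append("X-Ldap-URL has no host")
        # The thread's config comment: ldaps:// and StartTLS do not combine.
        if scheme == "ldaps" and headers.get("X-Ldap-Starttls", "").lower() == "true":
            problems.append("ldaps:// URL combined with X-Ldap-Starttls; use one or the other")
    for name, value in headers.items():
        # Heuristic (assumption): redaction or template placeholders left in place.
        if "***" in value or value.lower() == "secret" or "example.com" in value:
            problems.append(f"{name} still holds a placeholder value {value!r}")
    return problems


if __name__ == "__main__":
    hdrs = collect_headers(SAMPLE_CONF)
    print("daemon will dial:", ldap_target(hdrs))
    print("location is internal:", has_internal(SAMPLE_CONF))
    for p in check_headers(hdrs):
        print("WARN", p)
```

Run it against the real `/auth-proxy` block instead of `SAMPLE_CONF` to see exactly which host and port the daemon is told to use; if that tuple is right and the location is `internal`, the remaining suspects are the daemon's own logs and network reachability from the container to the LDAP port, which this script cannot check offline.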

vivekbny commented on June 29, 2024

@faisal-memon Can you please advise


faisal-memon commented on June 29, 2024

There could be something wrong with your configuration or network. It would be useful to see logs from nginx-ldap-auth-daemon.py to see what address/hostname it is trying to connect to exactly and why it fails.


vl-homutov commented on June 29, 2024

Feedback timeout.
