nginx_ldap_auth和自定义身份验证页面

时间:2019-02-14 16:18:36

标签: authentication nginx ldap external

我找到了一个nginx模块(https://github.com/nginxinc/nginx-ldap-auth),该模块允许使用ldap对用户进行身份验证。

我想用一个自定义的身份验证页面来适应它,该页面在后端服务器上不存在。我不了解所有的互动: 我应该在登录页面中创建一个cookie吗?如何将凭据传递到ldap守护程序?也许我想做的事不可能吗?我尝试这样做已经有几天了,现在我快要绝望了...

我一直在ldap守护程序上收到这些消息:

  

使用授权标头中的用户名/密码

     

“获取/ auth-proxy HTTP / 1.0” 401-

下面是启用了网站的网站/ mywebsite:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
        server_name mywebsite.com;

        ssl_certificate     /root/mywebsite.com.cer;
        ssl_certificate_key /root/mywebsite.com.key;

        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/oxidized.access.log;
        root /var/www/auth_ldap;
        index index.php index.html =404;

        # Pass PHP scripts to FastCGI server
        location ~ \.php$ {
          try_files $uri /index.php =404;
          fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
        }

        location / {
          auth_request /auth-proxy;

          # redirect 401 to login form
          # Comment them out if using HTTP basic authentication.
          # or authentication popup won't show
          error_page 401 =200 /login;

          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Proto $scheme;

          proxy_pass          http://localhost:8888;
          proxy_read_timeout  90;

          proxy_redirect      http://localhost:8888 https://mywebsite.com;
        }


        location /login {
          alias /var/www/auth_ldap/login;
        }

        location = /auth-proxy {
          internal;

          # The ldap-auth daemon listens on port 8081, as set
          # in nginx-ldap-auth-daemon.py.
          # Change the IP address if the daemon is not running on
          # the same host as NGINX/NGINX Plus.
          proxy_pass http://127.0.0.1:8081;

          proxy_pass_request_body off;
          proxy_set_header Content-Length "";
          proxy_cache auth_cache;
          proxy_cache_valid 200 10m;

          # The following directive adds the cookie to the cache key
          proxy_cache_key "$http_authorization$cookie_nginxauth";

          # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
          # communicates with a LDAP server, passing in the following
          # parameters to specify which user account to authenticate. To
          # eliminate the need to modify the Python code, this file contains
          # 'proxy_set_header' directives that set the values of the
          # parameters. Set or change them as instructed in the comments.
          #
          # Parameter   Proxy header
          # ---------------------------
          # url         X-Ldap-URL
          # starttls    X-Ldap-Starttls
          # basedn      X-Ldap-BaseDN
          # binddn      X-Ldap-BindDN
          # bindpasswd  X-Ldap-BindPass
          # cookiename  X-CookieName
          # realm       X-Ldap-Realm
          # template    X-Ldap-Template

          # (Required) Set the URL and port for connecting to the LDAP server,
          # by replacing 'example.com'.
          # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
          proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";

          # (Optional) Establish a TLS-enabled LDAP session after binding to the
          # LDAP server.
          # This is the 'proper' way to establish encrypted TLS connections, see
          # http://www.openldap.org/faq/data/cache/185.html
          #proxy_set_header X-Ldap-Starttls "true";

          # (Required) Set the Base DN, by replacing the value enclosed in
          # double quotes.
          proxy_set_header X-Ldap-BaseDN   "dc=mywebsite,dc=com";

          # (Required) Set the Bind DN, by replacing the value enclosed in
          # double quotes.
          proxy_set_header X-Ldap-BindDN   "cn=some_users,ou=LDAP Users,ou=Users,dc=mywebsite,dc=com";

          # (Required) Set the Bind password, by replacing 'secret'.
          proxy_set_header X-Ldap-BindPass "secret";

          # (Required) The following directives set the cookie name and pass
          # it, respectively. They are required for cookie-based
          # authentication. Comment them out if using HTTP basic
          # authentication.
          proxy_set_header X-CookieName "nginxauth";
          proxy_set_header Cookie nginxauth=$cookie_nginxauth;

          # (Required if using Microsoft Active Directory as the LDAP server)
          # Set the LDAP template by uncommenting the following directive.
          proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

          # (May be required if using Microsoft Active Directory and
          # getting "In order to perform this operation a successful bind
          # must be completed on the connection." errror)
          #proxy_set_header X-Ldap-DisableReferrals "true";

          # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
          # template by uncommenting the following directive and replacing
          # '(cn=%(username)s)' which is the default set in
          # nginx-ldap-auth-daemon.py.
          #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

          # (Optional) Set the realm name, by uncommenting the following
          # directive and replacing 'Restricted' which is the default set
          # in nginx-ldap-auth-daemon.py.
          #proxy_set_header X-Ldap-Realm  "Restricted";
        }
}

以及登录页面示例:

<?php
  if(isset($_POST['submit']))
  {
    $_SESSION['username'] = $_POST['login'];
    $_SESSION['password'] = $_POST['password'];
    header('Location: /');
  }
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Login with LDAP</title>
</head>

<body>
  <form method="post">
    <label for="login">Login:</label>
    <input type="text" name="login" />
    <label for="password">Password:</label>
    <input type="password" name="password" />
    <input type="submit" name="submit" value="Log in" />
  </form>
</body>

</html>

预先感谢您提供有关此主题的帮助。

2 个答案:

答案 0 :(得分:0)

我发现了如何将我的登录名/密码传递给NginX:但是,不是使用授权标头,而是使用cookie。

这是我的新nginx虚拟主机:

# TO ADD in nginx.conf, in the "http" block:
# proxy_cache_path cache/ keys_zone=auth_cache:10m;

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name mywebsite.com;

  ssl_certificate     /root/mywebsite.com.cer;
  ssl_certificate_key /root/mywebsite.com.key;

  ssl on;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
  ssl_prefer_server_ciphers on;

  access_log /var/log/nginx/oxidized.access.log;
  root /var/www/auth_ldap;
  index index.php index.html =404;

  # Pass PHP scripts to FastCGI server
  location ~ \.php$ {
    try_files $uri /index.php =404;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

  location / {
    auth_request /auth-proxy;

    # redirect 401 to login form
    # Comment them out if using HTTP basic authentication.
    # or authentication popup won't show
    error_page 401 =200 /login;

    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_pass          http://localhost:8888;
    proxy_read_timeout  90;

    proxy_redirect      http://localhost:8888 https://mywebsite.com;
  }

  location /login {
    alias /var/www/auth_ldap/login;
  }

  location = /auth-proxy {
    internal;

    # The ldap-auth daemon listens on port 8081, as set
    # in nginx-ldap-auth-daemon.py.
    # Change the IP address if the daemon is not running on
    # the same host as NGINX/NGINX Plus.
    proxy_pass http://127.0.0.1:8081;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_cache auth_cache;
    proxy_cache_valid 200 10m;

    # The following directive adds the cookie to the cache key
    proxy_cache_key "$http_authorization$cookie_nginxauth";

    # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
    # communicates with a LDAP server, passing in the following
    # parameters to specify which user account to authenticate. To
    # eliminate the need to modify the Python code, this file contains
    # 'proxy_set_header' directives that set the values of the
    # parameters. Set or change them as instructed in the comments.
    #
    # Parameter   Proxy header
    # ---------------------------
    # url         X-Ldap-URL
    # starttls    X-Ldap-Starttls
    # basedn      X-Ldap-BaseDN
    # binddn      X-Ldap-BindDN
    # bindpasswd  X-Ldap-BindPass
    # cookiename  X-CookieName
    # realm       X-Ldap-Realm
    # template    X-Ldap-Template

    # (Required) Set the URL and port for connecting to the LDAP server,
    # by replacing 'example.com'.
    # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
    proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";

    # (Optional) Establish a TLS-enabled LDAP session after binding to the
    # LDAP server.
    # This is the 'proper' way to establish encrypted TLS connections, see
    # http://www.openldap.org/faq/data/cache/185.html
    #proxy_set_header X-Ldap-Starttls "true";

    # (Required) Set the Base DN, by replacing the value enclosed in
    # double quotes.
    proxy_set_header X-Ldap-BaseDN   "dc=mywebsite,dc=com";

    # (Required) Set the Bind DN, by replacing the value enclosed in
    # double quotes.
    proxy_set_header X-Ldap-BindDN   "cn=some_users,ou=Users,dc=mywebsite,dc=com";

    # (Required) Set the Bind password, by replacing 'secret'.
    proxy_set_header X-Ldap-BindPass "secret";

    # (Required) The following directives set the cookie name and pass
    # it, respectively. They are required for cookie-based
    # authentication. Comment them out if using HTTP basic
    # authentication.
    proxy_set_header X-CookieName "nginxauth";
    proxy_set_header Cookie nginxauth=$cookie_nginxauth;

    # (Required if using Microsoft Active Directory as the LDAP server)
    # Set the LDAP template by uncommenting the following directive.
    proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

    # (May be required if using Microsoft Active Directory and
    # getting "In order to perform this operation a successful bind
    # must be completed on the connection." errror)
    proxy_set_header X-Ldap-DisableReferrals "true";

    # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
    # template by uncommenting the following directive and replacing
    # '(cn=%(username)s)' which is the default set in
    # nginx-ldap-auth-daemon.py.
    #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

    # (Optional) Set the realm name, by uncommenting the following
    # directive and replacing 'Restricted' which is the default set
    # in nginx-ldap-auth-daemon.py.
    #proxy_set_header X-Ldap-Realm  "Restricted";
  }
}

以及身份验证页面:

<?php
  if(isset($_POST['submit']))
  {
    $auth = base64_encode($_POST['login'].':'.$_POST['password']);
    $expire = time() + 60 * 60 * 1; // 1 hour
    setcookie('nginxauth',$auth,$expire,'/');
    header('Location: /');
  }
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Login with LDAP</title>
</head>

<body>
  <form method="post">
    <label for="login">Login:</label>
    <input type="text" name="login" />
    <label for="password">Password:</label>
    <input type="password" name="password" />
    <input type="submit" name="submit" value="Log in" />
  </form>
</body>

</html>

然后,出于记录目的,我修改了默认脚本nginx-ldap-auth-daemon.py(它将凭据发送到LDAP / AD服务器),因为cookie“ urlencode” base64“ login:password”字段(因此,“ =”成为“%3D”)。我必须导入“ urllib2”并解码cookie:

auth_cookie = urllib2.unquote(self.get_cookie(ctx['cookiename'])).decode('utf8')

我希望这将有助于人们实现nginx_ldap_auth。

致谢。

答案 1 :(得分:0)

基于表单的(自定义)身份验证可以使用nginx中的cookie来实现,并使其能够从配置文件中删除以下注释:

      proxy_set_header X-CookieName "nginxauth";
      proxy_set_header Cookie nginxauth=$cookie_nginxauth;

要启用基本身份验证,请对Cookie机制进行如下注释:

      #proxy_set_header X-CookieName "nginxauth";
      #proxy_set_header Cookie nginxauth=$cookie_nginxauth;

默认情况下,nginx-ldap-auth使用基于表单的身份验证。