Nginx and LDAP Authentication

We want a little more control over some of our reverse proxies and wanted to place a little extra burden on the users as possible. To do this we chose to use the same passwords for authentication as we do everywhere else – hence LDAP.

Thankfully Nginx have decided to include the module gx_http_auth_request_module in both the Nginx Plus and Open Source.

The prerequisite http_auth_request module is included in both NGINX Plus packages and prebuilt NGINX binaries.
Nginx

The documentation on implementing this walks you through a reference implementation which can be long winded. I tried to make it simpler with this article.

First clone the source code of the reference model, we only need a few things from it.

git clone https://github.com/nginxinc/nginx-ldap-auth.git

Build the docker service daemon for the python to LDAP middleware.

cd ./nginx-ldap-auth
docker build -t nginx-ldap-auth-daemon

The example runs the docker image standalone, but you could add it into a docker-compose container set either on it’s own or with your Nginx service.

version: '3.2'

services:
  nginx-ldap-auth:
    image: nginx-ldap-auth-daemon
    ports:
      - "8888:8888"

If it’s in the same container as Nginx you don’t even need to expose the 8888 port.

Start the container set:

docker-compose up -d

All the configuration is done from within your sites nginx.conf where ever you use it – conf.d or sites-enabled. All we need is a proxy_cache_path directive in the http {} section. Then we add an auth_request and error_page handler into our location {} section. Followed by an auth-proxy location with X-Ldap- headers for our configuration, eg. in my sites-enabled/default file I add the following that relate to our LDAP setup:

proxy_cache_path cache/ keys_zone=auth_cache:10m;

server {
  ...
  location / {
    auth_request /auth-proxy;
    error_page 401 =200 /;
    try_files $uri $uri/ =404;
  }

  location = /auth-proxy {
    internal;
    proxy_pass http://localhost:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_cache auth_cache;
    proxy_cache_valid 200 10m;
    proxy_cache_key "$http_authorization$cookie_nginxauth";
    proxy_set_header X-Ldap-URL "ldap://192.168.0.22";
    proxy_set_header X-Ldap-Starttls "true";
    proxy_set_header X-Ldap-BaseDN   "dc=domain,dc=tld";
    proxy_set_header X-Ldap-BindDN "cn=readonly,dc=domain,dc=tld";
    proxy_set_header X-Ldap-BindPass "SecretKey";
    proxy_set_header X-CookieName "nginxauth";
    proxy_set_header Cookie nginxauth=$cookie_nginxauth;
    proxy_set_header X-Ldap-Template "(uid=%(username)s)";
    #proxy_set_header X-Ldap-Realm    "Restricted";
  }

We’re using OpenLDAP and the uid attribute for username, you may be using cn or sAMAccountName.

With the docker nginx-ldap-auth container running restart/reload Nginx. When you visit your website you should get presented with an authentication dialog.

View the activity of your nginx-ldap-auth-daemon from the docker logs using:

docker-compose up -d && docker-compose logs -f

Stuff I'm Up To

Technical Ramblings