nginx-ldap-auth.conf

error_log logs/error.log debug;

events { }

http {
    proxy_cache_path cache/  keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented
    # in backend-sample-app.py.
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 8081 for requests that require
    # authentication. Change the port number as appropriate.
    server {
        listen 8081;

        # Protected application
        location / {
            auth_request /auth-proxy;

            # redirect 401 to login form
            # Comment them out if using HTTP basic authentication.
            # or authentication popup won't show
            error_page 401 =200 /login;

            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py.
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;

            proxy_pass_request_body off;
            proxy_pass_request_headers off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;

            # The following directive adds the cookie to the cache key
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
            # communicates with a LDAP server, passing in the following
            # parameters to specify which user account to authenticate. To
            # eliminate the need to modify the Python code, this file contains
            # 'proxy_set_header' directives that set the values of the
            # parameters. Set or change them as instructed in the comments.
            #
            #    Parameter      Proxy header
            #    -----------    ----------------
            #    url            X-Ldap-URL
            #    starttls       X-Ldap-Starttls
            #    basedn         X-Ldap-BaseDN
            #    binddn         X-Ldap-BindDN
            #    bindpasswd     X-Ldap-BindPass
            #    cookiename     X-CookieName
            #    realm          X-Ldap-Realm
            #    template       X-Ldap-Template

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com'.
            # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
            proxy_set_header X-Ldap-URL      "ldap://example.com";

            # (Optional) Establish a TLS-enabled LDAP session after binding to the
            # LDAP server.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
            #proxy_set_header X-Ldap-Starttls "true";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";

            # (Required) Set the Bind password, by replacing 'secret'.
            proxy_set_header X-Ldap-BindPass "secret";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Comment them out if using HTTP basic
            # authentication.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Optional) Uncomment if using HTTP basic authentication
            #proxy_set_header Authorization $http_authorization;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

            # (May be required if using Microsoft Active Directory and
            # getting "In order to perform this operation a successful bind
            # must be completed on the connection." errror)
            #proxy_set_header X-Ldap-DisableReferrals "true";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in
            # nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' which is the default set
            # in nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Realm    "Restricted";
        }
    }
}