kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

Re-Authentication prompts after 10-20 seconds #106

Closed Ginja closed 8 years ago

Ginja commented 8 years ago

I'm trying to use this module to protect a Consul Web UI, but after I authenticate to our AD I get prompted to re-authenticate after clicking several tabs. My config is below:

http {
...
  auth_ldap_cache_enabled on;
  auth_ldap_cache_expiration_time 3600000;
  auth_ldap_cache_size 1000;

  ldap_server dc01 {
    url "ldaps://dc1.domain.local:3269/DC=domain,DC=local?sAMAccountName?sub?(&(memberOf:1.2.840.113556.1.4.1941:=CN=Some%20User%20Group,OU=Some%2OU,OU=Some%OU,DC=domain,DC=local)(objectClass=person))";
    binddn "DOMAIN\user";
    binddn_passwd "password";
    require valid_user;
    connections 30;
  }
...
}
server {
...
  auth_ldap "Please enter your DOMAIN credentials";
  auth_ldap_servers dc01;
...
}

There's really nothing in the debug logs as far as I could tell. The one thing that is missing when it re-prompts me after I change pages is this info:

2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: Username is "my.user"
2015/11/19 09:24:10 [debug] 6440#0: *88 posix_memalign: 000000000239A0F0:4096 @16
2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2015/11/19 09:24:10 [debug] 6440#0: *88 event timer add: 65: 10000:1447925060250
2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: request_timeout=10000
2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: Using cached outcome 1
2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: Authentication loop (phase=6, iteration=0)

Below are the debug logs when it re-prompts me:

2015/11/19 09:32:28 [debug] 6736#0: *58 http keepalive handler
2015/11/19 09:32:28 [debug] 6736#0: *58 malloc: 000000000166B060:1024
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL_read: 443
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL_read: -1
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL_get_error: 2
2015/11/19 09:32:28 [debug] 6736#0: *58 reusable connection: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 posix_memalign: 000000000162B0F0:4096 @16
2015/11/19 09:32:28 [debug] 6736#0: *58 event timer del: 66: 1447925609885
2015/11/19 09:32:28 [debug] 6736#0: *58 http process request line
2015/11/19 09:32:28 [debug] 6736#0: *58 http request line: "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1"
2015/11/19 09:32:28 [debug] 6736#0: *58 http uri: "/v1/internal/ui/services"
2015/11/19 09:32:28 [debug] 6736#0: *58 http args: "dc=kitchen&token="
2015/11/19 09:32:28 [debug] 6736#0: *58 http exten: ""
2015/11/19 09:32:28 [debug] 6736#0: *58 http process request header line
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Host: 127.0.0.1:8443"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Connection: keep-alive"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Accept: application/json, text/javascript, */*; q=0.01"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "X-Requested-With: XMLHttpRequest"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Referer: https://127.0.0.1:8443/"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Accept-Encoding: gzip, deflate, sdch"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "Accept-Language: en-US,en;q=0.8,gl;q=0.6"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header done
2015/11/19 09:32:28 [debug] 6736#0: *58 generic phase: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 rewrite phase: 1
2015/11/19 09:32:28 [debug] 6736#0: *58 test location: "/"
2015/11/19 09:32:28 [debug] 6736#0: *58 test location: "v1/"
2015/11/19 09:32:28 [debug] 6736#0: *58 using configuration "/v1/"
2015/11/19 09:32:28 [debug] 6736#0: *58 http cl:-1 max:1048576
2015/11/19 09:32:28 [debug] 6736#0: *58 rewrite phase: 3
2015/11/19 09:32:28 [debug] 6736#0: *58 post rewrite phase: 4
2015/11/19 09:32:28 [debug] 6736#0: *58 generic phase: 5
2015/11/19 09:32:28 [debug] 6736#0: *58 generic phase: 6
2015/11/19 09:32:28 [debug] 6736#0: *58 generic phase: 7
2015/11/19 09:32:28 [debug] 6736#0: *58 access phase: 8
2015/11/19 09:32:28 [debug] 6736#0: *58 http finalize request: 401, "/v1/internal/ui/services?dc=kitchen&token=" a:1, c:1
2015/11/19 09:32:28 [debug] 6736#0: *58 http special response: 401, "/v1/internal/ui/services?dc=kitchen&token="
2015/11/19 09:32:28 [debug] 6736#0: *58 http set discard body
2015/11/19 09:32:28 [debug] 6736#0: *58 posix_memalign: 00000000016647D0:4096 @16
2015/11/19 09:32:28 [debug] 6736#0: *58 HTTP/1.1 401 Unauthorized
Server: nginx/1.9.5
Date: Thu, 19 Nov 2015 09:32:28 GMT
Content-Type: text/html
Content-Length: 596
Connection: keep-alive
WWW-Authenticate: Basic realm="Please enter your DOMAIN credentials"

2015/11/19 09:32:28 [debug] 6736#0: *58 write new buf t:1 f:0 00000000016647F0, pos 00000000016647F0, size: 224 file: 0, size: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 http write filter: l:0 f:0 s:224
2015/11/19 09:32:28 [debug] 6736#0: *58 http output filter "/v1/internal/ui/services?dc=kitchen&token="
2015/11/19 09:32:28 [debug] 6736#0: *58 http copy filter: "/v1/internal/ui/services?dc=kitchen&token="
2015/11/19 09:32:28 [debug] 6736#0: *58 http postpone filter "/v1/internal/ui/services?dc=kitchen&token=" 00000000016649F8
2015/11/19 09:32:28 [debug] 6736#0: *58 write old buf t:1 f:0 00000000016647F0, pos 00000000016647F0, size: 224 file: 0, size: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 write new buf t:0 f:0 0000000000000000, pos 00000000006A0C80, size: 142 file: 0, size: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 write new buf t:0 f:0 0000000000000000, pos 00000000006A07A0, size: 52 file: 0, size: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 write new buf t:0 f:0 0000000000000000, pos 00000000006A0820, size: 402 file: 0, size: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 http write filter: l:1 f:0 s:820
2015/11/19 09:32:28 [debug] 6736#0: *58 http write filter limit 0
2015/11/19 09:32:28 [debug] 6736#0: *58 malloc: 00000000015F4B90:16384
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL buf copy: 224
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL buf copy: 142
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL buf copy: 52
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL buf copy: 402
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL to write: 820
2015/11/19 09:32:28 [debug] 6736#0: *58 SSL_write: 820
2015/11/19 09:32:28 [debug] 6736#0: *58 http write filter 0000000000000000
2015/11/19 09:32:28 [debug] 6736#0: *58 http copy filter: 0 "/v1/internal/ui/services?dc=kitchen&token="
2015/11/19 09:32:28 [debug] 6736#0: *58 http finalize request: 0, "/v1/internal/ui/services?dc=kitchen&token=" a:1, c:1
2015/11/19 09:32:28 [debug] 6736#0: *58 set http keepalive handler
2015/11/19 09:32:28 [debug] 6736#0: *58 http close request
2015/11/19 09:32:28 [debug] 6736#0: *58 http log handler
2015/11/19 09:32:28 [debug] 6736#0: *58 free: 000000000162B0F0, unused: 0
2015/11/19 09:32:28 [debug] 6736#0: *58 free: 00000000016647D0, unused: 3157
2015/11/19 09:32:28 [debug] 6736#0: *58 free: 000000000166B060
2015/11/19 09:32:28 [debug] 6736#0: *58 hc free: 0000000000000000 0
2015/11/19 09:32:28 [debug] 6736#0: *58 hc busy: 0000000000000000 0
2015/11/19 09:32:28 [debug] 6736#0: *58 free: 00000000015F4B90
2015/11/19 09:32:28 [debug] 6736#0: *58 reusable connection: 1
2015/11/19 09:32:28 [debug] 6736#0: *58 event timer add: 66: 65000:1447925613233
2015/11/19 09:32:28 [debug] 6736#0: *58 http empty handler

And finally, here is what I compiled NGINX with:

nginx version: nginx/1.9.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --user=nginx --group=nginx --pid-path=/var/run/nginx/nginx.pid --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --add-module=/opt/nginx-auth-ldap --with-pcre --with-file-aio --with-http_realip_module --with-debug --without-http_scgi_module --without-http_uwsgi_module --without-http_fastcgi_module

EDIT:

I think this has something to do with how Chrome is handling the authentication header, as I cannot reproduce this in Firefox. See this issue for more. Any suggestions are appreciated!
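A triage sketch for debug logs like the two excerpts above, added here and not part of the original post or the module's code: it groups lines by worker pid and connection number and separates a 401 issued because the request carried no Authorization header (as in the *58 excerpt, whose logged headers include none) from a 401 on credentials that were actually submitted. The sample log is constructed from the line shapes shown in the post, with the credential value redacted.

```python
import re

# "<date> <time> [debug] <pid>#<tid>: *<conn> <message>"
LINE_RE = re.compile(r'^\S+ \S+ \[debug\] (\d+)#\d+: \*(\d+) (.*)$')

def verdict(req):
    if not req['denied']:
        return 'ok'
    if not req['authz']:
        return '401: request carried no Authorization header'
    return '401: credentials were sent and rejected'

def triage(log_text):
    """Group debug lines per (pid, connection) and classify each closed request."""
    open_reqs, done = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the response headers nginx dumps without a prefix
        key, msg = (m.group(1), m.group(2)), m.group(3)
        if msg.startswith('http request line: "'):
            open_reqs[key] = {'conn': '*' + key[1], 'request': msg.split('"')[1],
                              'authz': False, 'ldap': False, 'denied': False}
        elif key in open_reqs:
            req = open_reqs[key]
            if msg.lower().startswith('http header: "authorization:'):
                req['authz'] = True
            elif msg.startswith('http_auth_ldap:'):
                req['ldap'] = True  # the module got as far as its lookup/cache path
            elif msg.startswith('http finalize request: 401,'):
                req['denied'] = True
            elif msg == 'http close request':
                req['verdict'] = verdict(req)
                done.append(open_reqs.pop(key))
    return done

# Constructed sample modelled on the post's log lines (not real traffic).
SAMPLE = '''\
2015/11/19 09:24:10 [debug] 6440#0: *88 http request line: "GET /ui/ HTTP/1.1"
2015/11/19 09:24:10 [debug] 6440#0: *88 http header: "Authorization: Basic <redacted>"
2015/11/19 09:24:10 [debug] 6440#0: *88 http_auth_ldap: Using cached outcome 1
2015/11/19 09:24:10 [debug] 6440#0: *88 http close request
2015/11/19 09:32:28 [debug] 6736#0: *58 http request line: "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1"
2015/11/19 09:32:28 [debug] 6736#0: *58 http header: "X-Requested-With: XMLHttpRequest"
2015/11/19 09:32:28 [debug] 6736#0: *58 http finalize request: 401, "/v1/internal/ui/services?dc=kitchen&token=" a:1, c:1
2015/11/19 09:32:28 [debug] 6736#0: *58 http close request
'''

for r in triage(SAMPLE):
    print(r['conn'], r['verdict'], 'ldap_lines=%s' % r['ldap'], r['request'])
```

nginx debug logging records request headers verbatim, Authorization included, so logs fed to a script like this should be treated as containing credentials.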

Ginja commented 8 years ago

This issue actually lies with the Consul Web UI and the response code it's returning for one of its pages. Closing.

VictorJ76 commented 6 years ago

I got a 401 after 5-10 minutes on every browser