
After introducing LDAP my websocket connection is no more working #190

Open manas86 opened 7 years ago

manas86 commented 7 years ago

Hi All,

Before introducing LDAP to my nginx, I was using plain htpasswd basic auth (`auth_basic`) and everything worked, including my WebSocket. As soon as I switched the same locations to `auth_ldap`, the WebSocket client fails with: `ws-messaging.html:107 WebSocket connection to 'wss://XXXXXX/ws?books=xxxx' failed: Error during WebSocket handshake: Unexpected response code: 400`. Here is the configuration that works, with htpasswd:


> 
> # Working baseline: TLS on 8443, HTTP basic auth against an htpasswd file,
> # and /ws proxied to an upstream with the WebSocket Upgrade headers passed through.
> error_log  /var/log/nginx/error.log;
> 
> #Specifies the file where server logs.
> #pid        logs/nginx.pid;
> #nginx will write its master process ID(PID).
> events {
>   worker_connections  1024;
> }
> 
> http {
>   include       mime.types;
>   default_type  application/octet-stream;
> 
>   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                     '$status $body_bytes_sent "$http_referer" '
>                     '"$http_user_agent" "$http_x_forwarded_for"';
>   access_log  /var/log/nginx/access.log  main;
>   sendfile        on;
>   keepalive_timeout  65;
>   
> 
>   server {
>     listen 8443 ssl;
> 
>     ssl_certificate     /etc/nginx/certs/example.crt;
>     ssl_certificate_key /etc/nginx/certs/example.key;
>     # NOTE(review): TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (plus TLSv1.3
>     # if this nginx/OpenSSL build supports it) unless legacy clients truly require them.
>     ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers         HIGH:!aNULL:!MD5;
> 
>     # Static content, protected by basic auth. Credentials travel base64-encoded in the
>     # Authorization header, so this is only acceptable because the listener is TLS-only.
>     location / {
>       auth_basic "Restricted Content";
>       auth_basic_user_file /etc/nginx/pass/.htpasswd;
>       root   html;
>       index  index.html index.htm;
>     }
>     # WebSocket endpoint: same auth as /, then an HTTP/1.1 proxy with the Upgrade and
>     # Connection headers forwarded so the handshake reaches the upstream intact.
>     location /ws {
>       auth_basic "Restricted Content";
>       auth_basic_user_file /etc/nginx/pass/.htpasswd;
> 
>       # NOTE(review): $NAMESERVER and $BLADE_LOCATION look like template placeholders
>       # (envsubst or similar) filled in before nginx loads this file — confirm.
>       resolver $NAMESERVER valid=10s;
>       proxy_pass http://$BLADE_LOCATION$is_args$args;
>       proxy_http_version 1.1;
>       proxy_set_header Upgrade $http_upgrade;
>       proxy_set_header Connection "upgrade";
>       # An idle WebSocket is closed by nginx once nothing is read from the upstream for this long.
>       proxy_read_timeout 3600s;
>     }
> 
>     # redirect server error pages to the static page /50x.html
>     #
>     error_page   500 502 503 504  /50x.html;
>     location = /50x.html {
>       root   /usr/share/nginx/html;
>     }
>   }
> }

Here is the configuration after switching to LDAP (only the auth directives in `/` and `/ws` changed, plus the new `ldap_server` block and some TLS settings):

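> #user  nobody;
> #Referes to single threaded process. Generally set to be equal to the number of CPUs or cores.
> # Same server as the working htpasswd config, with auth_basic replaced by auth_ldap.
> # 'debug' is extremely verbose: nginx's debug log prints every request header, which
> # includes the client's Authorization header (base64 of user:password). Do not post this
> # log unredacted, and drop the level back to 'warn'/'error' once the /ws problem is found.
> error_log  /var/log/nginx/error.log debug;
> 
> #Specifies the file where server logs.
> #pid        logs/nginx.pid;
> #nginx will write its master process ID(PID).
> events {
>   worker_connections  1024;
> }
> 
> http {
>   include       mime.types;
>   default_type  application/octet-stream;
> 
>   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                     '$status $body_bytes_sent "$http_referer" '
>                     '"$http_user_agent" "$http_x_forwarded_for"';
> 
>   access_log  /var/log/nginx/access.log  main;
>   # (a second, identical error_log line at http level was removed here: it repeated the
>   #  main-level directive with the same file and level, so it changed nothing)
>   sendfile        on;
>   # timeout during which a keep-alive client connection will stay open.
>   # (as pasted this line had lost its leading '#'; a bare "timeout ..." line is an unknown
>   #  directive and nginx would refuse to load the file)
>   keepalive_timeout  65;
> 
>   # One LDAP backend, referenced by name from the auth_ldap_servers directives below.
>   ldap_server ldapServer {
>       # ldaps:// encrypts the bind and search traffic to the directory. Whether the module
>       # also verifies the directory's certificate is a separate setting (the module README
>       # documents ssl_check_cert / ssl_ca_file — confirm for the version in use); without
>       # verification an on-path attacker can impersonate the LDAP server and collect every
>       # user's credentials that this proxy forwards to it.
>       url "ldaps://XXXX/ou=XX,dc=XX,dc=XX,dc=net?sAMAccountName?sub?(objectClass=person)";
>       # Service account used for the initial bind and user search. Its password sits in
>       # clear text in this file, so keep nginx.conf readable only by root and give the
>       # account read-only directory rights.
>       # NOTE(review): "DC=adXXDC=XX" has no comma between the two RDNs — presumably a
>       # redaction artifact; confirm the real DN parses.
>       binddn "CN=XX,OU=Apps,OU=Service Accounts,OU=XX,OU=Tenants,DC=adXXDC=XX,DC=net" ;
>       binddn_passwd XXX;
>       # group_attribute / group_attribute_is_dn only take effect together with a
>       # 'require group ...' rule; with 'require valid_user' alone, any account that can
>       # bind successfully is admitted.
>       group_attribute uniquemember;
>       group_attribute_is_dn on;
>       # (the duplicated 'require valid_user;' line was collapsed into one)
>       require valid_user;
>     }
> 
> 
>   server {
>     listen 8443 ssl;
> 
>     ssl_certificate     /etc/nginx/certs/example.crt;
>     ssl_certificate_key /etc/nginx/certs/example.key;
>     # OCSP stapling needs a CA-issued chain and outbound DNS/HTTP from this host; the
>     # file name suggests a self-signed/example certificate, in which case nginx ignores
>     # stapling and logs a warning. The resolver below also sends this server's OCSP
>     # lookups to Google's public DNS — use the internal resolver if that is unintended.
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     resolver 8.8.8.8 8.8.4.4 valid=300s;
>     resolver_timeout 10s;
> 
>     ssl_prefer_server_ciphers On;
>     # NOTE(review): TLSv1/TLSv1.1 are deprecated and the cipher list still admits 3DES
>     # suites; trim to TLSv1.2 (plus TLSv1.3 if available) and the AESGCM suites unless
>     # legacy clients truly need more.
>     ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
> 
> 
>     location / {
>       auth_ldap "Forbidden";
>       auth_ldap_servers ldapServer;
> 
>       root   /build;
>       index  index.html index.htm;
>     }
>     # This is the location whose WebSocket handshake now gets a 400. Relative to the
>     # working config only auth_basic -> auth_ldap changed here, so the first thing to
>     # establish from error.log is whether the 400 is produced during the auth_ldap check
>     # or comes back from the upstream after the proxied handshake.
>     location /ws {
>       auth_ldap "Forbidden";
>       auth_ldap_servers ldapServer;
> 
>       # NOTE(review): this location-level resolver overrides the server-level one above;
>       # $NAMESERVER / $BLADE_LOCATION look like placeholders substituted before nginx
>       # loads the file — confirm.
>       resolver $NAMESERVER valid=10s;
>       proxy_pass http://$BLADE_LOCATION$is_args$args;
>       proxy_http_version 1.1;
>       proxy_set_header Upgrade $http_upgrade;
>       proxy_set_header Connection "upgrade";
>       # An idle WebSocket is closed by nginx once nothing is read from the upstream for this long.
>       proxy_read_timeout 3600s;
>     }
>     location = /favicon.ico {
>             log_not_found off;
>             access_log off;
>     }
> 
>     # redirect server error pages to the static page /50x.html
>     #
>     error_page   500 502 503 504  /50x.html;
>     location = /50x.html {
>       root   /usr/share/nginx/html;
>         }
>     }
> }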

Can anyone help me understand why the htpasswd configuration works for the WebSocket while the otherwise identical LDAP configuration answers the handshake with a 400?

puncha commented 6 years ago

I encountered the same issue