vivekbny
commented
5 years ago Closed vivekbny closed 5 years ago
faisal-memon
commented
5 years ago Hi Vivek,
It's hard to say without understanding what requests are made and to which ports. Clearly, the daemon does not see headers it expects; this means you are sending the request directly, or from a wrong location.Suggest to enable access logs in NGINX and check how his request is processed. Are you trying to access backend directly instead of through NGINX?
Faisal
vivekbny
commented
5 years ago Hi @faisal-memon,
Our project is to setup LDAP for a monitoring service(prometheus URL).
Initially we did a reverse proxy for prometheus using nginx and accessed the prometheus URL in the port 9981. Below is the nginx,conf worker_processes 1;
events { worker_connections 1024; }
http { server { listen 0.0.0.0:9981; server_name localhost;
location / {
proxy_pass http://*****.bnymellon.com:9090/;
}
}}
Now with the reverse proxy working. I am trying to setup LDAP for reverse proxied prometheus URL.
For adding LDAP, I cloned this project(nginx-ldap-auth). then built an image using the existing docker file available in this project.
Now made some changes to the nginx.conf to setup LDAP for prometheus and i ran it.
Issue is that Connection is not getting established to the LDAP server from the nginx. Below is my nginx.conf. Can you please let me know on the approach which i am working is fine or not.
Need you suggestions
error_log logs/error.log debug;
events { }
http { proxy_cache_path cache/ keys_zone=auth_cache:10m;
# The back-end daemon listens on port 9000 as implemented
# in backend-sample-app.py.
# Change the IP address if the daemon is not running on the
# same host as NGINX/NGINX Plus.
upstream backend {
server 127.0.0.1:9000;
}
# NGINX/NGINX Plus listen on port 8081 for requests that require
# authentication. Change the port number as appropriate.
server {
listen 0.0.0.0:9981;
# Protected application
location / {
auth_request /auth-proxy;
# redirect 401 to login form
error_page 401 =200 /login;
proxy_pass http://****.bnymellon.com:9090/;
}
location /login {
proxy_pass http://****.bnymellon.com:9090/;
# Login service returns a redirect to the original URI
# and sets the cookie for the ldap-auth daemon
proxy_set_header X-Target $request_uri;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8888, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8888;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ols.bnym.net:1234";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "cn=People,ou=Internal,o=mfc";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "uid=*****,ou=Directory,ou=Users,o=mfc";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "*****";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}}
vivekbny
commented
5 years ago @faisal-memon Can you please advise
faisal-memon
commented
5 years ago There could be something wrong with your configuration or network. It would be useful to see logs from nginx-ldap-auth-daemon.py to see what address/hostname it is trying to connect exactly and why it fails.
vl-homutov
commented
5 years ago Feedback timeout.
Hi @faisal-memon ,
I am from BNYMellon. We are trying to setup nginx-ldap for our one of our service.
I cloned the project from git repo. Then built an image using the existing docker file and started the nginxldap service. docker run -d -p 9000:80 -v /null/nginx.conf:/etc/nginx/nginx.conf nginxldap
When i checked the logs it shows - Start listening on 0.0.0.0:8888... When i enter the username and pwd - it shows 13/Aug/2018 11:30:58] LDAP baseDN is not set! in logs
Attaching my nginx.conf (Which has all the connection details).
Your help is really appreciated.
Thanks, Vivek