nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Is communication between nginx and ldap-auth encrypted? #77

Open yzargari opened 3 years ago

yzargari commented 3 years ago

Hello,

I couldn't help noticing that traffic between nginx and ldap-auth contains the most sensitive info (passwords), but nowhere in the docs do I see any reference to whether the channel is encrypted or not. I can only assume that it isn't, as I didn't provide a certificate...

Does anyone know anything about it? Can I provide a certificate and enforce HTTPS?

Thanks!

vl-homutov commented 3 years ago

As you may see from the configuration, proxy_pass to an http URL is used to communicate with the auth daemon. This means no encryption is used. Since you are passing data between two processes on the loopback interface, it doesn't make too much sense to use encryption. If you want to run the services on different hosts, it makes sense to enable https, set up certificates, etc. Note you will have to touch the daemon code to enable an ssl server, provide it with certificates and corresponding settings like ciphers. On the nginx side, you have a normal https client, so just change the proxy_pass scheme to secure and set up client ssl as required.

yzargari commented 3 years ago

Thanks @vl-homutov. I'm actually planning to run one ldap-auth daemon and use it from multiple nginx servers, so encrypting the traffic is important.

Would you accept a PR to add support for setting up HTTPS using args? (only if passed, ssl is added)
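The two comments above describe the change in outline: the daemon's plain HTTP listener would be wrapped in TLS only when certificate arguments are passed, and nginx would then talk to it over https. The block below is an added example of that shape, not code from the nginx-ldap-auth project or from either commenter. The flag names (`--ssl-cert`, `--ssl-key`, `--ssl-client-ca`), the functions `parse_args`, `build_tls_context` and `make_server`, and the placeholder request handler are assumptions for this illustration; the project's real daemon does its LDAP bind where the placeholder handler sits.

```python
"""Optional TLS for an http.server-based auth daemon (added example).

When --ssl-cert/--ssl-key are not given the listener stays plain HTTP, which
is the loopback case from the thread; when they are given the listening
socket is wrapped in TLS 1.2+; --ssl-client-ca additionally requires nginx
to present a client certificate (mutual TLS).  All flag and function names
here are assumptions, not the project's own.
"""
import argparse
import ssl
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_args(argv):
    p = argparse.ArgumentParser(description="auth daemon with optional TLS")
    p.add_argument("--host", default="localhost")
    p.add_argument("--port", type=int, default=8888)
    p.add_argument("--ssl-cert", help="server certificate (PEM); enables TLS")
    p.add_argument("--ssl-key", help="private key (PEM) matching --ssl-cert")
    p.add_argument("--ssl-client-ca",
                   help="CA bundle (PEM); if set, clients must present a cert")
    return p.parse_args(argv)


def tls_enabled(args):
    # "Only if passed, ssl is added": presence of a certificate is the switch.
    return args.ssl_cert is not None


def build_tls_context(cert, key, client_ca=None):
    """Return an SSLContext for the listener, or None when TLS is off."""
    if cert is None:
        return None
    if key is None:
        raise ValueError("--ssl-key is required when --ssl-cert is given")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    if client_ca:
        # Mutual TLS: only holders of a cert signed by this CA (i.e. the
        # nginx hosts) can reach the password-carrying endpoint at all.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


class PlaceholderHandler(BaseHTTPRequestHandler):
    """Stand-in for the daemon's real handler; always asks for credentials."""

    def do_GET(self):
        # The real daemon decodes the Authorization header and binds to LDAP
        # here; this placeholder never accepts anyone.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="placeholder"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def make_server(args, handler_cls=PlaceholderHandler):
    """Bind the listener and wrap its socket in TLS when configured."""
    server = HTTPServer((args.host, args.port), handler_cls)
    ctx = build_tls_context(args.ssl_cert, args.ssl_key, args.ssl_client_ca)
    if ctx is not None:
        server.socket = ctx.wrap_socket(server.socket, server_side=True)
    return server


if __name__ == "__main__":
    opts = parse_args(sys.argv[1:])
    srv = make_server(opts)
    scheme = "https" if tls_enabled(opts) else "http"
    print(f"auth daemon listening on {scheme}://{opts.host}:{opts.port}")
    srv.serve_forever()
```

On the nginx side the matching change is the one vl-homutov describes: point `proxy_pass` at an `https://` URL and configure the client side of the TLS connection. Note that nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` is set together with `proxy_ssl_trusted_certificate` (and `proxy_ssl_name` for the expected hostname); with the daemon run under `--ssl-client-ca`, each nginx host also needs `proxy_ssl_certificate` and `proxy_ssl_certificate_key`. Without verification the password is still encrypted in transit, but any host that can answer on that address could impersonate the daemon.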

vl-homutov commented 3 years ago

Well, it will depend on impact, but in general, I have no objections to optional tls configuration for the daemon, unless it complicates things unnecessarily. Anyway, this project is an example implementation, feel free to do whatever you want and share results with everyone, even if it may possibly be rejected.

mclei-asw commented 3 years ago

Why don't you just use nginx as SSL proxy to this service? So your nginx will communicate with another nginx, which is just a proxy to this service.

tacerus commented 2 years ago

@mclei-asw Using nginx to improve nginx - I love how I would have never thought of that. :-D