nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Prevent user from overriding the LDAP connection parameters #81

Closed LVerneyPEReN closed 2 years ago

LVerneyPEReN commented 3 years ago

Hi,

It might be worth emphasizing in the README.md file that, as the example python daemon accepts both headers and CLI parameters, it is necessary to ensure that a user cannot send X-Ldap-* parameters to override the default settings.

Typically, in a scenario where one would run the python daemon passing it against a single LDAP, they might be tempted to use CLI parameters and discard the proxy_set_header X-Ldap-URL "ldap://example.com"; line in nginx. In this situation, as far as I understand, any user could send a custom X-Ldap-URL to switch the ldap backend against which to check credentials.

Wouldn't it be safer to write the example nginx configuration this way instead (both in the example conf file and in the README)?

http {
    ...

    server {
        ...

        location = /auth-proxy {
            proxy_pass http://127.0.0.1:8888;

            # Do not pass request headers to ensure end user cannot override LDAP settings.
            proxy_pass_request_headers off;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # Pass back the Authorization header (whitelist-like)
            proxy_set_header Authorization $http_authorization;

            # Use any useful X-Ldap-* set_header directives here
            ...
        }
    }
}

Best
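A way to verify the behaviour discussed above, added here as an example and not code from the repository or from either commenter: a hypothetical canary that stands in for the auth daemon on the port nginx proxies to (127.0.0.1:8888 in the config above) and prints, for every subrequest it receives, which X-Ldap-* headers arrived and whether Authorization still did. Requesting the protected location with a forged X-Ldap-URL then shows directly whether the client header leaks through to the daemon; the port, the /auth-proxy path and the forged values are assumptions.

```python
import http.client
import http.server
import json
import threading


def inspect_headers(headers):
    """What the daemon would act on: client-controlled X-Ldap-* headers (should be
    none behind the hardened location) and whether Authorization still arrives."""
    x_ldap = {k: v for k, v in headers.items() if k.lower().startswith("x-ldap-")}
    return {"x_ldap": x_ldap, "authorization": headers.get("Authorization") is not None}


class CanaryAuthDaemon(http.server.BaseHTTPRequestHandler):
    """Hypothetical stand-in for the auth daemon: never grants access, just reports."""
    seen = []

    def do_GET(self):
        report = inspect_headers(self.headers)
        self.__class__.seen.append(report)
        print(json.dumps(report))
        self.send_response(401)  # auth_request treats 401 as "deny"; body is discarded
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout to the reports only


def start_canary(host="127.0.0.1", port=8888):
    """Bind the canary where nginx expects the daemon; port 0 picks a free port."""
    srv = http.server.HTTPServer((host, port), CanaryAuthDaemon)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, path, forged):
    """Request `path` carrying forged headers and return the HTTP status; in real use
    point this at nginx's protected location and read the canary's printed report."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers=forged)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    srv = start_canary(port=0)
    # Hitting the canary directly (no nginx in between) shows the forged header arriving verbatim.
    probe("127.0.0.1", srv.server_port, "/auth-proxy",
          {"X-Ldap-URL": "ldap://example.com", "Authorization": "Basic dXNlcjpwYXNz"})
    srv.shutdown()
```

With the hardened location in front, the report for the same probe should show an empty x_ldap map and authorization true; any X-Ldap-* entry means the client header reached the daemon.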

lcrilly commented 2 years ago

Done. https://github.com/nginxinc/nginx-ldap-auth/commit/763f23b29785d96dc2dafbc68524b393eef212f6 https://github.com/nginxinc/nginx-ldap-auth/commit/5e5d5b1b8669e633d906c678786411ac0ed61968