nginx_ldap_auth 和自定义身份验证页面
nginx_ldap_auth and custom authentication page
我找到了一个允许使用 ldap 验证用户身份的 nginx 模块 (https://github.com/nginxinc/nginx-ldap-auth)。
我想用后端服务器上不存在的自定义身份验证页面对其进行调整。我不明白所有的互动:
我应该在登录页面中创建一个 cookie 吗?如何将凭据传递给 ldap 守护进程?也许我想做的事是不可能的?我已经尝试了几天,现在我几乎绝望了...
我一直在 ldap 守护程序上收到这些消息:
using username/password from authorization header
"GET /auth-proxy HTTP/1.0" 401 -
下面,sites-enabled/mywebsite:
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name mywebsite.com;
ssl_certificate /root/mywebsite.com.cer;
ssl_certificate_key /root/mywebsite.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/oxidized.access.log;
root /var/www/auth_ldap;
index index.php index.html =404;
# Pass PHP scripts to FastCGI server
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location / {
auth_request /auth-proxy;
# redirect 401 to login form
# Comment them out if using HTTP basic authentication.
# or authentication popup won't show
error_page 401 =200 /login;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8888;
proxy_read_timeout 90;
proxy_redirect http://localhost:8888 https://mywebsite.com;
}
location /login {
alias /var/www/auth_ldap/login;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8081, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8081;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ---------------------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "dc=mywebsite,dc=com";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "cn=some_users,ou=LDAP Users,ou=Users,dc=mywebsite,dc=com";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (May be required if using Microsoft Active Directory and
# getting "In order to perform this operation a successful bind
# must be completed on the connection." errror)
#proxy_set_header X-Ldap-DisableReferrals "true";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
登录页面示例:
<?php
if(isset($_POST['submit']))
{
$_SESSION['username'] = $_POST['login'];
$_SESSION['password'] = $_POST['password'];
header('Location: /');
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login with LDAP</title>
</head>
<body>
<form method="post">
<label for="login">Login:</label>
<input type="text" name="login" />
<label for="password">Password:</label>
<input type="password" name="password" />
<input type="submit" name="submit" value="Log in" />
</form>
</body>
</html>
在此先感谢您对该主题的任何帮助。
我找到了如何将我的 login/password 传递给 NginX:但是,不是使用授权 header,而是使用 cookie。
这是我的新 nginx 虚拟主机:
# TO ADD in nginx.conf, in the "http" block:
# proxy_cache_path cache/ keys_zone=auth_cache:10m;
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name mywebsite.com;
ssl_certificate /root/mywebsite.com.cer;
ssl_certificate_key /root/mywebsite.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/oxidized.access.log;
root /var/www/auth_ldap;
index index.php index.html =404;
# Pass PHP scripts to FastCGI server
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location / {
auth_request /auth-proxy;
# redirect 401 to login form
# Comment them out if using HTTP basic authentication.
# or authentication popup won't show
error_page 401 =200 /login;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8888;
proxy_read_timeout 90;
proxy_redirect http://localhost:8888 https://mywebsite.com;
}
location /login {
alias /var/www/auth_ldap/login;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8081, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8081;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ---------------------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "dc=mywebsite,dc=com";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "cn=some_users,ou=Users,dc=mywebsite,dc=com";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (May be required if using Microsoft Active Directory and
# getting "In order to perform this operation a successful bind
# must be completed on the connection." errror)
proxy_set_header X-Ldap-DisableReferrals "true";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
以及认证页面:
<?php
if(isset($_POST['submit']))
{
$auth = base64_encode($_POST['login'].':'.$_POST['password']);
$expire = time() + 60 * 60 * 1; // 1 hour
setcookie('nginxauth',$auth,$expire,'/');
header('Location: /');
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login with LDAP</title>
</head>
<body>
<form method="post">
<label for="login">Login:</label>
<input type="text" name="login" />
<label for="password">Password:</label>
<input type="password" name="password" />
<input type="submit" name="submit" value="Log in" />
</form>
</body>
</html>
然后,为了记录,我修改了默认脚本 nginx-ldap-auth-daemon.py(它将凭据发送到 LDAP/AD 服务器),因为 cookie "urlencode" base64 "login:password" 字段(因此,“=”变为“%3D”)。我必须导入 "urllib2" 并解码 cookie:
auth_cookie = urllib2.unquote(self.get_cookie(ctx['cookiename'])).decode('utf8')
我希望这会帮助人们实施 nginx_ldap_auth。
此致。
可以在 nginx 中使用 cookie 实现基于表单(自定义)的身份验证,并启用它从配置文件中删除如下注释:
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
要启用基本身份验证,请按如下方式注释 Cookie 机制:
#proxy_set_header X-CookieName "nginxauth";
#proxy_set_header Cookie nginxauth=$cookie_nginxauth;
默认情况下,基于表单的身份验证用于 nginx-ldap-auth。
我找到了一个允许使用 ldap 验证用户身份的 nginx 模块 (https://github.com/nginxinc/nginx-ldap-auth)。
我想用后端服务器上不存在的自定义身份验证页面对其进行调整。我不明白所有的互动: 我应该在登录页面中创建一个 cookie 吗?如何将凭据传递给 ldap 守护进程?也许我想做的事是不可能的?我已经尝试了几天,现在我几乎绝望了...
我一直在 ldap 守护程序上收到这些消息:
using username/password from authorization header
"GET /auth-proxy HTTP/1.0" 401 -
下面,sites-enabled/mywebsite:
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name mywebsite.com;
ssl_certificate /root/mywebsite.com.cer;
ssl_certificate_key /root/mywebsite.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/oxidized.access.log;
root /var/www/auth_ldap;
index index.php index.html =404;
# Pass PHP scripts to FastCGI server
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location / {
auth_request /auth-proxy;
# redirect 401 to login form
# Comment them out if using HTTP basic authentication.
# or authentication popup won't show
error_page 401 =200 /login;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8888;
proxy_read_timeout 90;
proxy_redirect http://localhost:8888 https://mywebsite.com;
}
location /login {
alias /var/www/auth_ldap/login;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8081, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8081;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ---------------------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "dc=mywebsite,dc=com";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "cn=some_users,ou=LDAP Users,ou=Users,dc=mywebsite,dc=com";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (May be required if using Microsoft Active Directory and
# getting "In order to perform this operation a successful bind
# must be completed on the connection." errror)
#proxy_set_header X-Ldap-DisableReferrals "true";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
登录页面示例:
<?php
if(isset($_POST['submit']))
{
$_SESSION['username'] = $_POST['login'];
$_SESSION['password'] = $_POST['password'];
header('Location: /');
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login with LDAP</title>
</head>
<body>
<form method="post">
<label for="login">Login:</label>
<input type="text" name="login" />
<label for="password">Password:</label>
<input type="password" name="password" />
<input type="submit" name="submit" value="Log in" />
</form>
</body>
</html>
在此先感谢您对该主题的任何帮助。
我找到了如何将我的 login/password 传递给 NginX:但是,不是使用授权 header,而是使用 cookie。
这是我的新 nginx 虚拟主机:
# TO ADD in nginx.conf, in the "http" block:
# proxy_cache_path cache/ keys_zone=auth_cache:10m;
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name mywebsite.com;
ssl_certificate /root/mywebsite.com.cer;
ssl_certificate_key /root/mywebsite.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/oxidized.access.log;
root /var/www/auth_ldap;
index index.php index.html =404;
# Pass PHP scripts to FastCGI server
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location / {
auth_request /auth-proxy;
# redirect 401 to login form
# Comment them out if using HTTP basic authentication.
# or authentication popup won't show
error_page 401 =200 /login;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8888;
proxy_read_timeout 90;
proxy_redirect http://localhost:8888 https://mywebsite.com;
}
location /login {
alias /var/www/auth_ldap/login;
}
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8081, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8081;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ---------------------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ad.mywebsite.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "dc=mywebsite,dc=com";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "cn=some_users,ou=Users,dc=mywebsite,dc=com";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (May be required if using Microsoft Active Directory and
# getting "In order to perform this operation a successful bind
# must be completed on the connection." errror)
proxy_set_header X-Ldap-DisableReferrals "true";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
以及认证页面:
<?php
if(isset($_POST['submit']))
{
$auth = base64_encode($_POST['login'].':'.$_POST['password']);
$expire = time() + 60 * 60 * 1; // 1 hour
setcookie('nginxauth',$auth,$expire,'/');
header('Location: /');
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login with LDAP</title>
</head>
<body>
<form method="post">
<label for="login">Login:</label>
<input type="text" name="login" />
<label for="password">Password:</label>
<input type="password" name="password" />
<input type="submit" name="submit" value="Log in" />
</form>
</body>
</html>
然后,为了记录,我修改了默认脚本 nginx-ldap-auth-daemon.py(它将凭据发送到 LDAP/AD 服务器),因为 cookie "urlencode" base64 "login:password" 字段(因此,“=”变为“%3D”)。我必须导入 "urllib2" 并解码 cookie:
auth_cookie = urllib2.unquote(self.get_cookie(ctx['cookiename'])).decode('utf8')
我希望这会帮助人们实施 nginx_ldap_auth。
此致。
可以在 nginx 中使用 cookie 实现基于表单(自定义)的身份验证,并启用它从配置文件中删除如下注释:
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
要启用基本身份验证,请按如下方式注释 Cookie 机制:
#proxy_set_header X-CookieName "nginxauth";
#proxy_set_header Cookie nginxauth=$cookie_nginxauth;
默认情况下,基于表单的身份验证用于 nginx-ldap-auth。