Suppress the LDAP authentication for an application in NGINX
I use NginX to authenticate applications, e.g. myapp1 and myapp2, using LDAP (described here). My configuration file looks like the following:

    ldap_server myapp1 {
        url ldaps://....;
        binddn "CN=user,OU=t accounts,DC=dom,DC=uk";
        binddn_passwd ...;
        group_attribute member;
        group_attribute_is_dn on;
        max_down_retries_count 5;
        satisfy any;
        Require valid-user;
    }
    ldap_server myapp2 {
        url ldaps://....;
        binddn "CN=user,OU=t accounts,DC=dom,DC=uk";
        binddn_passwd ...;
        group_attribute member;
        group_attribute_is_dn on;
        max_down_retries_count 5;
        satisfy any;
        Require valid-user;
    }

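This works well. Now I would like to remove the authentication for myapp2. In other words, if a user opens the URL of myapp2 in the browser, the user will not be asked to authenticate but will go directly to the URL, and this only for myapp2. Is this possible?

Update: I found that nginx.conf has another part, the proxy part: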

    location /myapp1/ {
        auth_ldap_servers myapp1;
        proxy_pass http://127.0.0.1:3838/myapp1/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /myapp2/ {
        auth_ldap_servers myapp2;
        proxy_pass http://127.0.0.1:3838/myapp2/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }

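Maybe I have to change the contents of the location part?

I finally found the solution.

The problem is that there is an additional part at the beginning of nginx.conf. It should be integrated into the second part, location /myapp/ { ....}. So from: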

    auth_ldap "please log in with windows login data";
    auth_ldap_servers myapp1;
    auth_ldap_servers myapp2;
    #comment:
    # the special part for every app
    location /myapp1/ {
        auth_ldap_servers myapp1;
        proxy_pass http://127.0.0.1:3838/myapp1/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /myapp2/ {
        auth_ldap_servers myapp2;
        proxy_pass http://127.0.0.1:3838/myapp2/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }

to

    location /myapp1/ {
        auth_ldap "please log in with windows login data";
        auth_ldap_servers myapp1;
        proxy_pass http://127.0.0.1:3838/myapp1/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /myapp2/ {
        auth_ldap "please log in with windows login data";
        auth_ldap_servers myapp2;
        proxy_pass http://127.0.0.1:3838/myapp2/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
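
An added example, not part of the original post: once the auth directives live per location, it is easy to lose track of which proxied paths are still protected. The Python sketch below reads an nginx configuration and reports, for each location, whether an auth_ldap realm is in effect, either set in the location itself or inherited from an enclosing level. The sample configuration is constructed, and treating `auth_ldap off;` as disabling authentication is an assumption about the LDAP module in use.

```python
import re

# Constructed sample in the page's layout: realm set once at the outer level.
SAMPLE = """
auth_ldap "please log in with windows login data";
location /myapp1/ {
    auth_ldap_servers myapp1;
    proxy_pass http://127.0.0.1:3838/myapp1/;
}
location /myapp2/ {
    auth_ldap off;  # assumption: the module accepts "off", like auth_basic
    proxy_pass http://127.0.0.1:3838/myapp2/;
}
"""

def tokenize(conf):
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments ('#' inside quotes not handled)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', conf)

def effective_realm(scope):
    # Walk outwards until some level sets auth_ldap; None means it is never set.
    while scope is not None:
        if scope["realm"] is not None:
            return scope["realm"]
        scope = scope["parent"]
    return None

def audit(conf):
    """Map each location path to True when LDAP auth is in effect for it."""
    root = {"realm": None, "parent": None, "path": None}
    cur, locations, words = root, [], []
    for tok in tokenize(conf):
        if tok == ";":
            if len(words) > 1 and words[0] == "auth_ldap":
                cur["realm"] = words[1].strip('"')
            words = []
        elif tok == "{":
            is_loc = bool(words) and words[0] == "location"
            cur = {"realm": None, "parent": cur,
                   "path": words[-1] if is_loc else None}
            if is_loc:
                locations.append(cur)
            words = []
        elif tok == "}":
            cur = cur["parent"] or root
        else:
            words.append(tok)
    return {loc["path"]: effective_realm(loc) not in (None, "off")
            for loc in locations}
```

Running `audit()` over the output of `nginx -T` covers included files as well; any location that maps to False and contains a proxy_pass is reachable without a login.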