diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..24684bf
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2014-2015 Nginx, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c062d1d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,156 @@
+# nginx-ldap-auth
+
+Reference implementation of method for authenticating users on behalf of servers proxied by NGINX or NGINX Plus
+
+## Description
+
+**Note:** For ease of reading, this document refers to [NGINX Plus](http://www.nginx.com/products/), but it also applies to [open source NGINX](http://www.nginx.org/en). The prerequisite [ngx_http_auth_request_module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module is included both in [NGINX Plus packages](http://cs.nginx.com/repo_setup) and [prebuilt open source NGINX binaries](http://nginx.org/en/linux_packages.html).
+
+The ngx-ldap-auth software is a reference implementation of a method for authenticating users who request protected resources from servers proxied by NGINX Plus. It includes a daemon (*ldap-auth*) that communicates with an authentication server, and a sample daemon that stands in for an actual back-end server during testing, by generating an authentication cookie based on the user’s credentials. The daemons are written in Python for use with a Lightweight Directory Access Protocol (LDAP) authentication server (OpenLDAP or Microsoft Windows Active Directory 2003 and 2012).
+
+The ldap-auth daemon, which mediates between NGINX Plus and the LDAP server, is intended to serve as a model for "connector" daemons written in other languages, for different authentication systems, or both. [NGINX, Inc. Professional Services](http://nginx.com/services/) is available to assist with such adaptations.
+
+
+
+For a step-by-step description of the authentication process in the reference implementation, see [NGINX Plus and NGINX Can Authenticate Application Users](https://nginx.com/blog/nginx-plus-authenticate-users#ldap-auth-flow).
+
+## Installation and Configuration
+
+The NGINX Plus configuration file that is provided with the reference implementation configures all components other than the LDAP server (that is, NGINX Plus, the client, the ldap-auth daemon, and the back-end daemon) to run on the same host, which is adequate for testing purposes. The LDAP server can also run on that host during testing.
+
+In an actual deployment, the back-end application and authentication server typically each run on a separate host, with NGINX Plus on a third host. The ldap-auth daemon does not consume many resources in most situations, so it can run on the NGINX Plus host or another host of your choice.
+
+To install and configure the reference implementation, perform the following steps.
+
+1. Create a clone of the GitHub repository (**nginx-ldap-auth**).
+
+1. If NGINX Plus is not already running, install it according to the [instructions for your operating system](https://cs.nginx.com/repo_setup).
+
+1. If an LDAP authentication server is not already running, install and configure one. By default the ldap-auth daemon communicates with OpenLDAP, but can be configured to work with Active Directory.
+
+ If you are using the LDAP server only to test the reference implementation, you can use the [OpenLDAP server Docker image](https://github.com/osixia/docker-openldap) that is available on GitHub, or you can set up a server in a virtual environment using instructions such as [How To Install and Configure a Basic LDAP Server on an Ubuntu 12.04 VPS](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps).
+
+1. On the host where the ldap-auth daemon is to run, install the following additional software. We recommend using the versions that are distributed with the operating system, instead of downloading the software from an open source repository.
+
+ - Python version 2. Version 3 is not supported.
+ - The Python LDAP module, **python-ldap** (created by the [python-ldap.org](http://www.python-ldap.org) open source project).
+
+1. Copy the following files from your repository clone to the indicated hosts:
+ - **nginx-ldap-auth.conf** – NGINX Plus configuration file, which contains the minimal set of directives for testing the reference implementation. Install on the NGINX Plus host (in the **/etc/nginx/conf.d** directory if using the conventional configuration scheme). To avoid configuration conflicts, remember to move or rename any default configuration files installed with NGINX Plus.
+ - **nginx-ldap-auth-daemon.py** – Python code for the ldap-auth daemon. Install on the host of your choice.
+ - **nginx-ldap-auth-daemon-ctl.sh** – Sample shell script for starting and stopping the daemon. Install on the same host as the ldap-auth daemon.
+ - **backend-sample-app.py** – Python code for the daemon that during testing stands in for a real back-end application server. Install on the host of your choice.
+
+1. Modify the NGINX Plus configuration file as described in [Required Modifications to the NGINX Plus Configuration File](#required-mods) below. For information about customizing your deployment, see [Customization](#customization) below. We recommend running the `nginx -t` command after making your changes to verify that the file is syntactically valid.
+
+1. Start NGINX Plus. If it is already running, run the following command to reload the configuration file:
+ root# nginx -s reload
+
+1. Run the following commands to start the ldap-auth daemon and the back-end daemon.
+ root# nginx-ldap-auth-daemon-ctl.sh start
+ root# python backend-sample-app.py
+
+1. To test the reference implementation, use a web browser to access **http://*nginx-server-address*:8081**. Verify that the browser presents a login form. After you fill out the form and submit it, verify that the server returns the expected response to valid credentials. The sample back-end daemon returns this:
+Hello, world! Requested URL: URL
+
+
+### Required Modifications to the NGINX Plus Configuration File
+
+
+Modify the **nginx-ldap-auth.conf** file, by changing values as appropriate for your deployment for the terms shown in bold font in the following configuration.
+
+For detailed instructions, see [Configuring the Reference Implementation](https://nginx.com/blog/nginx-plus-authenticate-users#configure) in the [NGINX Plus and NGINX Can Authenticate Application Users](https://nginx.com/blog/nginx-plus-authenticate-users) blog post. The **nginx-ldap-auth.conf** file includes detailed instructions (in comments not shown here) for setting the `proxy-set-header` directives; for information about other directives, see the [NGINX reference documentation](http://nginx.org/en/docs/).
+
+http {
+ ...
+ proxy_cache_path cache/ keys_zone=auth_cache:10m;
+
+ upstream backend {
+ server 127.0.0.1:9000;
+ }
+
+ server {
+ listen 127.0.0.1:8081;
+
+ location = /auth-proxy {
+ proxy_pass http://127.0.0.1:8888;
+ proxy_cache auth_cache; # Must match the name in the proxy_cache_path directive above
+ proxy_cache_valid 200 403 10m;
+
+ # URL and port for connecting to the LDAP server
+ proxy_set_header X-Ldap-URL "ldaps://example.com:636";
+
+ # Base DN
+ proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
+
+ # Bind DN
+ proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
+
+ # Bind password
+ proxy_set_header X-Ldap-BindPass "secret";
+ }
+ }
+}
+
+If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown:
+
+```
+proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
+```
+
+The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown:
+
+#proxy_set_header X-CookieName "nginxauth";
+#proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+
+## Customization
+### Caching
+
+The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown:
+
+http {
+ ...
+ #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+ ...
+ server {
+ ...
+ location = /auth-proxy {
+ #proxy_cache auth_cache;
+ # note that cookie is added to cache key
+ #proxy_cache_key "$http_authorization$cookie_nginxauth";
+ #proxy_cache_valid 200 403 10m;
+ }
+ }
+}
+
+### Optional LDAP Parameters
+
+If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
+
+proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+
+If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
+
+proxy_set_header X-Ldap-Realm "Restricted";
+
+### Authentication Server
+
+To modify the ldap-auth daemon to communicate with a different (non-LDAP) type of authentication server, write a new authentication-handler class to replace `LDAPAuthHandler` in the **ngx-ldap-auth-daemon.py** script.
+
+## Compatibility
+
+The auth daemon was tested against default configurations of the following LDAP servers:
+
+
+- [OpenLDAP](http://www.openldap.org/)
+- Microsoft Windows Server Active Directory 2003
+- Microsoft Windows Server Active Directory 2012
+
+
+## Limitations
+
+The back-end daemon uses Base64 encoding on the username and password in the cookie. Base64 is a very weak form of scrambling, rendering the credentials vulnerable to extraction and misuse. We strongly recommend using a more sophisticated algorithm in your actual back-end application.
+
+## License
+
+The reference implementation is subject to the same 2-clause BSD license as the open source NGINX software.
diff --git a/backend-sample-app.py b/backend-sample-app.py
new file mode 100755
index 0000000..367fd54
--- /dev/null
+++ b/backend-sample-app.py
@@ -0,0 +1,137 @@
+#!/bin/sh
+''''which python2 >/dev/null && exec python2 "$0" "$@" # '''
+''''which python >/dev/null && exec python "$0" "$@" # '''
+
+# Copyright (C) 2014-2015 Nginx, Inc.
+
+# Example of an application working on port 9000
+# To interact with nginx-ldap-auth-daemon this application
+# 1) accepts GET requests on /login and responds with a login form
+# 2) accepts POST requests on /login, sets a cookie, and responds with redirect
+
+import sys, os, signal, base64, Cookie, cgi, urlparse
+from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
+
+Listen = ('localhost', 9000)
+
+import threading
+from SocketServer import ThreadingMixIn
+class AuthHTTPServer(ThreadingMixIn, HTTPServer):
+ pass
+
+class AppHandler(BaseHTTPRequestHandler):
+
+ def do_GET(self):
+
+ url = urlparse.urlparse(self.path)
+
+ if url.path.startswith("/login"):
+ return self.auth_form()
+
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write('Hello, world! Requested URL: ' + self.path + '\n')
+
+
+ # send login form html
+ def auth_form(self, target = None):
+
+ # try to get target location from header
+ if target == None:
+ target = self.headers.get('X-Target')
+
+ # form cannot be generated if target is unknown
+ if target == None:
+ self.log_error('target url is not passed')
+ self.send_response(500)
+ return
+
+ html="""
+
+
+
+
+ Auth form example
+
+
+
+
+"""
+
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write(html.replace('TARGET', target))
+
+
+ # processes posted form and sets the cookie with login/password
+ def do_POST(self):
+
+ # prepare arguments for cgi module to read posted form
+ env = {'REQUEST_METHOD':'POST',
+ 'CONTENT_TYPE': self.headers['Content-Type'],}
+
+ # read the form contents
+ form = cgi.FieldStorage(fp = self.rfile, headers = self.headers,
+ environ = env)
+
+ # extract required fields
+ user = form.getvalue('username')
+ passwd = form.getvalue('password')
+ target = form.getvalue('target')
+
+ if user != None and passwd != None and target != None:
+
+ # form is filled, set the cookie and redirect to target
+ # so that auth daemon will be able to use information from cookie
+
+ self.send_response(302)
+
+ # WARNING WARNING WARNING
+ #
+ # base64 is just an example method that allows to pack data into
+ # a cookie. You definitely want to perform some encryption here
+ # and share a key with auth daemon that extracts this information
+ #
+ # WARNING WARNING WARNING
+ enc = base64.b64encode(user + ':' + passwd)
+ self.send_header('Set-Cookie', 'nginxauth=' + enc + '; httponly')
+
+ self.send_header('Location', target)
+ self.end_headers()
+
+ return
+
+ self.log_error('some form fields are not provided')
+ self.auth_form(target)
+
+
+ def log_message(self, format, *args):
+ if len(self.client_address) > 0:
+ addr = BaseHTTPRequestHandler.address_string(self)
+ else:
+ addr = "-"
+
+ sys.stdout.write("%s - - [%s] %s\n" % (addr,
+ self.log_date_time_string(), format % args))
+
+ def log_error(self, format, *args):
+ self.log_message(format, *args)
+
+
+def exit_handler(signal, frame):
+ sys.exit(0)
+
+if __name__ == '__main__':
+ server = AuthHTTPServer(Listen, AppHandler)
+ signal.signal(signal.SIGINT, exit_handler)
+ server.serve_forever()
diff --git a/nginx-ldap-auth-daemon-ctl.sh b/nginx-ldap-auth-daemon-ctl.sh
new file mode 100755
index 0000000..2d289da
--- /dev/null
+++ b/nginx-ldap-auth-daemon-ctl.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+CMD=nginx-ldap-auth-daemon.py
+
+if [ ! -f "$CMD" ]; then
+ echo "Please run '$0' from the same directory where '$CMD' file resides"
+ exit 1
+fi
+
+# some versions of start-stop-daemon (i.e. ubuntu) require absolute path
+CMD=$PWD/$CMD
+
+PIDFILE=./nginx-ldap-auth-daemon.pid
+
+case $1 in
+ "start")
+ start-stop-daemon -S -x $CMD -b -m -p $PIDFILE
+ ;;
+ "stop")
+ start-stop-daemon -K -p $PIDFILE
+ ;;
+ *)
+ echo "Usage: $0 "
+ ;;
+esac
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
new file mode 100755
index 0000000..a854bcf
--- /dev/null
+++ b/nginx-ldap-auth-daemon.py
@@ -0,0 +1,226 @@
+#!/bin/sh
+''''which python2 >/dev/null && exec python2 "$0" "$@" # '''
+''''which python >/dev/null && exec python "$0" "$@" # '''
+
+# Copyright (C) 2014-2015 Nginx, Inc.
+
+import sys, os, signal, base64, ldap, Cookie
+from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
+
+Listen = ('localhost', 8888)
+#Listen = "/tmp/auth.sock" # Also uncomment lines in 'Requests are
+ # processed with UNIX sockets' section below
+
+# -----------------------------------------------------------------------------
+# Different request processing models: select one
+# -----------------------------------------------------------------------------
+# Requests are processed in separate thread
+import threading
+from SocketServer import ThreadingMixIn
+class AuthHTTPServer(ThreadingMixIn, HTTPServer):
+ pass
+# -----------------------------------------------------------------------------
+# Requests are processed in separate process
+#from SocketServer import ForkingMixIn
+#class AuthHTTPServer(ForkingMixIn, HTTPServer):
+# pass
+# -----------------------------------------------------------------------------
+# Requests are processed with UNIX sockets
+#import threading
+#from SocketServer import ThreadingUnixStreamServer
+#class AuthHTTPServer(ThreadingUnixStreamServer, HTTPServer):
+# pass
+# -----------------------------------------------------------------------------
+
+class AuthHandler(BaseHTTPRequestHandler):
+
+ # Return True if request is processed and response sent, otherwise False
+ # Set ctx['user'] and ctx['pass'] for authentication
+ def do_GET(self):
+
+ ctx = self.ctx
+
+ ctx['action'] = 'input parameters check'
+ for k, v in self.get_params().items():
+ ctx[k] = self.headers.get(v[0], v[1])
+ if ctx[k] == None:
+ self.auth_failed(ctx, 'required "%s" header was not passed' % k)
+ return True
+
+ ctx['action'] = 'performing authorization'
+ auth_header = self.headers.get('Authorization')
+ auth_cookie = self.get_cookie(ctx['cookiename'])
+
+ if auth_cookie != None and auth_cookie != '':
+ auth_header = "Basic " + auth_cookie
+ self.log_message("using username/password from cookie %s" %
+ ctx['cookiename'])
+ else:
+ self.log_message("using username/password from authorization header")
+
+ if auth_header is None or not auth_header.lower().startswith('basic '):
+
+ self.send_response(401)
+ self.send_header('WWW-Authenticate', 'Basic realm=' + ctx['realm'])
+ self.send_header('Cache-Control', 'no-cache')
+ self.end_headers()
+
+ return True
+
+ ctx['action'] = 'decoding credentials'
+
+ try:
+ auth_decoded = base64.b64decode(auth_header[6:])
+ user, passwd = auth_decoded.split(':', 2)
+
+ except:
+ self.auth_failed(ctx)
+ return True
+
+ ctx['user'] = user
+ ctx['pass'] = passwd
+
+ # Continue request processing
+ return False
+
+ def get_cookie(self, name):
+ cookies = self.headers.get('Cookie')
+ if cookies:
+ authcookie = Cookie.BaseCookie(cookies).get(name)
+ if authcookie:
+ return authcookie.value
+ else:
+ return None
+ else:
+ return None
+
+
+ # Log the error and complete the request with appropriate status
+ def auth_failed(self, ctx, errmsg = None):
+
+ msg = 'Error while ' + ctx['action']
+ if errmsg:
+ msg += ': ' + errmsg
+
+ ex, value, trace = sys.exc_info()
+
+ if ex != None:
+ msg += ": " + str(value)
+
+ if ctx.get('url'):
+ msg += ', server="%s"' % ctx['url']
+
+ if ctx.get('user'):
+ msg += ', login="%s"' % ctx['user']
+
+ self.log_error(msg)
+ self.send_response(403)
+ self.end_headers()
+
+ def get_params(self):
+ return {}
+
+ def log_message(self, format, *args):
+ if len(self.client_address) > 0:
+ addr = BaseHTTPRequestHandler.address_string(self)
+ else:
+ addr = "-"
+
+ sys.stdout.write("%s - %s [%s] %s\n" % (addr, self.ctx['user'],
+ self.log_date_time_string(), format % args))
+
+ def log_error(self, format, *args):
+ self.log_message(format, *args)
+
+
+# Verify username/password against LDAP server
+class LDAPAuthHandler(AuthHandler):
+
+ # Parameters to put into self.ctx from the HTTP header of auth request
+ def get_params(self):
+ return {
+ # parameter header default
+ 'realm': ('X-Ldap-Realm', 'Restricted'),
+ 'url': ('X-Ldap-URL', None),
+ 'basedn': ('X-Ldap-BaseDN', None),
+ 'template': ('X-Ldap-Template', '(cn=%(username)s)'),
+ 'binddn': ('X-Ldap-BindDN', 'cn=anonymous'),
+ 'bindpasswd': ('X-Ldap-BindPass', ''),
+ 'cookiename': ('X-CookieName', '')
+ }
+
+ # GET handler for the authentication request
+ def do_GET(self):
+
+ ctx = dict()
+ self.ctx = ctx
+
+ ctx['action'] = 'initializing basic auth handler'
+ ctx['user'] = '-'
+
+ if AuthHandler.do_GET(self):
+ # request already processed
+ return
+
+ ctx['action'] = 'empty password check'
+ if not ctx['pass']:
+ self.auth_failed(ctx, 'attempt to use empty password')
+ return
+
+ try:
+ ctx['action'] = 'initializing LDAP connection'
+ ldap_obj = ldap.initialize(ctx['url']);
+
+ # See http://www.python-ldap.org/faq.shtml
+ # uncomment, if required
+ # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
+
+ ctx['action'] = 'binding as search user'
+ ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
+
+ ctx['action'] = 'preparing search filter'
+ searchfilter = ctx['template'] % { 'username': ctx['user'] }
+
+ self.log_message(('searching on server "%s" with base dn ' + \
+ '"%s" with filter "%s"') %
+ (ctx['url'], ctx['basedn'], searchfilter))
+
+ ctx['action'] = 'running search query'
+ results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
+ searchfilter, ['objectclass'], 1)
+
+ ctx['action'] = 'verifying search query results'
+ if len(results) < 1:
+ self.auth_failed(ctx, 'no objects found')
+ return
+
+ ctx['action'] = 'binding as an existing user'
+ ldap_dn = results[0][0]
+ ctx['action'] += ' "%s"' % ldap_dn
+ ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)
+
+ self.log_message('Auth OK for user "%s"' % (ctx['user']))
+
+ # Successfully authenticated user
+ self.send_response(200)
+ self.end_headers()
+
+ except:
+ self.auth_failed(ctx)
+
+def exit_handler(signal, frame):
+ global Listen
+
+ if isinstance(Listen, basestring):
+ try:
+ os.unlink(Listen)
+ except:
+ ex, value, trace = sys.exc_info()
+ sys.stderr.write('Failed to remove socket "%s": %s\n' %
+ (Listen, str(value)))
+ sys.exit(0)
+
+if __name__ == '__main__':
+ server = AuthHTTPServer(Listen, LDAPAuthHandler)
+ signal.signal(signal.SIGINT, exit_handler)
+ server.serve_forever()
diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf
new file mode 100644
index 0000000..a232361
--- /dev/null
+++ b/nginx-ldap-auth.conf
@@ -0,0 +1,110 @@
+error_log logs/error.log debug;
+
+events { }
+
+http {
+ proxy_cache_path cache/ keys_zone=auth_cache:10m;
+
+ # The back-end daemon listens on port 9000 as implemented
+ # in backend-sample-app.py.
+ # Change the IP address if the daemon is not running on the
+ # same host as NGINX/NGINX Plus.
+ upstream backend {
+ server 127.0.0.1:9000;
+ }
+
+ # NGINX/NGINX Plus listen on port 8081 for requests that require
+ # authentication. Change the port number as appropriate.
+ server {
+ listen 8081;
+
+ # Protected application
+ location / {
+ auth_request /auth-proxy;
+
+ # redirect 401 and 403 to login form
+ error_page 401 403 =200 /login;
+
+ proxy_pass http://backend/;
+ }
+
+ location /login {
+ proxy_pass http://backend/login;
+ # Login service returns a redirect to the original URI
+ # and sets the cookie for the ldap-auth daemon
+ proxy_set_header X-Target $request_uri;
+ }
+
+ location = /auth-proxy {
+ internal;
+
+ # The ldap-auth daemon listens on port 8888, as set
+ # in nginx-ldap-auth-daemon.py.
+ # Change the IP address if the daemon is not running on
+ # the same host as NGINX/NGINX Plus.
+ proxy_pass http://127.0.0.1:8888;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_cache auth_cache;
+ proxy_cache_valid 200 403 10m;
+
+ # The following directive adds the cookie to the cache key
+ proxy_cache_key "$http_authorization$cookie_nginxauth";
+
+ # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
+ # communicates with an OpenLDAP server, passing in the following
+ # parameters to specify which user account to authenticate. To
+ # eliminate the need to modify the Python code, this file contains
+ # 'proxy_set_header' directives that set the values of the
+ # parameters. Set or change them as instructed in the comments.
+ #
+ # Parameter Proxy header
+ # ----------- ----------------
+ # basedn X-Ldap-BaseDN
+ # binddn X-Ldap-BindDN
+ # bindpasswd X-Ldap-BindPass
+ # cookiename X-CookieName
+ # realm X-Ldap-Realm
+ # template X-Ldap-Template
+ # url X-Ldap-URL
+
+ # (Required) Set the URL and port for connecting to the LDAP server,
+ # by replacing 'example.com' and '636'.
+ proxy_set_header X-Ldap-URL "ldaps://example.com:636";
+
+ # (Required) Set the Base DN, by replacing the value enclosed in
+ # double quotes.
+ proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
+
+ # (Required) Set the Bind DN, by replacing the value enclosed in
+ # double quotes.
+ proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
+
+ # (Required) Set the Bind password, by replacing 'secret'.
+ proxy_set_header X-Ldap-BindPass "secret";
+
+ # (Required) The following directives set the cookie name and pass
+ # it, respectively. They are required for cookie-based
+ # authentication. Comment them out if using HTTP basic
+ # authentication.
+ proxy_set_header X-CookieName "nginxauth";
+ proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+
+ # (Required if using Microsoft Active Directory as the LDAP server)
+ # Set the LDAP template by uncommenting the following directive.
+ #proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
+
+ # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
+ # template by uncommenting the following directive and replacing
+ # '(cn=%(username)s)' which is the default set in
+ # nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+
+ # (Optional) Set the realm name, by uncommenting the following
+ # directive and replacing 'Restricted' which is the default set
+ # in nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Realm "Restricted";
+ }
+ }
+}