가상 머신에 Docker를 설정하고 FreeIPA 서버와 nginx-ldap-auth-daemon을 위한 두 개의 컨테이너를 시작했습니다. 나는 제공된 지침을 따랐습니다.https://github.com/nginxinc/nginx-ldap-auth#required-modsNginx에서 LDAP 인증을 구성합니다.
/user 위치를 추가하여 ngixn-ldap-auth.conf 파일을 변경한 후 문제가 발생했습니다. localhost:8081/user 페이지에 접속하면 인증창이 나타납니다. 자격 증명을 입력하고 Enter를 누르면 인증 창이 다시 나타나고 페이지에 나타날 것으로 예상되는 메시지가 나타나지 않습니다.
문제를 해결하기 위해 nginx.conf 파일에 /user 위치를 추가하고 nginx-ldap-auth.conf 파일에 주석 처리했습니다. 그런 다음 Nginx를 다시 시작했습니다. 하지만 다시 localhost:8081/user 페이지에 접속하여 인증 데이터를 입력하면 "502 Bad Gateway" 오류가 발생하고 localhost:8081/login 페이지로 리디렉션됩니다.
구성:
cat /etc/nginx/conf.d/nginx-ldap-auth.conf
#error_log logs/error.log debug;
#events { }
#http {
proxy_cache_path cache/ keys_zone=auth_cache:10m;
# The back-end daemon listens on port 9000 as implemented
# in backend-sample-app.py.
# Change the IP address if the daemon is not running on the
# same host as NGINX/NGINX Plus.
upstream backend {
server 127.0.0.1:9000;
}
# NGINX/NGINX Plus listen on port 8081 for requests that require
# authentication. Change the port number as appropriate.
server {
listen 8081;
root /var/www/html;
# Protected application
location / {
auth_request /auth-proxy;
# redirect 401 to login form
# Comment them out if using HTTP basic authentication.
# or authentication popup won't show
error_page 401 =200 /login;
proxy_pass http://backend/;
}
location /login {
proxy_pass http://backend/login;
# Login service returns a redirect to the original URI
# and sets the cookie for the ldap-auth daemon
proxy_set_header X-Target $request_uri;
}
# location /user {
# auth_request /auth-proxy;
# index index.user.html;
# proxy_pass http://backend;
# }
location = /auth-proxy {
internal;
# The ldap-auth daemon listens on port 8888, as set
# in nginx-ldap-auth-daemon.py.
# Change the IP address if the daemon is not running on
# the same host as NGINX/NGINX Plus.
proxy_pass http://127.0.0.1:8888;
proxy_pass_request_body off;
proxy_pass_request_headers off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
# The following directive adds the cookie to the cache key
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://127.0.0.2";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "CN=users,CN=compat,dc=ipa,dc=test,dc=local";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BindDN "CN=admin,dc=ipa,dc=test,dc=local";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "password";
Бычковский Сергей, [05.07.2023 13:31]
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
#proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=users,cn=accounts,dc=ipa,dc=test,dc=local))";
# (Optional) Uncomment if using HTTP basic authentication
#proxy_set_header Authorization $http_authorization;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (May be required if using Microsoft Active Directory and
# getting "In order to perform this operation a successful bind
# must be completed on the connection." errror)
#proxy_set_header X-Ldap-DisableReferrals "true";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
}
#}
grep -v '^$\|^#' /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
server {
server_name localhost;
root /var/www/html;
location /user {
auth_request /auth-proxy;
index index.user.html;
proxy_pass http://backend;
}
}
}
이 문제를 어떻게 해결할 수 있나요?