I’m using two containers, the swag and ldap-auth from linuxserver.io. I’m new to swag and nginx and started to give it a try. I would like to use the login name from LDAP in my nginx ‘default.conf’ so that i can proxy_pass to a different application/container IP dependent on the login name from the LDAP. I’m not sure if this approach is correct, if not, please explain me the correct way to setup this.
This is my default.conf (with the pseudocode that describes what I want it to do):
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name webtoptest.*;
include /config/nginx/ssl.conf;
include /config/nginx/ldap-server.conf;
location / {
include /config/nginx/ldap-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_proto http;
set $upstream_port 3000;
Pseudocode:
if (ldap_login = test) {
set $upstream_app webtop1;
}
if (ldap_login = test2) {
set $upstream_app webtop2;
}
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_buffering off;
}
}
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
and this is the example ldap-server.conf:
location /ldaplogin {
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 9000;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_set_header X-Target $request_uri;
}
location = /auth {
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 8888;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
#Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://ldap.forumsys.com:389";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "dc=example,dc=com";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
# If AD, use "root@test.local"
proxy_set_header X-Ldap-BindDN "cn=read-only-admin,dc=example,dc=com";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "password";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
proxy_set_header X-Ldap-Template "(uid=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}
I tried the $remote_user variable, but the value was never set. I tried a map because I heard that if clauses are not the way to go in nginx and can do some wierd stuff, but same result. I heard that the value of $remote_user is only set when http authentication is used, but how can i get the name from the ldap login?
I appreciate your help.
Thank you
Wosch