红联Linux门户
Linux帮助

debian8.4(jessie)配置nginx1.10.0+LDAP来授权

发布时间:2016-09-26 09:40:58来源:linux网站作者:rainysia
服务器是debian8.4(jessie), x86_64bit, 需要对某些页面进行auth保护, 要求用公司提供的LDAP server.
这里实验我用docker来安装debian8.4和nginx 1.10.0, 下面是Dockerfile
 
FROM debian:8.4
MAINTAINER rainysia "rainysia#gmail.com"
# Define some variables.
ENV NGINX_VERSION release-1.10.0
# Install needed packages, compile and install.
# Remove unused packages and cleanup some directories.
RUN \
apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
git \
gcc \
make \
libpcre3-dev \
zlib1g-dev \
libldap2-dev \
libssl-dev \
wget \
vim \
python-pip  \
ldap-utils \
openssh-client && \
pip install ldap3 && \
mkdir /var/log/nginx && \
mkdir /etc/nginx && \
cd /tmp && \
git clone https://github.com/kvspb/nginx-auth-ldap.git && \
git clone https://github.com/nginx/nginx.git && \
cd /tmp/nginx && \
git checkout tags/${NGINX_VERSION} && \
./auto/configure \
--add-module=/tmp/nginx-auth-ldap \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-pcre \
--with-debug \
--conf-path=/etc/nginx/nginx.conf \ 
--sbin-path=/usr/sbin/nginx \ 
--pid-path=/var/log/nginx/nginx.pid \ 
--error-log-path=/var/log/nginx/error.log \ 
--http-log-path=/var/log/nginx/access.log && \ 
make install && \
apt-get purge -y \
git \
gcc \
make \
libpcre3-dev \
zlib1g-dev \
libldap2-dev \
libssl-dev \
wget && \
apt-get autoremove -y && \
apt-get -y clean && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /usr/src/* && \
rm -rf /tmp/* && \
rm -rf /usr/share/doc/* && \
rm -rf /usr/share/man/* && \
rm -rf /usr/share/locale/*
ADD nginx.conf /etc/nginx/nginx.conf
# Expose ports.
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
 
nginx.conf文件如下:
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
worker_connections  1024;
}
http {
include       mime.types;
default_type  application/octet-stream;
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;
ldap_server LDAP1 {
url "ldap://cdccc03.domain.org:3268/dc=domain,dc=org?sAMAccountName?sub?";
binddn "domain_account@domain.org";
binddn_passwd "domain_account_passwd";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
satisfy any;
group_attribute member;
group_attribute_is_dn on;
#require group "OU=people,DC=domain,DC=org";
require valid_user;
}
gzip                 on;
sendfile             on;
tcp_nopush           on;
tcp_nodelay          on;
keepalive_timeout    65;
types_hash_max_size  2048;
client_max_body_size 2000m;
access_log /var/log/access.log;
error_log /var/log/error.log;
server {
listen      80;
server_name localhost;
charset     utf-8;
auth_ldap "Please enter your domain username";
auth_ldap_servers LDAP1;
index index.html index.htm index.php;
root /var/www;
location / {
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
index index.html index.htm index.php;
try_files $uri $uri/ /index.php?$args;
}
}
}
 
解释下, 上面的nginx.conf里面, 公司的LDAP server 其中一台LDAP server是cdccc03.domain.org, 端口是3268, dc是domain和org
binddn这里填写一个公司的用户帐号, 比如tester@domain.org,
binddn_passwd 这里填写密码,
 
然后运行docker:
docker run -tid --name nginx8089 -p 8089:80  \
-v /docker-config/nginx_ldap.conf:/etc/nginx/conf.d/default.conf \
-v /docker-config/index.html:/var/www/index.html \ cdkdc.domain.org:5000/nginx_ldap:latest
 
这里我把容器的80端口映射到宿主机的8089端口, 并且把nginx_ldap.conf挂载进容器.
访问后, 弹出需要授权, 输入帐号,密码后成功显示页面.
debian8.4(jessie)配置nginx1.10.0+LDAP来授权
可以通过docker exec -ti nginx8089 cat /var/log/nginx/error.log 来查看授权失败的日志.
 
本文永久更新地址:http://www.linuxdiyf.com/linux/24485.html