安装
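#!/usr/bin/env bash
# Build nginx 1.18.0 from source with the nginx-auth-ldap module (plus the
# GeoIP2 module when its source tree is present) and install it under
# /opt/nginx. Must run as a user that may write to /opt and install packages.
set -euo pipefail

NGINX_VERSION=1.18.0
SRC_DIR=/root          # directory that holds the module checkouts (as in the original)
PREFIX=/opt/nginx

cd "$SRC_DIR"

# `git clone` creates a directory named "nginx-auth-ldap"; the --add-module
# path below must use that name (the original pointed at
# "nginx-auth-ldap-master", which the clone does not create).
git clone https://github.com/kvspb/nginx-auth-ldap.git
AUTH_LDAP_SRC="$SRC_DIR/nginx-auth-ldap"

# The GeoIP2 module was referenced by --add-module but never fetched here.
# It is only compiled in when its source tree already exists; it also needs
# the libmaxminddb headers, which the package list below does not install.
GEOIP2_SRC="$SRC_DIR/ngx_http_geoip2_module-master"
GEOIP2_MODULE=""
if [ -d "$GEOIP2_SRC" ]; then
  GEOIP2_MODULE="--add-module=$GEOIP2_SRC"
fi

# Fetch the release tarball over HTTPS and verify the upstream PGP signature
# (.asc is published next to each tarball; the nginx signing keys are listed
# at https://nginx.org/en/pgp_keys.html and must be imported first).
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
gpg --verify "nginx-${NGINX_VERSION}.tar.gz.asc" "nginx-${NGINX_VERSION}.tar.gz"

# Build dependencies for the LDAP module (openldap), PCRE and OpenSSL.
# gcc/make/zlib-devel are assumed to be present already, as in the original.
yum -y install openldap-devel pcre-devel openssl-devel

tar -xzf "nginx-${NGINX_VERSION}.tar.gz"
cd "nginx-${NGINX_VERSION}/"

# $GEOIP2_MODULE is intentionally unquoted: it expands to nothing when the
# GeoIP2 source tree is absent.
./configure --prefix="$PREFIX" \
  --add-module="$AUTH_LDAP_SRC" $GEOIP2_MODULE \
  --with-http_addition_module --with-http_stub_status_module --with-http_realip_module \
  --with-http_ssl_module --with-http_v2_module \
  --with-http_gunzip_module --with-http_gzip_static_module

make
make install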
配置
# Main nginx.conf for an LDAP-authenticated reverse proxy.
# Worker processes run as root here: any vulnerability in a worker (or in the
# third-party auth-ldap module) then yields full privileges. A dedicated
# unprivileged user (e.g. the "nginx" user) is the safer choice.
user root;
worker_processes auto;
worker_rlimit_nofile 102400;
events {
worker_connections 10240;
multi_accept on;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
# $remote_addr in this log format is the realip-rewritten address (see below),
# so log entries reflect whatever X-Forwarded-For value the client supplied.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# 0.0.0.0/0 trusts every peer to set X-Forwarded-For: any direct client can
# choose the address nginx records in $remote_addr (logs, X-Real-IP passed
# upstream, any allow/deny rules). Restrict this to the actual load balancer
# or proxy range, e.g. `set_real_ip_from <LB_ADDRESS_PLACEHOLDER>/32;`.
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 32k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
# Uploads up to 100 MB are accepted; the body buffer (50 MB) is per request.
client_max_body_size 100m;
client_body_buffer_size 50m;
# LDAP backend used by `auth_ldap_servers openldap` in the vhost configs.
ldap_server openldap {
# Plain ldap:// with a simple bind sends the bind password and every
# authenticating user's password in cleartext to 172.21.16.179:389.
# Prefer an ldaps:// URL so the directory traffic is TLS-protected.
url ldap://172.21.16.179:389/cn=accounts,dc=o,dc=test,dc=com?uid?sub?(objectClass=person);
# Service account used for the search bind; it only needs read access to
# the subtree above, so keep it least-privilege in the directory.
binddn "uid=keycloakbot,cn=users,cn=accounts,dc=o,dc=test,dc=com";
# Stored in cleartext in this file: keep nginx.conf readable only by root
# (e.g. mode 0600) and rotate this credential if the file is ever copied
# or committed elsewhere.
binddn_passwd "12345678";
group_attribute uniquemember;
group_attribute_is_dn on;
# valid_user grants access to ANY account that can bind; to limit access to
# a specific group use `require group "<GROUP_DN_PLACEHOLDER>";` instead.
require valid_user;
}
include /opt/nginx/conf/conf.d/*.conf;
}
conf.d/prometheus.conf
#prod prometheus
# Exposes the Prometheus backend at 172.23.13.67:31269 behind LDAP auth.
server {
# Plain HTTP listener: the auth-ldap module challenges with HTTP Basic, so
# user credentials cross the wire base64-encoded only. http_ssl_module is
# compiled in; an `ssl` listener with a certificate would protect them.
listen 19090;
server_name 47.115.78.17;
# NOTE: this server-level proxy_set_header is not inherited by `location /`
# below, because that location declares its own proxy_set_header directives
# (nginx drops all inherited proxy_set_header values in that case). It is
# effectively dead configuration here.
proxy_set_header X-Forwarded-For $remote_addr;
location / {
# Realm shown in the browser's Basic-auth prompt.
auth_ldap "test SSO";
# Refers to the ldap_server block named "openldap" in nginx.conf.
auth_ldap_servers openldap;
#auth_basic "test PROD WARNING";
#auth_basic_user_file /opt/nginx/passwd.db;
# The LDAP gate only protects this path; if the upstream port is reachable
# directly (not only via this proxy), the authentication is bypassed.
proxy_pass http://172.23.13.67:31269;
proxy_set_header Host $host;
# With `set_real_ip_from 0.0.0.0/0` in nginx.conf, $remote_addr (and the
# X-Forwarded-For chain built below) can be chosen by the client; do not
# treat these headers as trustworthy on the Prometheus side.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# 20-minute upstream read timeout to accommodate long-running queries.
proxy_read_timeout 1200s;
}
}