OpenLDAP(4):nginx接入OpenLDAP
一. 简介
OpenLDAP服务已经搭建好了,也用phpLDAPadmin创建完用户了,下面开始使用
先来nginx,这儿记录下
二. 重新编译nginx
nginx要接入OpenLDAP,需要在编译时加上 --add-module=<nginx-auth-ldap 源码目录>(例如 /usr/local/src/nginx-auth-ldap)。这个路径必须指向实际 git clone 出来的 nginx-auth-ldap 目录:下面的脚本是在 nginx 源码目录里 clone 的,所以 configure 时要写那个目录的路径,而不是占位符。
install_nginx.sh
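#!/usr/bin/env bash
# install_nginx.sh — build the newest nginx tarball linked from nginx.org with the
# kvspb/nginx-auth-ldap module compiled in, and install it under /usr/local/nginx.
#
# Environment (all optional):
#   NGINX_URL            tarball URL to build instead of the first one listed on the
#                        download page (pin this for reproducible builds)
#   NGINX_AUTH_LDAP_REF  git tag or commit of nginx-auth-ldap to build; unset means the
#                        clone's default branch, which changes under you over time
# Must run as root (yum, make install).
set -euo pipefail

# Toolchain plus the headers the selected modules need:
#   pcre-devel     -> --with-pcre / regex locations
#   zlib-devel     -> the gzip module (built in unless --without-http_gzip_module)
#   openssl-devel  -> --with-http_ssl_module / --with-stream_ssl_module
#   openldap-devel -> nginx-auth-ldap needs ldap.h; without it ./configure fails
yum -y groupinstall "Development Tools"
yum -y install git pcre pcre-devel zlib zlib-devel openssl openssl-devel openldap-devel

# Resolve the tarball: the first /download/nginx-X.Y.Z.tar.gz link on the page
# (mainline at the time of writing, e.g. nginx-1.13.5.tar.gz). The tight pattern
# avoids the greedy "nginx.*" match that also swallowed the ".tar.gz.asc" link.
if [[ -z "${NGINX_URL:-}" ]]; then
  html=$(curl -fsSL https://nginx.org/en/download.html)
  rel=$(grep -o '/download/nginx-[0-9.]*\.tar\.gz' <<<"$html" | head -n 1) || rel=""
  [[ -n "$rel" ]] || { printf 'no nginx tarball link found on the download page\n' >&2; exit 1; }
  NGINX_URL="https://nginx.org${rel}"
fi
# NGINX_URL: https://nginx.org/download/nginx-1.13.5.tar.gz
tarball=${NGINX_URL##*/}       # nginx-1.13.5.tar.gz
src_dir=${tarball%.tar.gz}     # nginx-1.13.5

cd ~
curl -fsSL -o "$tarball" "$NGINX_URL"
# nginx publishes a detached PGP signature next to every tarball ("${NGINX_URL}.asc").
# TODO: download it and verify with the nginx signing key before building anything
# that will face the network — HTTPS alone does not prove the tarball is the one released.
tar zxf "$tarball"
cd "$src_dir"

# Clone the auth module inside the source tree so --add-module gets a real path
# (the original script passed the literal placeholder path_to_http_auth_ldap_module).
git clone https://github.com/kvspb/nginx-auth-ldap.git
if [[ -n "${NGINX_AUTH_LDAP_REF:-}" ]]; then
  git -C nginx-auth-ldap checkout --quiet "$NGINX_AUTH_LDAP_REF"
fi

# --with-http_realip_module was listed twice in the original; once is enough.
./configure --with-pcre \
  --with-stream \
  --with-stream_ssl_module \
  --with-http_gzip_static_module \
  --with-http_stub_status_module \
  --with-http_addition_module \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_dav_module \
  --with-http_realip_module \
  --with-http_degradation_module \
  --add-module="${PWD}/nginx-auth-ldap"
make
make install
ln -fs /usr/local/nginx/sbin/nginx /usr/local/bin/nginx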
三. nginx配置
nginx.conf
http {
# nginx-auth-ldap directory definition; server blocks reference it with
# `auth_ldap_servers openldap;`.
ldap_server openldap {
# Search base, the attribute the HTTP user name is matched on (cn), scope and filter.
# ldap:// on localhost never leaves the host. For a remote directory use ldaps://
# (636) or StartTLS — otherwise the bind password and every user's login password
# cross the network in the clear.
url ldap://localhost:389/DC=wangbin,DC=io?cn?sub?(objectClass=person);
# Account nginx binds with to look users up. This is the directory administrator
# with its password in nginx.conf: use a dedicated read-only bind account with a
# strong password instead, and keep this file readable by root only.
binddn "cn=admin,dc=wangbin,dc=io";
binddn_passwd "123456";
# Group settings only take effect together with a `require group ...` rule; none is
# configured here, so as far as this file shows they are not exercised.
group_attribute memberuid;
#group_attribute uniquemember;
#group_attribute people;
group_attribute_is_dn on;
# Any account that binds successfully is accepted.
require valid_user;
}
}
http下新增
ldap_server openldap
files.conf
# files.wangbin.io
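# files.wangbin.io — LDAP-protected directory listing of /vps/hosts/files
server {
    listen 50081;
    listen [::]:50081;
    listen 50443 ssl http2;
    listen [::]:50443 ssl http2;
    server_name files.wangbin.io;

    # auth_ldap is HTTP Basic authentication: the browser resends the LDAP user name
    # and password (base64, not encrypted) on every request. On the plain-HTTP listener
    # (50081) that is cleartext on the wire, so send those clients to the TLS listener.
    # The rewrite phase runs before the access phase, so no credentials are asked for
    # over HTTP. (The canonical form is a separate server block for port 50081; a
    # server-level `if` with `return` is the one safe use of `if`.)
    if ($scheme = http) {
        return 301 https://$host:50443$request_uri;
    }

    # ssl (RSA chain)
    ssl_certificate /vps/save/certificate/acme/*.wangbin.io/fullchain.cer;
    ssl_certificate_key /vps/save/certificate/acme/*.wangbin.io/*.wangbin.io.key;
    ssl_trusted_certificate /vps/save/certificate/acme/*.wangbin.io/fullchain.cer;
    # ecc chain — nginx picks whichever of the two the client can use
    ssl_certificate /vps/save/certificate/acme/*.wangbin.io_ecc/fullchain.cer;
    ssl_certificate_key /vps/save/certificate/acme/*.wangbin.io_ecc/*.wangbin.io.key;

    # # Basic HTTP authentication (htpasswd-based predecessor, kept for reference)
    # auth_basic "nginx basic http authentication for files.wangbin.io";
    # auth_basic_user_file /vps/save/certificate/htpasswd/http-htpasswd;
    # LDAP authentication for the whole vhost; "Forbidden" is the realm shown in the prompt.
    auth_ldap "Forbidden";
    auth_ldap_servers openldap;

    # log
    access_log /vps/logs/nginx/today/wangbin.io/files.wangbin.io/access-files.wangbin.io.log wangbin;
    error_log logs/error.log;

    root /vps/hosts/files;
    # NOTE: no PHP handler exists in this server block, so an index.php placed in the
    # tree would be served verbatim (source disclosure). Drop it unless PHP is wired up.
    index index.html index.htm index.php;

    # Regex locations are tried in order and the first match wins. This deny MUST come
    # before the listing location below: in the original order a request for /.svn/
    # (trailing slash) matched `^(.*)/$` first and got an autoindex of the .svn tree.
    # Deny every dotfile/dot-directory (.svn/, .git/, .htpasswd, ...) — they leak source,
    # history and credentials. .well-known/ stays reachable for ACME HTTP challenges.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Directory URLs get an auto-generated listing.
    location ~ ^(.*)/$ {
        charset utf-8;
        autoindex on;
        autoindex_localtime on;    # show the server's local mtime rather than UTC
        autoindex_exact_size off;  # human-readable sizes (kB/MB/GB) instead of exact bytes
        # https://lantian.pub/article/modify-website/nginx-ldap-authentication.lantian/
        # add_after_body conflicts with the LDAP module, so the listing footer is disabled here.
        # add_after_body /autoindex.html;
        add_after_body "";
    }
}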
server下新增
auth_ldap "Forbidden";
auth_ldap_servers openldap;
四. 防火墙
这儿用的是本地的OpenLDAP服务(ldap://localhost:389,流量不经过网络)。如果 nginx 和 OpenLDAP 不在同一台机器,需要在 OpenLDAP 所在的服务器开放端口:优先开放 636(ldaps)并把 url 改成 ldaps://;只开 389 而不配 StartTLS 的话,绑定账号和每个登录用户的密码都会明文经过网络。另外最好只对 nginx 所在主机的 IP 放行,而不是对所有来源开放。
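#!/usr/bin/env bash
# Open the directory port on the OpenLDAP host — only needed when nginx runs elsewhere.
#
# Environment:
#   NGINX_HOST    required: IP or CIDR of the nginx server; nothing else gets through
#   LDAP_SERVICE  optional: firewalld service name, default "ldaps" (636). Use "ldap"
#                 (389) only together with StartTLS, otherwise bind and user passwords
#                 travel in the clear.
set -euo pipefail

: "${NGINX_HOST:?set NGINX_HOST to the IP/CIDR of the nginx server}"
ldap_service=${LDAP_SERVICE:-ldaps}

# A rich rule limits the opening to the nginx host; the original --add-service=ldap
# exposed plaintext LDAP to every source address.
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=\"${NGINX_HOST}\" service name=\"${ldap_service}\" accept"
firewall-cmd --reload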
五. 总结
这样就可以了,后面有新的接入再记录
赶紧试试吧
参考: