参考及依赖
1 2 3 4 5 6 7 https://github.com/nginxinc/nginx-ldap-auth http://nginx.org/ nginx-1.14.2 http_auth_request_module nginx-ldap-auth python2.7 python-ldap
Nginx支持ldap
部署nginx,注意需要http_auth_request_module支持
1 2 3 4 5 6 7 wget http://nginx.org/download/nginx-1.14.2.tar.gz tar zxvf nginx-1.14.2.tar.gz cd nginx-1.14.2 ./configure --with-http_auth_request_module make make install /usr/local/nginx/sbin/nginx
配置nginx,注意ldap配置 cat /usr/local/nginx/conf/nginx.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 user nobody nobody; worker_processes auto; #worker_cpu_affinity auto; worker_rlimit_nofile 65535; error_log logs/error.log; pid logs/nginx.pid; events { use epoll; #reuse_port on; #used in tengine and linux kernel >= 3.9 accept_mutex off; #used in nginx worker_connections 65535; } http { include mime.types; default_type application/octet-stream; server_tokens off; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $request_time $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"|body: $request_body'; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 60; gzip on; gzip_vary on; gzip_comp_level 5; gzip_buffers 16 4k; gzip_min_length 1000; gzip_proxied any; gzip_disable "msie6"; gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json; open_file_cache max=1000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 2; open_file_cache_errors on; client_max_body_size 50m; #缓存可以减少ldap验证频率,不然每个页面都需要ldap验证一次 #你不在乎的话,不要缓存也是没有任何问题的 proxy_cache_path cache/ keys_zone=auth_cache:10m; #kibanan upstream kibana_server { server 10.2.8.44:5601; } server { listen 5601; server_name localhost; access_log logs/kibanan_access.log main; error_log logs/kibanan_error.log debug; #后端程序,也就是kubernetes-dashboard location / { auth_request /auth-proxy; #nginx接收到nginx-ldap-auth-daemon.py返回的401和403都会重新跳转到登录页面 error_page 401 403 =200 /login; proxy_pass http://kibana_server; } #登录页面,由backend-sample-app.py提供,跑在同一台机器的8082端口(默认不是8082端口) location /login { proxy_pass http://127.0.0.1:9000/login; proxy_set_header X-Target $request_uri; } location = /auth-proxy { internal; proxy_pass http://127.0.0.1:8888; #nginx-ldap-auth-daemon.py运行端口 #缓存设置 proxy_cache auth_cache; proxy_cache_key "$http_authorization$cookie_nginxauth"; proxy_cache_valid 200 403 10m; proxy_pass_request_body off; proxy_set_header Content-Length ""; #最最重要的ldap配置,请务必按照贵公司的ldap配置如下四项,我在这一步卡了好久,就是ldap配置不对 #这些配置都会通过http头部传递给nginx-ldap-auth-daemon.py脚本 proxy_set_header X-Ldap-URL "ldap://192.168.88.88:389"; proxy_set_header X-Ldap-BaseDN "ou=People,dc=che,dc=org"; proxy_set_header X-Ldap-BindDN "cn=OPITUser,ou=OuterUser,dc=che,dc=org"; proxy_set_header X-Ldap-BindPass "opit@minminmsn"; proxy_set_header X-Ldap-Template "(uid=%(username)s)"; proxy_set_header X-CookieName "nginxauth"; proxy_set_header Cookie nginxauth=$cookie_nginxauth; } } }
Python Ldap认证
1 2 3 wget https://github.com/nginxinc/nginx-ldap-auth/archive/0.0.4.tar.gz tar zxvf 0.0.4.tar.gz python nginx-ldap-auth-daemon.py &
后端登陆跳转页面
默认页面只能测试,这里需要大概改下才能使用 vim backend-sample-app.py python backend-sample-app.py & backend-sample-app.py其中html=``````修改后如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf8"/> <title>login</title> </head> <style> *{margin:0;padding:0;} .login{ width:400px; height:220px; margin:0 auto; position:absolute; left:35%; top:25%; } .login_title{ color: #000000; font: bold 14px/37px Arial,Helvetica,sans-serif; height: 37px; padding-left: 35px; text-align: left; } .login_cont { background: none repeat scroll 0 0 #FFFFFF; border: 1px solid #B8B7B7; height: 152px; padding-top: 30px; } .form_table { float: left; margin-top: 10px; table-layout: fixed; width: 100%; } .form_table th { color: #333333; font-weight: bold; padding: 5px 8px 5px 0; text-align: right; white-space: nowrap; } .form_table td { color: #717171; line-height: 200%; padding: 6px 0 5px 10px; text-align: left; } .login_cont input.submit { background-position: 0 -37px; height: 29px; margin: 10px 14px 0 0; width: 38px; } </style> <body> <div class="login"> <div class="login_cont"> <form action='/login' method='post'> <table class="form_table"> <col width="60px" /> <col /> <p align="center"> 欢迎登陆kibana管理平台</p> <p align="center"> 请使用邮箱账户密码登陆</p> <tr> <th>用户名:</th><td><input class="normal" type="text" name="username" alt="请填写用户名" /><th>@minminmsn.com</th></td> </tr> <tr> <th>密 码:</th><td><input class="normal" type="password" name="password" alt="请填写密码" /></td> </tr> <tr> <th></th><td><input class="submit" type="submit" value="登录" /><input class="submit" type="reset" value="取消" /></td> </tr> </table> <input type="hidden" name="target" value="TARGET"> </form> </div> </div> </body> </html>
登陆测试 http://192.168.88.188:5601/
