References and dependencies
https://github.com/nginxinc/nginx-ldap-auth
http://nginx.org/
nginx-1.14.2 (built with http_auth_request_module)
nginx-ldap-auth
python2.7, python-ldap
Nginx with LDAP support
Deploy nginx; note that http_auth_request_module support is required.
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar zxvf nginx-1.14.2.tar.gz
cd nginx-1.14.2
./configure --with-http_auth_request_module
make
make install
/usr/local/nginx/sbin/nginx
Configure nginx; pay particular attention to the LDAP settings.
cat /usr/local/nginx/conf/nginx.conf

user nobody nobody;
worker_processes auto;
#worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
error_log logs/error.log;
pid logs/nginx.pid;

events {
    use epoll;
    #reuse_port on; #used in tengine and linux kernel >= 3.9
    accept_mutex off; #used in nginx
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $request_time $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"|body: $request_body';
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    gzip on;
    gzip_vary on;
    gzip_comp_level 5;
    gzip_buffers 16 4k;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    client_max_body_size 50m;
    #Caching reduces how often LDAP is consulted; otherwise every page load triggers an LDAP check
    #If you don't care about that, running without the cache is also perfectly fine
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    #kibanan
    upstream kibana_server {
        server 10.2.8.44:5601;
    }

    server {
        listen 5601;
        server_name localhost;
        access_log logs/kibanan_access.log main;
        error_log logs/kibanan_error.log debug;

        #backend application, i.e. kubernetes-dashboard
        location / {
            auth_request /auth-proxy;
            #nginx redirects to the login page on both the 401 and the 403 returned by nginx-ldap-auth-daemon.py
            error_page 401 403 =200 /login;
            proxy_pass http://kibana_server;
        }

        #login page, served by backend-sample-app.py, running on port 8082 on the same machine (the default is not 8082)
        location /login {
            proxy_pass http://127.0.0.1:9000/login;
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;
            proxy_pass http://127.0.0.1:8888; #port nginx-ldap-auth-daemon.py listens on
            #cache settings
            proxy_cache auth_cache;
            proxy_cache_key "$http_authorization$cookie_nginxauth";
            proxy_cache_valid 200 403 10m;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            #The most important part, the LDAP settings: set the following four items according to your company's LDAP. I was stuck at this step for a long time because my LDAP settings were wrong
            #These settings are passed to the nginx-ldap-auth-daemon.py script via HTTP headers
            proxy_set_header X-Ldap-URL "ldap://10.2.150.11:389";
            proxy_set_header X-Ldap-BaseDN "ou=People,dc=yiche,dc=org";
            proxy_set_header X-Ldap-BindDN "cn=OPITUser,ou=OuterUser,dc=che,dc=org";
            proxy_set_header X-Ldap-BindPass "opit@minminmsn";
            proxy_set_header X-Ldap-Template "(uid=%(username)s)";
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
        }
    }
}

Python LDAP authentication
wget https://github.com/nginxinc/nginx-ldap-auth/archive/0.0.4.tar.gz
tar zxvf 0.0.4.tar.gz
python nginx-ldap-auth-daemon.py &
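The /auth-proxy exchange above, as an added example that is not code from this post or from the nginx-ldap-auth project: a Python 3 model of how the daemon turns the X-Ldap-* headers plus the nginxauth cookie (or an Authorization: Basic header) into the 200 or 401 that auth_request acts on, escaping the username per RFC 4515 before substituting it into X-Ldap-Template. The header names come from the config above; the default template "(cn=%(username)s)", the ldap_check callable that stands in for the python-ldap bind/search, and SAMPLE_TOKEN are assumptions constructed for this example so it runs offline.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

# Constructed sample token: base64("alice:s3cret"), the form the login app stores in the cookie.
SAMPLE_TOKEN = base64.b64encode(b"alice:s3cret").decode("ascii")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter,
    so a username such as '*)(uid=*' cannot widen the X-Ldap-Template search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def extract_credentials(headers: Dict[str, str], cookie_name: str) -> Optional[Tuple[str, str]]:
    """Credentials arrive as base64("user:pass"), either in the cookie named by
    X-CookieName (nginx forwards it as 'Cookie: nginxauth=...') or in Authorization: Basic."""
    token = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            token = value
    auth = headers.get("Authorization", "")
    if token is None and auth.startswith("Basic "):
        token = auth[6:].strip()
    if not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep and user else None


def handle_auth_request(headers: Dict[str, str],
                        ldap_check: Callable[[str, str, str, str], bool]) -> int:
    """Return the status nginx's auth_request sees: 200 allows the request, 401 makes
    error_page send the client to /login. ldap_check(url, base_dn, search_filter, password)
    is an assumed stand-in for the daemon's bind-as-service / search / bind-as-user sequence."""
    creds = extract_credentials(headers, headers.get("X-CookieName", "nginxauth"))
    if creds is None:
        return 401
    username, password = creds
    # Assumed default template when nginx sends no X-Ldap-Template header.
    template = headers.get("X-Ldap-Template", "(cn=%(username)s)")
    search_filter = template % {"username": escape_filter_value(username)}
    if ldap_check(headers.get("X-Ldap-URL", ""), headers.get("X-Ldap-BaseDN", ""),
                  search_filter, password):
        return 200
    return 401
```

Note that proxy_cache_key above is built from the raw Authorization header and cookie, so a cached 200 is reused for 10 minutes for the same credential string without the daemon being asked again.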
Backend login redirect page
The default page is only suitable for testing; it needs some modification before it can be used.
vim backend-sample-app.py
python backend-sample-app.py &
The html="""...""" string in backend-sample-app.py, after modification, is as follows:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>login</title>
<style>
*{margin:0;padding:0;}
.login{width:400px;height:220px;margin:0 auto;position:absolute;left:35%;top:25%;}
.login_title{color: #000000;font: bold 14px/37px Arial,Helvetica,sans-serif;height: 37px;padding-left: 35px;text-align: left;}
.login_cont { background: none repeat scroll 0 0 #FFFFFF; border: 1px solid #B8B7B7; height: 152px; padding-top: 30px;}
.form_table { float: left; margin-top: 10px; table-layout: fixed; width: 100%;}
.form_table th { color: #333333; font-weight: bold; padding: 5px 8px 5px 0; text-align: right; white-space: nowrap;}
.form_table td { color: #717171; line-height: 200%; padding: 6px 0 5px 10px; text-align: left;}
.login_cont input.submit { background-position: 0 -37px; height: 29px; margin: 10px 14px 0 0; width: 38px;}
</style>
</head>
<body>
<div class="login">
<div class="login_cont">
<p align="center"> 欢迎登陆kibana管理平台</p>
<p align="center"> 请使用邮箱账户密码登陆</p>
<form action='/login' method='post'>
<table class="form_table">
<col width="60px" />
<col />
<tr>
<th>用户名:</th><td><input class="normal" type="text" name="username" alt="请填写用户名" /></td><th>@zhidaoauto.com</th>
</tr>
<tr>
<th>密 码:</th><td><input class="normal" type="password" name="password" alt="请填写密码" /></td>
</tr>
<tr>
<th></th><td><input class="submit" type="submit" value="登录" /><input class="submit" type="reset" value="取消" /></td>
</tr>
</table>
<input type="hidden" name="target" value="TARGET">
</form>
</div>
</div>
</body>
</html>

Login test
http://10.2.8.24:5601/
Author: 三杯水Plus
Link: https://www.jianshu.com/p/b96391e0c486