Nginx with Python LDAP authentication for Kibana login access control
### References and dependencies

- https://github.com/nginxinc/nginx-ldap-auth
- http://nginx.org/
- nginx-1.14.2 built with http_auth_request_module
- nginx-ldap-auth
- python2.7
- python-ldap
### Nginx LDAP support
- Deploy nginx; note that `http_auth_request_module` is not built by default, so it has to be enabled at configure time.

```shell
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar zxvf nginx-1.14.2.tar.gz
cd nginx-1.14.2
./configure --with-http_auth_request_module
make
make install
/usr/local/nginx/sbin/nginx
```
- Configure nginx; the LDAP settings are the part to get right.

/usr/local/nginx/conf/nginx.conf:

```nginx
user nobody nobody;
worker_processes auto;
#worker_cpu_affinity auto;
worker_rlimit_nofile 65535;

error_log logs/error.log;
pid logs/nginx.pid;

events {
    use epoll;
    #reuse_port on;    # used in tengine and linux kernel >= 3.9
    accept_mutex off;  # used in nginx
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $request_time $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"|body: $request_body';
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    gzip on;
    gzip_vary on;
    gzip_comp_level 5;
    gzip_buffers 16 4k;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    client_max_body_size 50m;

    # The cache reduces how often LDAP is consulted; without it every page load
    # triggers an LDAP authentication. Leaving the cache out works fine if you
    # don't mind that.
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    # kibana
    upstream kibana_server {
        server 10.2.8.44:5601;
    }

    server {
        listen 5601;
        server_name localhost;
        access_log logs/kibanan_access.log main;
        error_log logs/kibanan_error.log debug;

        # The backend application, i.e. Kibana
        location / {
            auth_request /auth-proxy;
            # Both the 401 and the 403 returned by nginx-ldap-auth-daemon.py
            # send the browser to the login page
            error_page 401 403 =200 /login;
            proxy_pass http://kibana_server;
        }

        # Login page, served by backend-sample-app.py on port 9000 of the same
        # host (its default port)
        location /login {
            proxy_pass http://127.0.0.1:9000/login;
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;
            proxy_pass http://127.0.0.1:8888;  # port nginx-ldap-auth-daemon.py listens on

            # cache settings
            proxy_cache auth_cache;
            proxy_cache_key "$http_authorization$cookie_nginxauth";
            proxy_cache_valid 200 403 10m;

            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # The most important part: the LDAP settings. Set the following
            # four items according to your company's LDAP. I was stuck on this
            # step for a long time; the LDAP settings were simply wrong.
            # All of these are passed to nginx-ldap-auth-daemon.py as HTTP headers.
            proxy_set_header X-Ldap-URL "ldap://10.2.150.11:389";
            proxy_set_header X-Ldap-BaseDN "ou=People,dc=yiche,dc=org";
            proxy_set_header X-Ldap-BindDN "cn=OPITUser,ou=OuterUser,dc=che,dc=org";
            proxy_set_header X-Ldap-BindPass "opit@minminmsn";
            proxy_set_header X-Ldap-Template "(uid=%(username)s)";
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
        }
    }
}
```

A few things to check before putting this in front of a real Kibana. The `main` log format appends `$request_body` to every access-log line, and the login form POSTs `username` and `password` through this server block, so plaintext passwords end up in `logs/kibanan_access.log`; drop `$request_body` from the format, or give the `/login` location its own format. `error_log ... debug` writes every header nginx sends upstream into the error log, which includes `X-Ldap-BindPass` and the user's `Authorization`/cookie value; switch to `error` or `info` once the setup works. The bind password sits in cleartext in `nginx.conf`, and `X-Ldap-URL` uses plain `ldap://`, so the daemon's bind and search go over the network unencrypted; use `ldaps://` to the directory. Finally, because `proxy_cache_key` is the credential itself and `proxy_cache_valid 200 403 10m` caches both outcomes, a password change or account lockout in LDAP takes up to 10 minutes to be honoured here.
### Python LDAP authentication

The daemon needs python-ldap installed. Download release 0.0.4, unpack it and start the daemon in the background (it listens on 127.0.0.1:8888 by default, matching the `/auth-proxy` location above):

```shell
wget https://github.com/nginxinc/nginx-ldap-auth/archive/0.0.4.tar.gz
tar zxvf 0.0.4.tar.gz
cd nginx-ldap-auth-0.0.4
python nginx-ldap-auth-daemon.py &
```
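The subrequest contract between the nginx config above and the daemon, modelled offline as an added example (Python 3; this is not the project's daemon code): nginx forwards the `X-Ldap-*` headers plus either an `Authorization: Basic` header or the `nginxauth` cookie, both carrying base64(`user:password`); the daemon recovers the credentials, substitutes the username into `X-Ldap-Template`, searches the base DN and binds as the matched entry, answering 200 or 401 to nginx. The in-memory `DIRECTORY`, the accounts and passwords in it, and the tiny `(uid=...)` filter evaluator are constructed stand-ins for the LDAP server. The block also shows the RFC 4515 escaping that has to be applied to the username before it is placed in the filter (python-ldap ships the same routine as `ldap.filter.escape_filter_chars`); whichever daemon version you deploy, verify it does this, since `(uid=%(username)s)` with an unescaped `*)(uid=*` would rewrite the filter.

```python
"""Offline model of the /auth-proxy subrequest the nginx config above makes.

DIRECTORY stands in for the LDAP server under ou=People,dc=yiche,dc=org;
the entries, passwords and header dicts below are constructed for the example.
"""
import base64

DIRECTORY = {
    "uid=alice,ou=People,dc=yiche,dc=org": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=People,dc=yiche,dc=org":   {"uid": "bob",   "userPassword": "hunter2"},
}

# Headers as set by the proxy_set_header lines in the /auth-proxy location.
LDAP_HEADERS = {
    "X-Ldap-URL": "ldap://10.2.150.11:389",
    "X-Ldap-BaseDN": "ou=People,dc=yiche,dc=org",
    "X-Ldap-Template": "(uid=%(username)s)",
    "X-CookieName": "nginxauth",
}


def escape_filter_chars(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def basic_token(user, password):
    """base64('user:password'), the form both the Basic header and the cookie use."""
    return base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def credentials_from_headers(headers, cookie_name="nginxauth"):
    """Recover (user, password) from 'Authorization: Basic ...' or, failing
    that, from the cookie named by X-CookieName. Returns None if absent/garbled."""
    token = None
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        token = auth[6:].strip()
    elif "Cookie" in headers:
        for part in headers["Cookie"].split(";"):
            name, _, value = part.strip().partition("=")
            if name == cookie_name:
                token = value
    if not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if user else None


def build_search_filter(template, username):
    """Substitute the username into X-Ldap-Template, escaping it first so a
    crafted username cannot add or close filter components."""
    return template % {"username": escape_filter_chars(username)}


def search(base_dn, search_filter):
    """Minimal evaluator for the '(uid=<value>)' filters this setup uses;
    a real daemon hands the filter to the LDAP server instead."""
    prefix, suffix = "(uid=", ")"
    if not (search_filter.startswith(prefix) and search_filter.endswith(suffix)):
        return []
    wanted = search_filter[len(prefix):-len(suffix)]
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and attrs["uid"] == wanted]


def auth_request(headers):
    """Status code nginx would receive from /auth-proxy for these headers."""
    creds = credentials_from_headers(headers, headers.get("X-CookieName", "nginxauth"))
    if creds is None:
        return 401
    user, password = creds
    matches = search(headers["X-Ldap-BaseDN"],
                     build_search_filter(headers["X-Ldap-Template"], user))
    if len(matches) != 1:
        return 401  # unknown user, or the filter matched more than one entry
    # "Bind as the user": check the password against the single matched entry.
    return 200 if DIRECTORY[matches[0]]["userPassword"] == password else 401


def request_with_cookie(user, password):
    """Headers of a browser request that carries the nginxauth cookie."""
    return dict(LDAP_HEADERS, Cookie="nginxauth=" + basic_token(user, password))


def request_with_basic(user, password):
    """Headers of a request that uses HTTP Basic instead of the cookie."""
    return dict(LDAP_HEADERS, Authorization="Basic " + basic_token(user, password))


if __name__ == "__main__":
    print(auth_request(request_with_cookie("alice", "s3cret")))      # 200
    print(auth_request(request_with_cookie("alice", "wrong")))       # 401
    print(build_search_filter("(uid=%(username)s)", "*)(uid=*"))     # escaped filter
```

The escaping is the point to keep: with it, the injected username becomes `(uid=\2a\29\28uid=\2a)`, a literal that matches nothing, rather than `(uid=*)(uid=*)`.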
### Backend login redirect page

The default page is only good for testing and needs a few changes before it can be used. Edit backend-sample-app.py, then start it in the background (it serves `/login` on port 9000, which the nginx `/login` location proxies to):

```shell
vim backend-sample-app.py
python backend-sample-app.py &
```

The `html = """..."""` string in backend-sample-app.py, after modification, looks like this:
```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>login</title>
<style>
*{margin:0;padding:0;}
.login{
width:400px;
height:220px;
margin:0 auto;
position:absolute;
left:35%;
top:25%;
}
.login_title{
color: #000000;
font: bold 14px/37px Arial,Helvetica,sans-serif;
height: 37px;
padding-left: 35px;
text-align: left;
}
.login_cont {
background: none repeat scroll 0 0 #FFFFFF;
border: 1px solid #B8B7B7;
height: 152px;
padding-top: 30px;
}
.form_table {
float: left;
margin-top: 10px;
table-layout: fixed;
width: 100%;
}
.form_table th {
color: #333333;
font-weight: bold;
padding: 5px 8px 5px 0;
text-align: right;
white-space: nowrap;
}
.form_table td {
color: #717171;
line-height: 200%;
padding: 6px 0 5px 10px;
text-align: left;
}
.login_cont input.submit {
background-position: 0 -37px;
height: 29px;
margin: 10px 14px 0 0;
width: 38px;
}
</style>
</head>
<body>
<div class="login">
<div class="login_cont">
<p align="center">Welcome to the Kibana management platform</p>
<p align="center">Please log in with your email account and password</p>
<form action='/login' method='post'>
<table class="form_table">
<col width="60px" />
<col />
<tr>
<th>Username:</th><td><input class="normal" type="text" name="username" alt="Enter your username" />@zhidaoauto.com</td>
</tr>
<tr>
<th>Password:</th><td><input class="normal" type="password" name="password" alt="Enter your password" /></td>
</tr>
<tr>
<th></th><td><input class="submit" type="submit" value="Login" /><input class="submit" type="reset" value="Cancel" /></td>
</tr>
</table>
<input type="hidden" name="target" value="TARGET">
</form>
</div>
</div>
</body>
</html>
```

The `<style>` block now sits inside `<head>`, the two `<p>` lines sit outside the `<table>` rather than between `<col>` and `<tr>`, and the `@zhidaoauto.com` suffix is plain text in the username cell instead of a `<th>` nested inside a `<td>`. The `@zhidaoauto.com` text is only a hint to the user; what the daemon searches for is whatever is typed in the `username` field, substituted into `X-Ldap-Template`. The `TARGET` placeholder in the hidden field is replaced by backend-sample-app.py with the URL nginx passed in the `X-Target` header, so the user lands back on the page they originally requested. On a successful POST the sample app stores the submitted `username:password`, base64-encoded, in the `nginxauth` cookie; that cookie, not a session token, is what `/auth-proxy` forwards to the daemon on every later request.
### Login test

Open http://10.2.8.24:5601/ in a browser: an unauthenticated request is sent to the login page, and after a successful login the browser is redirected to Kibana with the `nginxauth` cookie set.