FreeIPAによるNginx認証の問題

FreeIPAによるNginx認証の問題

仮想マシンにDockerを設定し、FreeIPAサーバーとnginx-ldap-auth-daemon用の2つのコンテナを起動しました。私は提供された指示に従いました。https://github.com/nginxinc/nginx-ldap-auth#required-modsNginxでLDAP認証を設定します。

/userの場所を追加してngixn-ldap-auth.confファイルを変更した後に問題が発生しました。 localhost:8081/userページにアクセスすると、認証ウィンドウが表示されます。資格情報を入力してEnterキーを押すと、認証ウィンドウが再び表示され、ページに表示されることを期待するメッセージは表示されません。

問題を解決するために、nginx.confファイルに/ userの場所を追加し、nginx-ldap-auth.confファイルにコメントアウトしました。その後、Nginxを再起動しました。ただし、再度 localhost:8081/user ページにアクセスして認証データを入力すると、「502 Bad Gateway」エラーが発生し、localhost:8081/login ページにリダイレクトされます。

構成:

cat /etc/nginx/conf.d/nginx-ldap-auth.conf
#error_log logs/error.log debug;

#events { }

#http {
    proxy_cache_path cache/  keys_zone=auth_cache:10m;

    # The back-end daemon listens on port 9000 as implemented
    # in backend-sample-app.py.
    # Change the IP address if the daemon is not running on the
    # same host as NGINX/NGINX Plus.
    upstream backend {
        server 127.0.0.1:9000;
    }

    # NGINX/NGINX Plus listen on port 8081 for requests that require
    # authentication. Change the port number as appropriate.
    server {
        listen 8081;
  root /var/www/html;
        # Protected application
        location / {
            auth_request /auth-proxy;

            # redirect 401 to login form
            # Comment them out if using HTTP basic authentication.
            # or authentication popup won't show
            error_page 401 =200 /login;
    
            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # Login service returns a redirect to the original URI
            # and sets the cookie for the ldap-auth daemon
            proxy_set_header X-Target $request_uri;
  }
  

#  location /user {
#    auth_request /auth-proxy;
#    index index.user.html;
#    proxy_pass http://backend;
#  }



        location = /auth-proxy {
            internal;

            # The ldap-auth daemon listens on port 8888, as set
            # in nginx-ldap-auth-daemon.py.
            # Change the IP address if the daemon is not running on
            # the same host as NGINX/NGINX Plus.
            proxy_pass http://127.0.0.1:8888;

            proxy_pass_request_body off;
            proxy_pass_request_headers off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;

            # The following directive adds the cookie to the cache key
            proxy_cache_key "$http_authorization$cookie_nginxauth";

            # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
            # communicates with a LDAP server, passing in the following
            # parameters to specify which user account to authenticate. To
            # eliminate the need to modify the Python code, this file contains
            # 'proxy_set_header' directives that set the values of the
            # parameters. Set or change them as instructed in the comments.
            #
            #    Parameter      Proxy header
            #    -----------    ----------------
            #    url            X-Ldap-URL
            #    starttls       X-Ldap-Starttls
            #    basedn         X-Ldap-BaseDN
            #    binddn         X-Ldap-BindDN
            #    bindpasswd     X-Ldap-BindPass
            #    cookiename     X-CookieName
            #    realm          X-Ldap-Realm
            #    template       X-Ldap-Template

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com'.
            # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
            proxy_set_header X-Ldap-URL      "ldap://127.0.0.2";

            # (Optional) Establish a TLS-enabled LDAP session after binding to the
            # LDAP server.
            # This is the 'proper' way to establish encrypted TLS connections, see
            # http://www.openldap.org/faq/data/cache/185.html
            #proxy_set_header X-Ldap-Starttls "true";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "CN=users,CN=compat,dc=ipa,dc=test,dc=local";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN   "CN=admin,dc=ipa,dc=test,dc=local";
            # (Required) Set the Bind password, by replacing 'secret'.
            proxy_set_header X-Ldap-BindPass "password";

Бычковский Сергей, [05.07.2023 13:31]
# (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Comment them out if using HTTP basic
            # authentication.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
      #proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=users,cn=accounts,dc=ipa,dc=test,dc=local))";

            # (Optional) Uncomment if using HTTP basic authentication
            #proxy_set_header Authorization $http_authorization;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

            # (May be required if using Microsoft Active Directory and
            # getting "In order to perform this operation a successful bind
            # must be completed on the connection." errror)
            #proxy_set_header X-Ldap-DisableReferrals "true";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in
            # nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' which is the default set
            # in nginx-ldap-auth-daemon.py.
            #proxy_set_header X-Ldap-Realm    "Restricted";
        }
    }
#}
grep -v '^$\|^#' /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
  worker_connections 768;
  # multi_accept on;
}
http {
  ##
  # Basic Settings
  ##
  sendfile on;
  tcp_nopush on;
  types_hash_max_size 2048;
  # server_tokens off;
  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  ##
  # SSL Settings
  ##
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;
  ##
  # Logging Settings
  ##
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  ##
  # Gzip Settings
  ##
  gzip on;
  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  ##
  # Virtual Host Configs
  ##
  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
  server {
    server_name localhost;  
    root /var/www/html;
    location /user {
      auth_request /auth-proxy;
      index index.user.html;
      proxy_pass http://backend;
    }
  }  
  
}

この問題をどのように解決できますか?

関連情報