驻旨专讗指讛讗指住讟注专 > 讘诇讗指讙 > 讗址讚诪讬谞讬住讟专讗址爪讬注 > Nginx Recipes: LDAP Authorization with Captcha

Nginx Recipes: LDAP Authorization with Captcha

爪讜 爪讜讙专讬讬讟谉 讚注专诇讜讬讘注谞讬砖 诪讬讟 拽讗址驻旨讟讟砖讗址, 诪讬专 讚讗址专驻挚谉 谞讙讬谞拽住 讗讜谉 讝讬讬址谉 驻旨诇讜讙讬谞住 注谞拽专讬驻旨讟讬讚-住注住讬注, 驻讗指专注诐-讗址专讬讬址谉, ctpp2, 驻注诇谉, ldap, 讻注讚注专讝-诪注专, auth_request, 砖讟注诇谉-诪讬住拽. (讗讬讱 讛讗指讘 爪讜讙注砖讟注诇讟 诇讬谞拽住 爪讜 诪讬讬谉 驻讗指专拽住, 讜讜讬讬址诇 讗讬讱 讙注诪讗讻讟 注讟诇注讻注 注谞讚注专讜谞讙注谉 讜讜讗指住 讝注谞注谉 谞讗指讱 谞讬砖讟 驻旨讜砖讟 讗讬谉 讚讬 讗指专讬讙讬谞注诇 专讬驻旨讗址讝讗址讟讗指专讬讝. 讗讬专 拽注谞注谉 讗讜讬讱 谞讜爪谉 驻讗址专讟讬拽.)

爪讜 讗指谞讛讬讬讘谉 诪讬讟, 诇讗指讝谉 住 砖讟注诇谉 

encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456";

讜讜讬讬址讟注专, 谞讗指专 讗讬谉 驻讗址诇, 讚讬住讬讬讘讗址诇 讚讬 讚注专诇讜讬讘注谞讬砖 讻注讚注专 

more_clear_input_headers Authorization;

讗讬爪讟 诪讬专 讘讗址砖讬爪谉 讗址诇抓 诪讬讟 讚注专诇讜讬讘注谞讬砖 

auth_request /auth;
location =/auth {
    internal;
    subrequest_access_phase on; # 褉邪蟹褉械褕邪械屑 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 褎邪蟹褍 胁 锌芯写蟹邪锌褉芯褋械
    auth_request off; # 薪械 懈褋锌芯谢褜蟹芯胁邪褌褜 邪胁褌芯褉懈蟹邪褑懈褞
    set_decode_base64 $auth_decode $cookie_auth; # 褉邪褋泻芯写懈褉褍械屑 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 泻褍泻褍
    set_decrypt_session $auth_decrypt $auth_decode; # 褉邪褋褕懈褎褉芯胁褘胁邪械屑 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 泻褍泻褍
    if ($auth_decrypt = "") { return 401 UNAUTHORIZED; } # 械褋谢懈 薪械 褍写邪谢芯褋褜 褉邪褋褕懈褎褉芯胁邪褌褜, 褌芯 蟹薪邪褔懈褌 锌芯谢褜蟹芯胁邪褌械谢褜 薪械 邪胁褌芯褉懈蟹芯胁邪薪
    more_set_input_headers "Authorization: Basic $auth_decrypt"; # 锌芯写屑械薪懈褌褜 邪胁褌芯褉懈蟹邪褑懈褞 薪邪 basic (褔褌芯斜褘 懈褋锌芯谢褜蟹芯胁邪褌褜 锌械褉械屑械薪薪褍褞 $remote_user)
    auth_basic_ldap_realm Auth; # 胁泻谢褞褔邪械屑 ldap 邪胁褌芯褉懈蟹邪褑懈褞
    auth_basic_ldap_url ldap://ldap.server.com; # 蟹邪写邪褢屑 邪写褉械褋
    auth_basic_ldap_bind_dn dn.server.com; # 蟹邪写邪褢屑 锌芯褋褌褎懈泻褋
    echo -n OK; # 锌芯谢褜蟹芯胁邪褌械谢褜 邪胁褌芯褉懈蟹芯胁邪薪
}

驻挚讗址专 讗指讟注专讬讬讝讚 讬讜讝注专讝 诪讬专 讜讜讬讬址讝谉 讗讬谞讛讗址诇讟 驻讜谉 讝讬讬注专 讟注拽注 

location / {
    alias html/$remote_user/;
}

讗讜谉 讗讜讬讘 注住 讗讬讝 拽讬讬谉 讚注专诇讜讬讘注谞讬砖, 诪讬专 讜讜讬讬址讝谉 讗址 讚注专诇讜讬讘注谞讬砖 驻讗指专注诐 诪讬讟 讗址 拽讗址驻旨讟讟砖讗址 

error_page 401 = @error401;
location @error401 {
    set_escape_uri $request_uri_escape $request_uri; # 泻芯写懈褉褍械屑 蟹邪锌褉芯褋
    return 303 /login?request_uri=$request_uri_escape; # 锌械褉械薪邪锌褉邪胁谢褟械屑 薪邪 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 褎芯褉屑褍 褋 泻邪锌褔械泄, 褋芯褏褉邪薪懈胁 蟹邪锌褉芯褋
}
location =/login {
    default_type "text/html; charset=utf-8"; # 蟹邪写邪褢屑 褌懈锌
    if ($request_method = GET) { # 械褋谢懈 褌芯谢褜泻芯 锌芯泻邪蟹邪褌褜 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 褎芯褉屑褍 褋 泻邪锌褔械泄
        template login.html.ct2; # 蟹邪写邪褢屑 褕邪斜谢芯薪
        ctpp2 on; # 胁泻谢褞褔邪械屑 褕邪斜谢芯薪懈蟹邪褌芯褉
        set_secure_random_alphanum $csrf_random 32; # 蟹邪写邪褢屑 褋谢褍褔邪泄薪芯械 csrf
        encrypted_session_expires 300; # 蟹邪写邪褢屑 胁褉械屑褟 卸懈蟹薪懈 csrf 5 屑懈薪褍褌 (5 * 60 = 300)
        set_encrypt_session $csrf_encrypt $csrf_random; # 蟹邪褕懈褎褉芯胁褘胁邪械屑 褋谢褍褔邪泄薪芯械 csrf
        set_encode_base64 $csrf_encode $csrf_encrypt; # 泻芯写懈褉褍械屑 蟹邪褕懈褎褉芯胁邪薪薪芯械 csrf
        add_header Set-Cookie "CSRF=$csrf_encode; Max-Age=300"; # 锌芯屑械褖邪械屑 蟹邪褕懈褎褉芯胁邪薪薪芯械 csrf 胁 泻褍泻褍 薪邪 5 屑懈薪褍褌 (5 * 60 = 300)
        return 200 "{"csrf":"$csrf_random"}"; # 胁芯蟹胁褉邪褖邪械屑 json 写谢褟 褕邪斜谢芯薪懈蟹邪褌芯褉邪
    } # 懈薪邪褔械 - 芯斜褉邪斜芯褌邪褌褜 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 褎芯褉屑褍 褋 泻邪锌褔械泄
    set_form_input $csrf_form csrf; # 锌芯谢褍褔邪械屑 csrf 懈蟹 褎芯褉屑褘
    set_unescape_uri $csrf_unescape $csrf_form; # 褉邪褋泻芯写懈褉褍械屑 csrf 懈蟹 褎芯褉屑褘
    set_decode_base64 $csrf_decode $cookie_csrf; # 褉邪褋泻芯写懈褉褍械屑 csrf 懈蟹 泻褍泻懈
    set_decrypt_session $csrf_decrypt $csrf_decode; # 褉邪褋褕懈褎褉芯胁褘胁邪械屑 csrf 懈蟹 泻褍泻懈
    if ($csrf_decrypt != $csrf_unescape) { return 303 $request_uri; } # 械褋谢懈 csrf 懈蟹 褎芯褉屑褘 薪械 褋芯胁锌邪写邪械褌 褋 csrf 懈蟹 泻褍泻懈, 褌芯 锌械褉械薪邪锌褉邪胁懈褌褜 薪邪 锌芯泻邪蟹 褎芯褉屑褘 褋薪芯胁邪
    set_form_input $captcha_form captcha; # 锌芯谢褍褔邪械屑 泻邪锌褔褍 懈蟹 褎芯褉屑褘
    set_unescape_uri $captcha_unescape $captcha_form; # 褉邪褋泻芯写懈褉褍械屑 泻邪锌褔褍 懈蟹 褎芯褉屑褘
    set_md5 $captcha_md5 "secret${captcha_unescape}${csrf_decrypt}"; # 褋褔懈褌邪械屑 md5
    if ($captcha_md5 != $cookie_captcha) { return 303 $request_uri; } # 械褋谢懈 md5 薪械 褋芯胁锌邪写邪械褌 褋 泻邪锌褔械泄 懈蟹 泻褍泻懈, 褌芯 锌械褉械薪邪锌褉邪胁懈褌褜 薪邪 锌芯泻邪蟹 褎芯褉屑褘 褋薪芯胁邪
    set_form_input $username_form username; # 锌芯谢褍褔邪械屑 谢芯谐懈薪 懈蟹 褎芯褉屑褘
    set_form_input $password_form password; # 锌芯谢褍褔邪械屑 锌邪褉芯谢褜 懈蟹 褎芯褉屑褘
    set_unescape_uri $username_unescape $username_form; # 褉邪褋泻芯写懈褉褍械屑 谢芯谐懈薪 懈蟹 褎芯褉屑褘
    set_unescape_uri $password_unescape $password_form; # 褉邪褋泻芯写懈褉褍械屑 锌邪褉芯谢褜 懈蟹 褎芯褉屑褘
    encrypted_session_expires 2592000; # 蟹邪写邪褢屑 胁褉械屑褟 卸懈蟹薪懈 褋械褋褋懈懈 30 写薪械泄 (30 * 24 * 60 * 60 = 2592000)
    set $username_password "$username_unescape:$password_unescape"; # 蟹邪写邪褢屑 basic 邪胁褌芯褉懈蟹邪褑懈褞
    set_encode_base64 $username_password_encode $username_password; # 泻芯写懈褉褍械屑 basic 邪胁褌芯褉懈蟹邪褑懈褞
    set_encrypt_session $auth_encrypt $username_password_encode; # 蟹邪褕懈褎褉芯胁褘胁邪械屑 basic 邪胁褌芯褉懈蟹邪褑懈褞
    set_encode_base64 $auth_encode $auth_encrypt; # 泻芯写懈褉褍械屑 蟹邪褕懈褎褉芯胁邪薪薪褍褞 basic 邪胁褌芯褉懈蟹邪褑懈褞
    add_header Set-Cookie "Auth=$auth_encode; Max-Age=2592000"; # 锌芯屑械褖邪械屑 蟹邪褕懈褎褉芯胁邪薪薪褍褞 basic 邪胁褌芯褉懈蟹邪褑懈褞 胁 邪胁褌芯褉懈蟹邪褑懈芯薪薪褍褞 泻褍泻褍 薪邪 30 写薪械泄 (30 * 24 * 60 * 60 = 2592000)
    set $arg_request_uri_or_slash $arg_request_uri; # 泻芯锌懈褉褍械屑 蟹邪锌褉芯褋 懈蟹 邪褉谐褍屑械薪褌邪
    set_if_empty $arg_request_uri_or_slash "/"; # 械褋谢懈 邪褉谐褍屑械薪褌 薪械 蟹邪写邪薪, 褌芯 薪邪褔邪谢芯
    set_unescape_uri $request_uri_unescape $arg_request_uri_or_slash; # 褉邪褋泻芯写懈褉褍械屑 蟹邪锌褉芯褋
    return 303 $request_uri_unescape; # 锌械褉械薪邪锌褉邪胁谢褟械屑 薪邪 褋芯褏褉邪薪褢薪薪褘泄 蟹邪锌褉芯褋
}

login.html

<html>
    <body>
        <form method="post">
            <input type="hidden" name="csrf" value="<TMPL_var csrf>" />
            username: <input type="text" name="username" placeholder="Enter User Name..." /><br />
            password: <input type="password" name="password" /><br />
            captcha: <img src="/captcha?csrf=<TMPL_var csrf>"/><input type="text" name="captcha" autocomplete="off" /><br />
            <input type="submit" name="submit" value="submit" />
        </form>
    </body>
</html>

诪拽讜专: www.habr.com

诇讬讬讙谉 讗址 讘讗址诪注专拽讜谞讙