How to use NGINX as LDAP -> LDAPS forward proxy

Sergey A. Osokin osa at freebsd.org.ru
Mon Jan 25 14:18:26 UTC 2021


Hi Bob,

hope you're doing well these days.

On Mon, Jan 25, 2021 at 08:35:49AM +0000, Bob Brown wrote:
> I have a collection of smallish internal-facing apps sitting on a server.
> 
> I have been asked to 'secure' these apps.
> 
> The apps currently:
> + provide HTTP service to clients
> + make use of a number of internal SOAP services
> + use LDAP (Active Directory) for user authentication
> 
> The various apps are written in Java, Groovy and Python.
> 
> Rather than hack each app, I would like to take a more system-based approach
> and completely interpose nginx between them and the rest of the world: I
> would like to have the apps ONLY talk to nginx on localhost and have nginx
> stand in for the apps. All (certificate) management will then be centralised.
> I assume that nginx will be more efficient at handling SSL/TLS as well...
> 
> I believe that I can use nginx (...there seem to be lots of example materials) to handle:
> 
>   *   reverse proxy https(from world) -> http(to localhost) for client access
>   *   forward proxy SOAP(over http, from localhost) -> SOAP(over https, to world)
>       with mutual authentication
> 
> I am unsure of the LDAP->LDAPS aspect.
> 
> Is this possible?

Yes, it's possible.

> Are there any HOWTO documents/pages/blogs/... detailing this?

nginx has the ngx_http_auth_request_module and that's the recommended way to work
with authentication requests.  I'd recommend taking a look at an OSS solution,
developed inside NGINX, for integration with LDAP service.  Please take a look:
https://github.com/nginxinc/nginx-ldap-auth

> I have seen very few examples of how this might happen.
> I tried to replicate: https://jackiechen.blog/2019/01/24/nginx-sample-config-of-http-and-ldaps-reverse-proxy/
> 
> This gave me errors about ssl_certificate not being usable at the specific
> location in the config file. I assume new versions of nginx use a slightly
> different config file format?

All versions of nginx use the same configuration file format.

> Suggestions/thoughts gratefully received.

-- 
Sergey Osokin
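
A TCP-level way to do the LDAP -> LDAPS hop asked about in this thread, using the stream module's proxy_ssl directives. This is an added example, not configuration from either poster or from nginx-ldap-auth; the hostname and CA file path are placeholders.

```nginx
# Goes in the main context of nginx.conf, as a sibling of http {}, not inside it.
# Requires nginx built with --with-stream and --with-stream_ssl_module.
stream {
    server {
        # Cleartext LDAP is accepted on loopback only, so unencrypted binds
        # never leave the host.
        listen 127.0.0.1:389;

        # Placeholder domain controller, LDAPS port.
        proxy_pass dc1.example.internal:636;
        proxy_connect_timeout 5s;

        # Wrap the upstream leg in TLS.
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # proxy_ssl_verify defaults to off. Without it the connection is
        # encrypted but the server certificate is never checked.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/ca/ad-issuing-ca.pem;  # placeholder path

        # Name the certificate must match, also sent as SNI.
        proxy_ssl_name dc1.example.internal;
        proxy_ssl_server_name on;
    }
}
```

The apps then point their LDAP URL at ldap://127.0.0.1:389. Run `nginx -t` after editing; server-side directives such as ssl_certificate are only needed when nginx itself terminates TLS on a `listen ... ssl` socket, which this listener does not.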

