The prerequisite http_auth_request module is included in both NGINX Plus packages and prebuilt NGINX binaries.

How Authentication Works in the Reference Implementation

To perform authentication, the http_auth_request module makes an HTTP subrequest to the ldap‑auth daemon, which acts as intermediary and interprets the subrequest for the LDAP server: it uses HTTP for communication with NGINX Plus and the appropriate API for communication with the LDAP server.

We assume that if you're interested in the reference implementation, you already have an application or other resources you want to protect by requiring authentication. To make it easier to test the reference implementation, however, we're providing a sample backend daemon, also written in Python, which listens on port 9000. It can stand in for an actual HTTP application during testing, by prompting for user credentials and creating a cookie based on them.

Here's a step‑by‑step description of the authentication process in the reference implementation. The details are determined by settings in the nf configuration file; see Configuring the Reference Implementation below. The flowchart below the steps summarizes the process.

1. A client sends an HTTP request for a protected resource hosted on a server for which NGINX Plus is acting as reverse proxy.
2. NGINX Plus (specifically, the http_auth_request module) forwards the request to the ldap‑auth daemon, which responds with HTTP code 401 because no credentials were provided.
3. NGINX Plus forwards the request to the URL that corresponds to the backend daemon. It writes the original request URI to the X-Target header of the forwarded request.
4. The backend daemon sends the client a login form (the form is defined in the Python code for the daemon). As configured by the error_page directive, NGINX sets the HTTP code on the login form to 200.
5. The user fills in the Username and Password fields on the form and clicks the Login button. Per the code in the form, the client generates an HTTP POST request directed to /login, which NGINX Plus forwards to the backend daemon.
6. The backend daemon constructs a string of the format username:password, applies Base64 encoding, generates a cookie called nginxauth with its value set to the encoded string, and sends the cookie to the client. It sets the httponly flag to prevent use of JavaScript to read or manipulate the cookie (protecting against the cross‑site scripting vulnerability).
7. The client retransmits its original request (from Step 1), this time including the cookie in the Cookie field of the HTTP header.
8. NGINX Plus forwards the request to the ldap‑auth daemon (as in Step 2).
9. The ldap‑auth daemon decodes the cookie, and sends the username and password to the LDAP server in an authentication request.
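The cookie handling in Steps 6 and 9, modelled in Python as an added illustration (this is not code from the nginx-ldap-auth project). It builds the nginxauth cookie the backend daemon sets, then decodes it the way the ldap‑auth daemon must before binding; the ldap_bind callable is an assumed stand-in for the real LDAP server, and the decoder splits on the first colon so that passwords containing ':' survive the round trip.

```python
import base64
from http.cookies import CookieError, SimpleCookie
from typing import Callable, Optional, Tuple

COOKIE_NAME = "nginxauth"   # cookie name used by the reference implementation


def make_auth_cookie(username: str, password: str) -> str:
    """Step 6: Base64(username:password) in an HttpOnly cookie (Set-Cookie value)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True   # JavaScript cannot read the credential cookie
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output(header="").strip()


def parse_auth_cookie(cookie_header: str) -> Optional[Tuple[str, str]]:
    """Step 9: recover (username, password) from the client's Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    try:
        # validate=True rejects junk instead of silently decoding a partial value
        raw = base64.b64decode(morsel.value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None                       # malformed token, not user:pass
    user, _, password = raw.partition(":")  # first colon only; password may contain ':'
    return (user, password) if user else None


def auth_subrequest_status(cookie_header: str,
                           ldap_bind: Callable[[str, str], bool]) -> int:
    """What the auth subrequest (Steps 2 and 9) returns to http_auth_request."""
    creds = parse_auth_cookie(cookie_header)
    if creds is None:
        return 401                        # no usable credentials yet (Step 2)
    return 200 if ldap_bind(*creds) else 401
```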