Nginx对接AD

安装NGINX

编译二进制nginx和第三方模块

1.初始化系统

下面配置的是阿里源

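# Point yum at the Aliyun mirror. Run this as root (or prefix every command with sudo;
# the original mixed both, which fails on the non-sudo lines for an unprivileged user).
yum -y install wget vim
# Keep a copy of the stock repo file before replacing it.
cd /etc/yum.repos.d || exit 1
mv CentOS-Base.repo CentOS-Base.repo.bak
# Fetch the repo definitions over HTTPS. A repo file pulled over plain HTTP can be
# altered in transit (baseurl swapped, gpgcheck turned off), after which every package
# installed from it is untrusted -- the RPM signature check cannot save you if the
# attacker also controls the gpgkey line.
wget -O CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# EPEL from the same mirror, same reasoning.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Remove the *.aliyuncs.com mirror entries (presumably the Alibaba-Cloud-internal
# hosts, unreachable from outside -- verify against the repo file you downloaded).
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
# Rebuild the metadata cache against the new sources.
yum clean all
yum makecache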

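# Do NOT switch off firewalld or SELinux for this setup (the original did both).
# Open only the port nginx will listen on (8081 in the config below) and leave
# everything else closed.
firewall-cmd --permanent --add-port=8081/tcp
firewall-cmd --reload
# SELinux stays enforcing. NOTE(review): a self-built nginx under /opt is normally
# not labelled httpd_exec_t and so is not confined by the httpd policy -- confirm
# with `ls -Z /opt/nginx/sbin/nginx`. If you install to /usr/sbin instead (see the
# example build below) and the LDAP bind is denied, allow the outbound connection
# with `setsebool -P httpd_can_network_connect on` and read
# `ausearch -m AVC -ts recent` rather than setting SELINUX=disabled.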

2. 安装nginx和第三方模块nginx-auth-ldap

从 https://nginx.org/en/download.html 下载 nginx 源码包到 /usr/local/src 下解压。下方脚本使用的是 nginx-1.19.4.tar.gz,说明与脚本应保持一致(原文写的 1.6.3 与脚本不符);实际部署时请选择当前仍在维护、已修复已知漏洞的版本,并校验下载文件的 PGP 签名后再编译。

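# Build dependencies: compiler toolchain, PCRE (regex locations), zlib (gzip), OpenSSL (TLS).
yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel git
# nginx-auth-ldap links against libldap, so it needs the OpenLDAP headers.
yum -y install openldap-devel
# Third-party module pulled straight from GitHub; it is not maintained by the nginx
# project. Pin the checkout to a commit you have reviewed
# (git -C /root/nginx-auth-ldap checkout <commit>) instead of building whatever
# HEAD happens to be on the day you run this.
cd /root && git clone https://github.com/kvspb/nginx-auth-ldap.git
# nginx source: fetch over HTTPS and verify the detached signature against the
# nginx signing key (import it first from https://nginx.org/en/pgp_keys.html).
cd /usr/local/src && wget https://nginx.org/download/nginx-1.19.4.tar.gz
wget https://nginx.org/download/nginx-1.19.4.tar.gz.asc
gpg --verify nginx-1.19.4.tar.gz.asc nginx-1.19.4.tar.gz || exit 1
# Unpack the verified tarball.
tar -zxvf nginx-1.19.4.tar.gz
# configure must run inside the extracted source tree. The original ran it from
# /usr/local/src and joined the commands with "%%", which is not a shell operator,
# so the line could never have worked as written.
cd /usr/local/src/nginx-1.19.4 && ./configure --prefix=/opt/nginx/ \
  --with-pcre \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --add-module=/root/nginx-auth-ldap/ \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/nginx.lock

make && make install

# Put the binary on PATH.
ln -s /opt/nginx/sbin/nginx /usr/bin/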

2.1 常用编译选项说明

nginx 大部分常用模块在编译时默认启用,`./configure --help` 中以 `--without` 开头的选项用于关闭它们;以 `--with` 开头的模块(例如 http_ssl_module)默认不启用,需要显式指定。

  • --prefix=PATH : 指定nginx的安装目录。默认 /usr/local/nginx
  • --conf-path=PATH : 设置nginx.conf配置文件的路径。nginx允许使用不同的配置文件启动,通过命令行中的-c选项。默认为prefix/conf/nginx.conf
  • --user=name: 设置nginx工作进程的用户。安装完成后,可以随时在nginx.conf配置文件更改user指令。默认的用户名是nobody。--group=name类似。工作进程不应以root运行,建议使用专用的、无登录shell的系统账户。
  • --with-pcre : 设置PCRE库的源码路径,如果已通过yum方式安装,使用--with-pcre自动找到库文件。使用--with-pcre=PATH时,需要从PCRE网站下载pcre库的源码并解压,剩下的就交给Nginx的./configure和make来完成。perl正则表达式使用在location指令和 ngx_http_rewrite_module模块中。
  • --with-zlib=PATH : 指定 zlib 的源码解压目录。在默认就启用的网络传输压缩模块ngx_http_gzip_module时需要使用zlib 。
  • --with-http_ssl_module : 使用https协议模块。默认情况下,该模块没有被构建。前提是openssl与openssl-devel已安装。本文的LDAP基本认证会在每个请求中以仅做base64编码的明文传输用户口令,因此对外提供服务时必须启用该模块并只通过https访问。
  • --with-http_stub_status_module : 用来监控 Nginx 的当前状态。对应的status location应限制来源IP或加认证,避免对外暴露。
  • --with-http_realip_module : 通过这个模块允许我们改变客户端请求头中客户端IP地址值(例如X-Real-IP 或 X-Forwarded-For),意义在于能够使得后台服务器记录原始客户端的IP地址。必须配合set_real_ip_from只信任已知的上游代理地址,否则任何客户端都可以自行伪造X-Forwarded-For头来篡改日志或绕过基于IP的访问控制。
  • --add-module=PATH : 添加第三方外部模块,如nginx-sticky-module-ng或缓存模块。每次添加新的模块都要重新编译(Tengine可以在新加入module时无需重新编译)。第三方模块与nginx同进程运行,其漏洞等同于nginx自身的漏洞,引入前应审查代码并固定到具体版本。

示例编译文件

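# Example ./configure invocation. Line continuations must be backslashes; the
# original listing used "/" and pasted the interactive "> " prompts, so it could
# not be run as written. --user/--group=nginx presume the account already exists
# (useradd -r -s /sbin/nologin nginx) and the temp directories under /var/tmp/nginx
# must exist and be writable by that user.
./configure \
  --prefix=/usr \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --http-client-body-temp-path=/var/tmp/nginx/client/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
  --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
  --with-pcre=../pcre-7.8 \
  --with-zlib=../zlib-1.2.3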

2.2 启动关闭nginx

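## Check the configuration before starting or reloading. The original listing used
## "# " as a root prompt and paths under /usr/local/nginx-1.6, which do not match the
## build above (--prefix=/opt/nginx, symlinked into /usr/bin); "nginx" here is that symlink.
nginx -t                                   # parse /etc/nginx/nginx.conf and report errors
nginx -V                                   # show the ./configure flags and compiled-in modules
## Start / stop
nginx                                      # uses the --conf-path from the build; -c overrides it
nginx -s quit                              # graceful shutdown: in-flight requests finish first
nginx -s stop                              # fast shutdown (same as pkill -TERM nginx)
## Reload the configuration in place; keeps the config file given at start time
nginx -s reload
# Equivalent signal; the pid file is the --pid-path chosen at build time
kill -HUP "$(cat /var/run/nginx/nginx.pid)"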

配置NGINX和对接AD

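worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # LDAP backend for nginx-auth-ldap. ldap_server is an http{}-level directive.
    ldap_server ad_1 {
      # Search base on the Global Catalog port (3268). NOTE(review): plain ldap://
      # sends the bind password and every end user's password to the DC in
      # cleartext; use ldaps:// on 3269 and turn on the module's server-certificate
      # check (see the module README for the exact directive names).
      url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
      # Service account used for the search bind. Give it read-only rights and
      # nothing else: its password sits in cleartext in this file, so keep
      # nginx.conf readable by root only (the master process runs as root).
      binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
      # Quoted so a password containing ';', '#' or whitespace does not break parsing.
      binddn_passwd "<PUT Operator's PASSWORD HERE>";
      # Group membership is read from the group's "member" attribute, which holds full DNs.
      group_attribute member;
      group_attribute_is_dn on;
      # "any": one matching require line is enough; "all" would demand every line to match.
      satisfy any;
      # Allowed groups.
      require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
      require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com";
      # Allowed individual users. 'require valid_user' (anyone who can bind) is a
      # superset of 'require user' and must not be combined with it.
      # require valid_user;
      require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
      require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
    }

    # server{} must be nested inside http{}. The original closed http{} before
    # the server block, which nginx -t rejects ("server" directive is not allowed here).
    server {
      # HTTP Basic credentials are only base64-encoded. Do not expose this listener
      # in plaintext: use `listen 8081 ssl;` with ssl_certificate/ssl_certificate_key,
      # or put it behind a TLS-terminating front end.
      listen       8081;
      server_name  localhost;

      location / {
        # Every request under / must authenticate against ad_1.
        auth_ldap "Closed content";
        auth_ldap_servers ad_1;

        root html;
        index index.html index.htm;
      }

      error_page   500 502 503 504  /50x.html;

      location = /50x.html {
        root html;
      }
    }
}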

参考链接

https://amos-x.com/index.php/amos/archives/centos7-nginx-ldap/

https://github.com/kvspb/nginx-auth-ldap

https://www.runoob.com/w3cnote/nginx-install-and-config.html

https://blog.csdn.net/qq_15071263/article/details/85688546