The SPNEGO HTTP Auth Extension for Nginx is a flexible authentication solution designed to extend the capabilities of the spnego-http-auth-nginx-module. It enhances Nginx’s authentication mechanism by providing additional user and group authentication features. This extension is particularly useful in environments where enhanced security and precise access control are required.
- User Authentication: Validates users based on their usernames, ensuring that only authorized individuals can access specific resources.
- Group Authentication: Offers the ability to authenticate users based on group membership, adding an extra layer of security and organizational control.
- Integration with Active Directory: Utilizes connections to Active Directory (AD) servers for user and group verification, making it suitable for enterprise environments.
- SPNEGO Support: Works in conjunction with the SPNEGO module, thus supporting Kerberos authentication mechanisms.
Requirements:

- Python 3.9+
- Python-GSSAPI's requirements (see: pythongssapi/python-gssapi)
Configure GSS authentication.
```nginx
auth_gss on;
auth_gss_keytab /path/to/keytab;
```
Add location block for additional authentication.
```nginx
location /auth/ {                                     # (1)
    internal;                                         # (2)
    proxy_set_header X-Remote-User $remote_user;      # (3)
    proxy_set_header X-Request-Uri $request_uri;      # (4)
    proxy_set_header X-Server-Port $server_port;      # (5)
    proxy_pass http://localhost:5000/auth/;           # (6)
}
```
1. Define a location block for handling authentication subrequests.
2. Mark this location `internal` so it can only be reached by nginx subrequests (such as the one `auth_request` issues), never directly by clients.
3. Pass the username that the SPNEGO module authenticated (`$remote_user`) to the authentication server.
4. Pass the original request URI to the authentication server. Note that the nginx variable is `$request_uri` (underscore, not hyphen); it is the raw request line, including any query string.
5. Pass the server port to the authentication server; the ACL file is keyed by port.
6. Forward the subrequest to the authentication server listening on localhost port 5000. Since only the headers matter to it, the nginx `auth_request` documentation also recommends adding `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` to this location.
Add location block for application.
```nginx
location /.../ {
    auth_request /auth/;                              # (1)
    proxy_set_header X-Remote-User $remote_user;      # (2)
    proxy_pass https://example.com/.../;              # (3)
}
```
1. Require the additional authorization check for this location: every request triggers a subrequest to `/auth/`, and the request is only proxied if that subrequest returns 2xx.
2. (Optional) Pass the remote user's username to the application server.
3. Forward the request to the application server.
Create a configuration file in JSON and, using the server ports and URL prefixes as keys, specify for each URL an array of usernames and/or the DNs of groups allowed to access it. URLs not listed in this file are not further restricted: any user authenticated via SPNEGO is allowed. URL keys are matched by prefix, and when several prefixes match the longest one wins, so a more specific entry such as `/app2/admin/` replaces the `/app2/` entry entirely rather than adding to it; users who need both must be listed under both.
```json
{
  "443": {
    "/app1/": {
      "users": [
        "user1",
        "user2"
      ],
      "groups": [
        "CN=Managers,OU=Sales,DC=example,DC=com",
        ...
      ]
    },
    "/app2/": {
      ...
    },
    "/app2/admin/": {
      ...
    },
    ...
  },
  "80": {
    "/app1/": {
      ...
    },
    ...
  },
  ...
}
```
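The decision the authentication server has to make from the three forwarded headers (X-Remote-User, X-Request-Uri, X-Server-Port) and the ACL file above can be written out in a few dozen lines. The following is an added example, not the project's own code: it parses an ACL in the page's format (the sample ACL is constructed here), performs the longest-prefix match, and checks user and group membership. Function names are assumptions, and the user's group DNs are assumed to come from an AD/LDAP lookup that is not shown. One detail the example handles that the nginx snippet does not make obvious: `$request_uri` is the raw request line, so the path is percent-decoded and normalized before matching, otherwise a request for `/app1/../app2/admin/` would be checked against the `/app1/` rule while nginx serves it from `/app2/admin/`.

```python
"""ACL decision logic for the auth_request backend described above.

Added example, not the project's own code. It mirrors the JSON layout on this
page and the three headers the nginx subrequest forwards (X-Remote-User,
X-Request-Uri, X-Server-Port). Function names and the constructed ACL are
assumptions; the user's group DNs are assumed to come from an AD/LDAP lookup
that is not shown here.
"""
import json
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample ACL in the page's format (not the project's own file).
SAMPLE_ACL_JSON = """
{
  "443": {
    "/app1/": {"users": ["user1", "user2"], "groups": []},
    "/app2/": {"users": [], "groups": ["CN=Staff,OU=Sales,DC=example,DC=com"]},
    "/app2/admin/": {"users": ["admin1"],
                     "groups": ["CN=Managers,OU=Sales,DC=example,DC=com"]}
  },
  "80": {
    "/app1/": {"users": ["user1"], "groups": []}
  }
}
"""


def load_acl(text: str) -> dict:
    """Parse the ACL; casefold users and group DNs because AD account names
    and distinguished names compare case-insensitively."""
    acl = {}
    for port, rules in json.loads(text).items():
        acl[str(port)] = {
            prefix: {
                "users": {u.casefold() for u in rule.get("users", [])},
                "groups": {g.casefold() for g in rule.get("groups", [])},
            }
            for prefix, rule in rules.items()
        }
    return acl


def normalize_path(request_uri: str) -> Optional[str]:
    """Reduce the raw X-Request-Uri to the path nginx routes on.

    $request_uri is the unmodified request line: it still carries the query
    string, percent-encoding, repeated slashes and '..' segments, while nginx
    picks the location from the decoded, normalized $uri. Returns None for
    anything that is not an origin-form path so the caller can deny it.
    """
    raw_path = request_uri.split("?", 1)[0]
    if not raw_path.startswith("/"):
        return None
    path = "/" + posixpath.normpath(unquote(raw_path)).lstrip("/")
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"          # normpath drops the trailing slash the prefixes rely on
    return path


def match_rule(acl: dict, server_port, path: str):
    """Longest-prefix match among this port's keys; (None, None) if the URL is
    not listed, which the page defines as 'no additional restriction'."""
    rules = acl.get(str(server_port), {})
    candidates = [p for p in rules if path.startswith(p)]
    if not candidates:
        return None, None
    best = max(candidates, key=len)
    return best, rules[best]


def is_authorized(acl: dict, server_port, request_uri: str,
                  remote_user: str, user_group_dns) -> bool:
    """Allow if SPNEGO authenticated someone and either the URL is unlisted,
    the user is listed, or one of the user's AD group DNs is listed."""
    if not remote_user:
        return False         # $remote_user empty: GSS auth did not succeed
    path = normalize_path(request_uri)
    if path is None:
        return False         # unparseable URI: fail closed
    _prefix, rule = match_rule(acl, server_port, path)
    if rule is None:
        return True
    if remote_user.casefold() in rule["users"]:
        return True
    return bool({g.casefold() for g in user_group_dns} & rule["groups"])


if __name__ == "__main__":
    acl = load_acl(SAMPLE_ACL_JSON)
    managers = ["CN=Managers,OU=Sales,DC=example,DC=com"]
    print(is_authorized(acl, "443", "/app1/index.html", "user1", []))          # True
    print(is_authorized(acl, "443", "/app2/admin/", "user3", managers))        # True
    print(is_authorized(acl, "443", "/app1/../app2/admin/?x=1", "user1", []))  # False
```

Two things to keep in mind when wiring this to the real server: the ACL prefixes should mirror the nginx `location` prefixes exactly (including the trailing slash), and if your `auth_gss` configuration delivers the full principal (`user@REALM`) in `$remote_user`, strip or match the realm before comparing against the `users` array. Passing nginx's already-normalized `$uri` instead of `$request_uri` is an alternative to normalizing on the auth server side.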
Export the following environment variables and run the authentication server. Bind it to the loopback address only, as shown: it trusts the `X-Remote-User` header that nginx sets, so anyone who can reach it directly could claim an arbitrary identity.
Environment Variable | Description
---|---
`AD_SERVER` | Active Directory server host
`CONFIG_PATH` | Path to the ACL config file
`KEYTAB_PATH` | Path to the keytab file (same as `auth_gss_keytab`)
`LDAP_SEARCH_BASE` | LDAP search base used to search for group membership
`SERVER_PRINCIPAL_NAME` | Server principal name, i.e. the HTTP service principal stored in the keytab
```bash
export AD_SERVER=ad.example.com
export CONFIG_PATH=/path/to/config.json
export KEYTAB_PATH=/path/to/keytab
export LDAP_SEARCH_BASE=DC=example,DC=com
export SERVER_PRINCIPAL_NAME=http/<hostname>@<REALM>
gunicorn -b 127.0.0.1:5000 --daemon auth:app
```