Resep Nginx: autentikasi LDAP dengan captcha

Untuk menyiapkan autentikasi dengan captcha, kita memerlukan nginx itu sendiri beserta modul-modul berikut: encrypted-session, form-input, ctpp2, echo, ldap, headers-more, auth_request, dan set-misc. (Saya menautkan ke fork saya sendiri, karena saya membuat beberapa perubahan yang sejauh ini belum dapat dimasukkan ke repositori aslinya. Anda juga dapat memakai image yang sudah jadi.)

Untuk memulai, mari kita tetapkan kunci enkripsi sesi. Nilai di bawah hanyalah contoh dan wajib diganti dengan rahasia acak sebelum dipakai: siapa pun yang mengetahui kunci ini dapat memalsukan cookie Auth dan membaca kredensial di dalamnya.

# Key used by set_encrypt_session / set_decrypt_session for both the CSRF and the Auth cookie.
# The value below is a public placeholder from the article: replace it with a randomly generated
# secret of the same length before deploying. Whoever knows this key can forge an Auth cookie and
# decrypt existing ones, which contain base64("user:password").
encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456"; 

Selanjutnya, untuk berjaga-jaga, buang header Authorization yang dikirim klien, karena header ini nantinya akan kita isi sendiri dari cookie:

 # Drop any Authorization header supplied by the client. /auth rebuilds this header from the
 # decrypted Auth cookie, so the LDAP basic-auth check must never see a client-controlled value.
 more_clear_input_headers Authorization; 

Sekarang kita lindungi semua lokasi dengan autentikasi melalui subrequest ke /auth:

 auth_request /auth;

# Authentication subrequest: turns the encrypted Auth cookie back into Basic credentials and
# lets the LDAP module verify them. Any failure ends in 401, which error_page maps to the
# login form.
location =/auth {
    internal;
    subrequest_access_phase on;
    auth_request off;

    # The Auth cookie is base64(encrypt(base64("user:password"))) as issued by /login;
    # after decoding and decrypting we are left with the base64("user:password") part.
    set_decode_base64 $auth_decode $cookie_auth;
    set_decrypt_session $auth_decrypt $auth_decode;

    # Missing cookie, or one that does not decrypt with the current key, yields an empty string.
    if ($auth_decrypt = "") {
        return 401 UNAUTHORIZED;
    }

    # Re-create the header that more_clear_input_headers removed, now from a trusted source.
    more_set_input_headers "Authorization: Basic $auth_decrypt";
    auth_basic_ldap_realm Auth;
    # NOTE(review): plain ldap:// sends the bind password in clear text to the directory;
    # use ldaps:// (or TLS on the link) if the LDAP module supports it — confirm.
    auth_basic_ldap_url ldap://ldap.server.com;
    auth_basic_ldap_bind_dn dn.server.com;
    echo -n OK;
}

Untuk pengguna yang sudah terautentikasi, kita tampilkan konten dari folder miliknya sendiri (nama folder diambil dari $remote_user):

 # Each authenticated user is served from a directory named after their login.
 # $remote_user is presumably populated by the LDAP basic-auth check in the /auth subrequest;
 # the login itself originally came from the user's form input, so it is only safe to use as a
 # path component after LDAP has accepted it.
 # NOTE(review): if an LDAP login may contain "/" or "..", this alias escapes the per-user
 # directory — confirm which characters the directory permits in user names.
 location / {
     alias html/$remote_user/;
 }

Dan jika belum terautentikasi (respons 401), kita tampilkan formulir login dengan captcha:

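 error_page 401 = @error401;

# Unauthenticated requests are bounced to the login form, remembering the page the user
# asked for so /login can send them back there afterwards.
location @error401 {
    set_escape_uri $request_uri_escape $request_uri;
    return 303 /login?request_uri=$request_uri_escape;
}

location =/login {
    default_type "text/html; charset=utf-8";

    # GET: render the form with a fresh CSRF token. The same token is stored, encrypted, in the
    # CSRF cookie so that the POST can prove it came from a form we issued.
    if ($request_method = GET) {
        template login.html.ct2;
        ctpp2 on;
        set_secure_random_alphanum $csrf_random 32;
        encrypted_session_expires 300;                      # token lifetime: 5 minutes
        set_encrypt_session $csrf_encrypt $csrf_random;
        set_encode_base64 $csrf_encode $csrf_encrypt;
        # HttpOnly: page scripts never need the cookie form of the token.
        # SameSite=Lax: the form POST is a same-site navigation, cross-site posts get no cookie.
        # Add "; Secure" once the site is served over TLS.
        add_header Set-Cookie "CSRF=$csrf_encode; Max-Age=300; Path=/; HttpOnly; SameSite=Lax";
        return 200 "{\"csrf\":\"$csrf_random\"}";           # JSON consumed by the ctpp2 template
    }

    # POST, step 1: CSRF check. Decrypt the cookie and compare it with the form field.
    # The explicit emptiness guard is required: with neither cookie nor field present both
    # sides are "" and the plain inequality test below would let the request through.
    set_form_input $csrf_form csrf;
    set_unescape_uri $csrf_unescape $csrf_form;
    set_decode_base64 $csrf_decode $cookie_csrf;
    set_decrypt_session $csrf_decrypt $csrf_decode;
    if ($csrf_decrypt = "") {
        return 303 $request_uri;
    }
    if ($csrf_decrypt != $csrf_unescape) {
        return 303 $request_uri;
    }

    # Step 2: captcha check. The /captcha handler (not shown here) is expected to have set the
    # captcha cookie to md5("secret" + answer + csrf); recompute it from the submitted answer.
    # Binding the csrf token into the hash ties the answer to this form.
    # "secret" MUST be replaced by a long random value shared with /captcha: with the literal
    # word anyone can compute a valid cookie for an answer of their choosing and skip the captcha.
    set_form_input $captcha_form captcha;
    set_unescape_uri $captcha_unescape $captcha_form;
    set_md5 $captcha_md5 "secret${captcha_unescape}${csrf_decrypt}";
    if ($captcha_md5 != $cookie_captcha) {
        return 303 $request_uri;
    }

    # Step 3: issue the Auth cookie = base64(encrypt(base64("user:password"))), valid 30 days.
    # Credentials are not verified here: the next request's /auth subrequest binds to LDAP with
    # them and answers 401 (i.e. back to this form) if they are wrong.
    set_form_input $username_form username;
    set_form_input $password_form password;
    set_unescape_uri $username_unescape $username_form;
    set_unescape_uri $password_unescape $password_form;
    encrypted_session_expires 2592000;                      # 30 * 24 * 60 * 60
    set $username_password "$username_unescape:$password_unescape";
    set_encode_base64 $username_password_encode $username_password;
    set_encrypt_session $auth_encrypt $username_password_encode;
    set_encode_base64 $auth_encode $auth_encrypt;
    # HttpOnly keeps the (encrypted) password out of reach of page scripts; SameSite=Lax still
    # sends it on top-level navigations. Add "; Secure" once the site is served over TLS.
    add_header Set-Cookie "Auth=$auth_encode; Max-Age=2592000; Path=/; HttpOnly; SameSite=Lax";

    # Step 4: return to the originally requested page. ?request_uri= is attacker-controllable,
    # so only a local absolute path is accepted: it must start with a single "/" and not with
    # "//" or "/\" (both are treated as scheme-relative URLs by browsers) — otherwise this
    # would be an open redirect. The variable is not named $arg_* to avoid colliding with
    # nginx's built-in query-argument variables.
    set $redirect_target $arg_request_uri;
    set_if_empty $redirect_target "/";
    set_unescape_uri $redirect_target_unescape $redirect_target;
    if ($redirect_target_unescape !~ "^/($|[^/\\\\])") {
        return 303 /;
    }
    return 303 $redirect_target_unescape;
}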

Template login.html (dipasang sebagai login.html.ct2 dan dirender oleh modul ctpp2; token csrf disisipkan lewat <TMPL_var csrf>):

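 <!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Login</title>
</head>
<body>
  <!-- No action attribute on purpose: the form must POST back to the current URL so that the
       ?request_uri=... query string survives and /login can redirect the user afterwards. -->
  <form method="post">
    <!-- The same token is kept, encrypted, in the CSRF cookie; /login compares the two. -->
    <input type="hidden" name="csrf" value="<TMPL_var csrf>" />
    <label>username: <input type="text" name="username" placeholder="Enter User Name..." autocomplete="username" required /></label><br />
    <label>password: <input type="password" name="password" autocomplete="current-password" required /></label><br />
    <!-- The captcha image is requested with this form's token; presumably /captcha folds it into
         the answer hash, so an answer cannot be reused with a different form. -->
    <label>captcha: <img src="/captcha?csrf=<TMPL_var csrf>" alt="captcha" /><input type="text" name="captcha" autocomplete="off" required /></label><br />
    <input type="submit" name="submit" value="submit" />
  </form>
</body>
</html>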

Source: https://habr.com/ru/post/id456600/

