
nginx 1.4.7 with nginx-auth-ldap on CentOS

How to compile and install nginx 1.4.7 with Valery's nginx-auth-ldap module and proxy to a python cgi server in CentOS.


Friday, March 21, 2014 | Careerism, Programming

If you look at my "recently used" emojis, it's like, heart, alien, poop, kiss, smile, pizza, rainbow. Those are the ones I always use.

Sonny John Moore

So, the latest twist with my hobby server at the job is that I've got to hide it behind an LDAP basic auth.

I will not go into specifics, but let it suffice that adding credential-checking has been the price of fame: as my hobby project has caught on, it was determined by my fearless leader that persons lacking an LDAP credential should be excluded from taking advantage of my project.

Since I run nginx, which does not have an off-the-rack LDAP authentication module (e.g. something like Apache's mod_ldap), this required just a little bit of hackery and the use of a module called "nginx-auth-ldap".


Background Literature

Before getting started, I recommend reviewing three resources:

Once you've given those a skim, you should have a basic idea of the order of operations:
  1. Compile and install nginx with the module
  2. Update your nginx.conf and your server/location configs
  3. Start the server

Compile and Install nginx

Assuming that you haven't already installed nginx from a package (e.g. using yum) and you're working with a blank slate, you can follow the steps below.

When I did this on my work VM, I started out with a system where a previous install had to be removed and I lost a lot of time/sanity troubleshooting mystery seg faults caused by left-over bits of the previous install that I had not fully removed. If you are doing something similar, you are going to want to make sure that you're not overwriting/sharing directories with that previous install.

At any rate, downloading, configuring and installing (with make) is pretty straightforward, assuming that you don't have a previous install in your way.

Personally, I like to do this kind of stuff as root, in root's "home" directory:

Some things to note about this piece:

At any rate, you've got nginx installed now, and you've got support for LDAP authentication. Now you've got to modify your conf files.


Configuration File Updates

This can get a little tricky.

Personally, I found the documentation on the nginx-auth-ldap GitHub page a little ambiguous about where the various auth_ldap directives belong, so what I will do here is copy/paste all of my config files in full and then comment on the salient bits.

/usr/local/nginx/conf/nginx.conf

One major thing to note about this:

/usr/local/nginx/conf/sites-available/001_toc_homepage

This is where the magic happens. Notable features:

At this point, you're ready to start the server manually and try it out. My experience of this is that the module logs the majority of issues connecting to the LDAP server as some kind of timeout.

At the end of the day, as long as you're not getting seg faults, you're going to get some logging in the access and error logs: that's ultimately what's going to get you through whatever issues you've still got at this point.
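Since the post's own config files did not survive, here is an added example of the two files, written by the editor rather than taken from the post, showing where the nginx-auth-ldap directives belong: the ldap_server block in the http context, auth_ldap/auth_ldap_servers in the server (or location) context, and a proxy_pass to the Python CGI server. The LDAP host, base DN, bind account, realm name, server_name and backend port 8000 are assumed placeholders; the post does not state them.

```nginx
# ---- /usr/local/nginx/conf/nginx.conf (added example; placeholder values) ----
user  nginx;                       # the init script expects this user to exist
worker_processes  1;
error_log  logs/error.log;         # LDAP connection problems surface here, usually as timeouts

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;
    access_log    logs/access.log;

    # ldap_server lives in the http context, not inside server/location.
    # url format: ldap://host:port/baseDN?attribute?scope?filter
    ldap_server corp_ldap {
        url ldap://ldap.example.com:389/ou=People,dc=example,dc=com?uid?sub?(objectClass=person);
        # Service account used for the search; the password sits in this file
        # in the clear, so keep the conf directory readable by root only.
        binddn        "cn=nginx-bind,ou=Service,dc=example,dc=com";
        binddn_passwd BIND_PASSWORD_PLACEHOLDER;
        group_attribute       member;
        group_attribute_is_dn on;
        # Any account the search finds may log in; narrow this with
        # "require group" if only one LDAP group should have access.
        require valid_user;
    }

    include sites-available/*;
}

# ---- /usr/local/nginx/conf/sites-available/001_toc_homepage ----
server {
    listen       80;
    server_name  toc.example.com;

    # auth_ldap sets the Basic realm shown to the browser;
    # auth_ldap_servers names the ldap_server block defined above.
    auth_ldap         "Restricted";
    auth_ldap_servers corp_ldap;

    location / {
        # Only requests that passed the LDAP check reach the CGI server.
        proxy_pass       http://127.0.0.1:8000;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `/usr/local/nginx/sbin/nginx -t` after editing to catch directive-placement mistakes before you start the server.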


Start the Server

Sometimes I like to write my own init scripts, but I typically prefer to copy them from other people, especially when I'm on an unfamiliar OS.

In this case, I copied the one from the SliceHost tutorial I mentioned above.

I made a couple of extremely trivial modifications, and ended up with this:

/etc/init.d/nginx

Adding the init script to my init routine (e.g. using chkconfig) is not something that I wanted to do (for various reasons beyond the scope of this write-up), but the SliceHost article has a walkthrough below the script, if you're looking for a leg-up.

Note: If you try to run the init script and you get this: ...then you forgot to create an nginx user (or never had one, etc.).

The fastest/cheapest way to make an effective, safe user is probably this: