Reverse proxying Windows AD authentication over NTLM with nginx
Authentication uses the Kerberos v5 and NTLM protocols.
The nginx community edition does not support NTLM reverse proxying; nginx Plus does.
The community edition of nginx can be compiled with the third-party module nginx-ntlm-module.
nginx-ntlm-module
The NTLM module allows proxying requests with NTLM Authentication. The upstream connection is bound to the client connection once the client sends a request with the "Authorization" header field value starting with "Negotiate" or "NTLM". Further client requests will be proxied through the same upstream connection, keeping the authentication context.
How to use
Syntax: ntlm [connections];
Default: ntlm 100;
Context: upstream
upstream http_backend {
    server 127.0.0.1:8080;
    # bind each client that sends an NTLM/Negotiate Authorization header to its
    # own upstream connection; up to 100 such connections are cached by default
    ntlm;
}

server {
    ...
    location /http/ {
        proxy_pass http://http_backend;
        # next 2 settings are required for the keepalive to work properly
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
The connections parameter sets the maximum number of connections to the upstream servers that are preserved in the cache.
Syntax: ntlm_timeout timeout;
Default: ntlm_timeout 60s;
Context: upstream
Sets the timeout during which an idle connection to an upstream server will stay open.
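As an added illustration (not the module's own code), the following Python model of the behaviour described above shows why the binding matters: NTLM authenticates the TCP connection rather than each request, so a proxy must not let a different client's request reuse an upstream connection on which someone else has authenticated. The `NtlmProxy` class, the backend model and the client names are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Header prefixes that make nginx-ntlm-module bind the upstream connection to the client.
NTLM_SCHEMES = ("Negotiate", "NTLM")

def is_ntlm_request(headers: dict) -> bool:
    """Module trigger: the Authorization value starts with "Negotiate" or "NTLM"."""
    return headers.get("Authorization", "").startswith(NTLM_SCHEMES)

@dataclass
class UpstreamConn:
    """One backend TCP connection; NTLM authenticates the connection, not the request."""
    conn_id: int
    authenticated_as: str = "anonymous"
    last_used: float = 0.0

def backend_handle(conn: UpstreamConn, client: str, headers: dict, now: float) -> str:
    """Hypothetical backend: returns the identity it attributes to a request on conn."""
    if is_ntlm_request(headers):
        conn.authenticated_as = client   # handshake completed on this connection
    conn.last_used = now
    return conn.authenticated_as

class NtlmProxy:
    """Models `ntlm [connections]` and `ntlm_timeout`: a client that sent an NTLM or Negotiate
    header is pinned to its own upstream connection; up to `connections` pinned connections
    are cached and dropped after `timeout` idle seconds."""
    def __init__(self, connections: int = 100, timeout: float = 60.0):
        self.connections, self.timeout = connections, timeout
        self.bound: dict[str, UpstreamConn] = {}   # client id -> pinned connection
        self.next_id = 0

    def request(self, client: str, headers: dict, now: float) -> str:
        # Evict pinned connections idle longer than ntlm_timeout (client must re-authenticate).
        for stale in [c for c, u in self.bound.items() if now - u.last_used > self.timeout]:
            del self.bound[stale]
        conn = self.bound.get(client)
        if conn is None:   # no pinned connection: open a fresh one for this request
            self.next_id += 1
            conn = UpstreamConn(self.next_id)
            if is_ntlm_request(headers) and len(self.bound) < self.connections:
                self.bound[client] = conn   # pin it so the auth context survives
        return backend_handle(conn, client, headers, now)

def demo() -> tuple:
    p = NtlmProxy(connections=2, timeout=60)
    alice_auth = p.request("alice", {"Authorization": "NTLM <constructed token>"}, now=0)
    alice_next = p.request("alice", {}, now=10)   # same client, no header: context kept
    bob_next = p.request("bob", {}, now=20)       # other client: never sees alice's context
    alice_late = p.request("alice", {}, now=100)  # idle > ntlm_timeout: connection dropped
    return alice_auth, alice_next, bob_next, alice_late   # ("alice", "alice", "anonymous", "anonymous")
```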
Build
Follow the instructions from Building nginx from Sources and add the following line to the configure command:
./configure \
--add-module=../nginx-ntlm-module
To build this as a dynamic module, run this command:
./configure \
--add-dynamic-module=../nginx-ntlm-module
Tests
In order to run the tests you need nodejs and perl installed on your system.
# install the backend packages
npm install -C t/backend
# install the test framework
cpan Test::Nginx
# set the path to your nginx location
export PATH=/opt/local/nginx/sbin:$PATH
prove -r t
Acknowledgments
- This module is using most of the code from the original nginx keepalive module.
- DO NOT USE THIS IN PRODUCTION. Nginx Plus has support for NTLM.
Authors
- Gabriel Hodoroaga (hodo.dev)