NGINX - Limit access to a folder to a list of users from LDAP authentication

Time:10-13

I have an nginx reverse proxy behind LDAP authentication. I can read the username in PHP from the variable $_SERVER['PHP_AUTH_USER']. I think this means that the username is passed from LDAP to nginx and then to PHP.
Is it possible in nginx configuration to allow access to a folder only to a list of users?

UPDATE
In nginx the user is stored in the $remote_user variable. Is it possible to compare $remote_user with a list of users stored in a file? And then deny or allow access to a folder?

UPDATE
Probably I have to use the map directive, for example:

map $remote_user $allowed_user {
    default 0;
    user1   1;
    user2   1;
}

and then test it in the appropriate location:

location /folder/ {
    if($allowed_user != 1){
        return 403;
    }
    proxy_pass http://site;
}

but when I do sudo nginx -t, I receive the following error:

nginx: [emerg] unknown directive "if($allowed_user" in /etc/nginx/nginx.conf:104
nginx: configuration file /etc/nginx/nginx.conf test failed

CodePudding user response:

You can do it via the map directive (please note that the map translation definitions block should be placed in the http context, outside the server block):

map $remote_user $deny {
    username1  0;
    username2  0;
    ...
    usernameN  0;
    default    1;
}

server {
    ...
    location /folder/ {
        if ($deny) { return 403; }
        ...
    }
}

You can pre-generate the user list in the above form (username1 0; username2 0; ...) and then include this list in the nginx configuration:

map $remote_user $deny {
    include /path/userlist.txt;
    default 1;
}

Whenever this user list file gets changed you'd need to reload the nginx configuration (nginx -s reload).
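
One way to pre-generate the include file described in the answer above, as an added example (not code from the original question or answer). The function name, the username allowlist pattern and the script and input file names are assumptions. It rejects names that would change the meaning of the map block and escapes names that collide with map's special parameters.

```python
import re
import sys

# Conservative allowlist for LDAP login names (assumption; widen it if your directory needs more).
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]+")
# Words nginx's map treats as special parameters; as source values they need a "\" prefix.
MAP_SPECIAL = {"default", "hostnames", "include", "volatile"}


def render_userlist(names):
    """Return (include_file_text, rejected_names) for use inside map $remote_user $deny."""
    entries, rejected, seen = [], [], set()
    for raw in names:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue  # skip blank lines and comments in the source list
        # fullmatch rejects whitespace, ';', '{', '}', quotes, '$' and a leading '~'
        # (which map would read as a regex), so a name cannot alter the map block.
        if not SAFE_NAME.fullmatch(name):
            rejected.append(name)
            continue
        key = name.lower()  # nginx lowercases plain map keys, so "Alice" duplicates "alice"
        if key in seen:
            continue
        seen.add(key)
        source = "\\" + name if key in MAP_SPECIAL else name
        entries.append(f"{source} 0;\n")
    return "".join(entries), rejected


if __name__ == "__main__":
    # Usage: python3 gen_userlist.py allowed_users.txt > /path/userlist.txt
    with open(sys.argv[1], encoding="utf-8") as fh:
        text, bad = render_userlist(fh)
    if bad:
        sys.exit(f"refusing to write list, unsafe names: {bad!r}")
    sys.stdout.write(text)
```

Run nginx -t on the result before nginx -s reload, so a bad list never replaces a working configuration.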
