Hi Bob, hope you're doing well these days.

On Mon, Jan 25, 2021 at 08:35:49AM +0000, Bob Brown wrote:
> I have a collection of smallish internal-facing apps sitting on a server.
>
> I have been asked to 'secure' these apps.
>
> The apps currently:
> + provide HTTP service to clients
> + make use of a number of internal SOAP services
> + use LDAP (Active Directory) for user authentication
>
> The various apps are written in Java, Groovy and Python.
>
> Rather than hack each app, I would like to take a more system-based approach
> and completely interpose nginx between them and the rest of the world: I
> would like to have the apps ONLY talk to nginx on localhost and have nginx
> stand in for the apps. All (certificate) management will then be centralised.
> I assume that nginx will be more efficient at handling SSL/TLS as well...
>
> I believe that I can use nginx (...there seem lots of example materials) to
> handle:
>
> * reverse proxy https(from world) -> http(to localhost) for client access
> * forward proxy SOAP(over http, from localhost) -> SOAP(over https, to
> world)
> with mutual authentication
>
> I am unsure of the LDAP->LDAPS aspect.
>
> Is this possible?

Yes, it's possible.

> Are there any HOWTO documents/pages/blogs/... detailing this?

nginx has the ngx_http_auth_request_module and that's the recommended way
to work with authentication requests.

I'd recommend taking a look at an OSS solution, developed inside NGINX,
for integration with LDAP service. Please take a look:
https://github.com/nginxinc/nginx-ldap-auth

> I have seen very few examples of how this might happen.
> I tried to replicate:
> https://jackiechen.blog/2019/01/24/nginx-sample-config-of-http-and-ldaps-reverse-proxy/
>
> This gave me errors about ssl_certificate not being usable at the specific
> location in the config file. I assume new versions of nginx use a slightly
> different config file format?

All versions of nginx use the same configuration file format.

> Suggestions/thoughts gratefully received.

-- 
Sergey Osokin
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
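
The setup discussed in this thread, as an added example that is not part of the original message or of the nginx-ldap-auth project: one nginx.conf that terminates TLS for the apps and gates them with auth_request, forwards outbound SOAP with a client certificate, and wraps loopback LDAP in TLS. All hostnames, ports and file paths are placeholders, the auth helper on 127.0.0.1:8888 is an assumed local service, and the stream module is assumed to be built in or loaded.

```nginx
# Added example: every hostname, port and path below is a placeholder.
events {}

http {
    # Inbound: https (from world) -> http (to an app bound to localhost only)
    server {
        listen 443 ssl;
        server_name apps.example.internal;
        # ssl_certificate is accepted in http{} and server{}, not in location{}
        ssl_certificate     /etc/nginx/tls/apps.crt;
        ssl_certificate_key /etc/nginx/tls/apps.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        location / {
            auth_request /_auth;               # ngx_http_auth_request_module
            proxy_pass http://127.0.0.1:8080;  # assumed app port
            proxy_set_header Host $host;
        }
        location = /_auth {
            internal;                          # clients cannot request it directly
            proxy_pass http://127.0.0.1:8888;  # assumed local LDAP auth helper
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
        }
    }
    # Outbound: SOAP over http (from localhost) -> https with mutual TLS
    server {
        listen 127.0.0.1:8081;
        location / {
            proxy_pass https://soap.example.internal;
            proxy_ssl_certificate         /etc/nginx/tls/client.crt;
            proxy_ssl_certificate_key     /etc/nginx/tls/client.key;
            proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
            proxy_ssl_verify on;               # reject upstreams not signed by the CA
            proxy_ssl_server_name on;          # send SNI to the upstream
        }
    }
}

# LDAP is plain TCP, so LDAP -> LDAPS is configured in stream{}, not http{}
stream {
    server {
        listen 127.0.0.1:389;                  # apps keep speaking LDAP on loopback
        proxy_pass dc1.example.internal:636;   # LDAPS port on the directory server
        proxy_ssl on;                          # TLS towards the upstream
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name dc1.example.internal;   # name checked against the certificate
    }
}
```

Running `nginx -t` against the file reports any directive placed in a context that does not accept it before the configuration is loaded.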