# Apache reverse proxy (mod_proxy) with Basic authentication via LDAP (mod_authnz_ldap)
```sh
# Build the image from the current directory, then run it with TLS on 443,
# proxying to the backend and authenticating against the LDAP directory.
docker build -t httpd-ldap-rproxy .
docker run -p 443:443 -e LDAP_URI="ldap://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=*)" \
  -e PROXY_URI="http://www.example.com" -e SERVERNAME="ldap-protected.www.example.com" \
  -e HTTPS_PEM_CERT="$(cat $TLS_CERTIFICATE)" -e HTTPS_PEM_KEY="$(cat $TLS_CERTIFICATE_KEY)" \
  httpd-ldap-rproxy
```
| Variable | Mandatory | Default | Description |
|---|---|---|---|
| LISTEN_PORT | yes | 80 | Specifies the port the Apache server will listen on. |
| PROXY_URI | yes | | Specifies the parameter for Apache's ProxyPass and ProxyPassReverse directives. |
| SERVERNAME | no | localhost.localdomain | Specifies the parameter for Apache's ServerName directive. Must match the CN of HTTPS_PEM_CERT. |
| BASIC_AUTH_STRING | no | LDAP Authentication | Specifies the parameter for Apache's AuthName directive. |
| HTTPS_CERT_PEM | no | | Apache's SSL/TLS PEM certificate text. If given, HTTPS_KEY_PEM must be set too. If not given, SSL is disabled. |
| HTTPS_KEY_PEM | no | | Apache's SSL/TLS PEM certificate key text. |
| NO_VERIFY_SERVER_CERT | no | | If set, skips server certificate verification. |
| DHPARAM_PEM | yes | | Apache's SSL/TLS PEM DH parameters. |
| CUSTOM_APACHE_CONFIG | no | | Specifies custom directives to be appended to the Apache VirtualHost configuration. |
| LDAP_URI | yes | | Specifies the URI of the LDAP server, as documented here. |
| LDAP_BIND_DN | no | | Specifies the DN used for the search bind, as documented here. Not allowed if LDAP_BIND_USER_PATTERN is set. |
| LDAP_BIND_PASSWORD | no | | Specifies the password used for the bind to the LDAP server, as documented here. |
| LDAPS_CACERT_PEM | no | | LDAP CA certificate (PEM text). |
| LDAP_BIND_USER_PATTERN | no | | Specifies the parameter for Apache's AuthLDAPInitialBindPattern. Also sets AuthLDAPInitialBindAsUser, AuthLDAPSearchAsUser and AuthLDAPCompareAsUser to "on". |
| SOCACHE_TIMEOUT | no | | If set, enables authn_socache_module with the specified value as the parameter to the AuthnCacheTimeout directive. |
| REQUIRE_COND | no | Require valid-user | Apache Require directives; they will be enclosed in a . |
| LOGLEVEL | no | warn | Specifies the parameter for Apache's LogLevel directive. |
| DISPLAY_CONFIG | no | | If set, displays the templated configuration before starting Apache. |
| ENABLE_WEBSOCKET | no | yes | If set to yes, enables mod_proxy_wstunnel. |
| ENABLE_XFF_LOG | no | yes | If set to yes, logs the X-Forwarded-For header value instead of the client IP. |
The variables requiring PEM certificates/keys must contain the certificate text including the newlines.

If invoking docker via the command line:

```sh
-e LDAPS_CACERT_PEM="-----BEGIN CERTIFICATE-----\n...\n..."
-e LDAPS_CACERT_PEM="$(cat $TLS_CERTIFICATE_FILE)"
```

If using docker-compose, in the docker-compose.yml file:

```yaml
environment:
  LDAPS_CACERT_PEM: |
    -----BEGIN CERTIFICATE-----
    ...
    ...
    -----END CERTIFICATE-----
```
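As an added example that is not part of the image's own README, the following docker-compose.yml wires the variables above into an LDAPS-backed proxy that admits only members of one LDAP group, binding as the authenticating user so no service-account password has to be stored. Hostnames, DNs, the group name and the PEM placeholders are assumptions, and the TLS variables follow the names used in the table.

```yaml
# Added example, not from the image's own README. Hostnames, DNs, group name
# and the PEM placeholders are assumptions; replace them with real values.
services:
  rproxy:
    image: httpd-ldap-rproxy
    ports:
      - "443:443"
    environment:
      LISTEN_PORT: "443"
      SERVERNAME: ldap-protected.www.example.com   # must match the TLS cert CN
      PROXY_URI: http://www.example.com
      # ldaps:// keeps the Basic-auth credentials off the wire between Apache
      # and the directory; LDAPS_CACERT_PEM lets mod_ldap verify that server.
      LDAP_URI: "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
      # Bind as the authenticating user (AuthLDAPInitialBindPattern) so no
      # LDAP_BIND_PASSWORD for a shared service account lives in the container.
      # "$$" is how compose escapes a literal "$" in the regex back-reference.
      LDAP_BIND_USER_PATTERN: "(.+) uid=$$1,ou=people,dc=example,dc=com"
      # Tighter than the default "Require valid-user": only one group gets in.
      REQUIRE_COND: "Require ldap-group cn=proxy-users,ou=groups,dc=example,dc=com"
      # Cache successful authentications (seconds) to cut LDAP round trips;
      # keep it short so removals from the group take effect quickly.
      SOCACHE_TIMEOUT: "300"
      # X-Forwarded-For is client-controlled; only log it when a trusted
      # load balancer in front of this proxy sets it.
      ENABLE_XFF_LOG: "yes"
      LOGLEVEL: warn
      LDAPS_CACERT_PEM: |
        -----BEGIN CERTIFICATE-----
        ...placeholder: CA certificate that issued ldap.example.com's cert...
        -----END CERTIFICATE-----
      HTTPS_CERT_PEM: |
        -----BEGIN CERTIFICATE-----
        ...placeholder: server certificate for ldap-protected.www.example.com...
        -----END CERTIFICATE-----
      HTTPS_KEY_PEM: |
        -----BEGIN PRIVATE KEY-----
        ...placeholder: matching private key...
        -----END PRIVATE KEY-----
      DHPARAM_PEM: |
        -----BEGIN DH PARAMETERS-----
        ...placeholder: output of openssl dhparam...
        -----END DH PARAMETERS-----
```

Setting DISPLAY_CONFIG on the first run lets you check the templated VirtualHost before exposing the port.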