Remote_addr Empty Nginx Php
| install the packages |
| # yum install php-fpm php-ldap |
| then make sure php-fpm can create sessions |
| and change user and group to be nginx |
| see /etc/php-fpm.d/www.conf for more details |
| # sed -i -e 's/apache/nginx/g' /etc/php-fpm.d/www.conf |
| # sed -i -e 's/;catch_workers_output = yes/catch_workers_output = yes/' /etc/php-fpm.d/www.conf |
| # mkdir -p /var/lib/php/session |
| # chown -R nginx: /var/lib/php/session |
If you do not require the performance of nginx, then you may find a pragmatic solution is to just use apache. I use nginx as a reverse proxy in front of apache, but that introduces some additional issues with getting the REMOTEADDR passed to PHP (notably, modrpaf). Enables or disables buffering of responses from the FastCGI server. When buffering is enabled, nginx receives a response from the FastCGI server as soon as possible, saving it into the buffers set by the fastcgibuffersize and fastcgibuffers directives. If the whole response does not fit into memory, a part of it can be saved to a temporary file on the disk.
| <?php |
| functionforbidden() { |
| error_log('forbidden: ' . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER']); |
| // avoid brute force attacks |
| sleep(rand(0, 3)); |
| // re-display login form |
| session_destroy(); |
| // don't give too much info (e.g. user does not exist / password is wrong) |
| Header('HTTP/1.0 403 Forbidden'); |
| die('Unauthorized.'); |
| } |
| functionauthenticate() { |
| error_log('authreq: ' . $_SERVER['REMOTE_ADDR']); |
| // mark that we saw the login box. |
| $_SESSION['AUTH'] = 1; |
| // browser shows login box |
| Header('WWW-Authenticate: Basic realm=LDAP credentials.'); |
| Header('HTTP/1.0 401 Unauthorized'); |
| die('Unauthorized.'); |
| } |
| functionldap_auth() { |
| $ldap_server = 'ldap://ldap.example.com/'; |
| $ldap_domain = 'dc=example,dc=com'; |
| $ldap_userbase = 'ou=Users,' . $ldap_domain; |
| $ldap_user = 'uid=' . $_SERVER['PHP_AUTH_USER'] . ',' . $ldap_userbase; |
| $ldap_pass = $_SERVER['PHP_AUTH_PW']; |
| // connect to ldap server |
| $ldapconn = ldap_connect($ldap_server) |
| or die('Could not connect to LDAP server.'); |
| ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3) ; |
| if ($ldapconn) { |
| // try to bind/authenticate against ldap |
| $ldapbind = @ldap_bind($ldapconn, $ldap_user, $ldap_pass) forbidden(); |
| // 'LDAP bind successful..'; |
| error_log('success: ' . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER']); |
| } |
| ldap_close($ldapconn); |
| } |
| // no cache |
| session_cache_limiter('nocache'); |
| session_start( ); |
| header('Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0'); |
| header('Pragma: no-cache'); |
| header('Expires: 0'); |
| if (@$_SESSION['AUTH'] != 1) { |
| authenticate(); |
| } |
| if (empty($_SERVER['PHP_AUTH_USER'])) { |
| authenticate(); |
| } |
| // check credentials |
| ldap_auth(); |
| // Get requested file name |
| $path = $_SERVER['REQUEST_URI']; |
| error_log('serving: ' . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER'] . ', path: ' . $path); |
| header('Content-Type: ', true); |
| header('X-Accel-Redirect: /protected' . $path); |
| ?> |
| server { |
| listen80; |
| server_name _; |
| # all requests to /data will be intercepted by PHP script |
| # which may then decide to use X-Accel to serve |
| # /protected$request_uri, which is handled by /protected/data location |
| location/data/ { |
| fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; |
| fastcgi_param SCRIPT_FILENAME /path/to/scripts/ldap-auth.php; |
| fastcgi_param PHP_AUTH_USER $remote_user; |
| fastcgi_param PHP_AUTH_PW $http_authorization; |
| include fastcgi_params; |
| } |
| # |
| location/protected/data/ { |
| types { } |
| default_type text/plain; |
| internal; |
| autoindex on; |
| alias /path/to/protected/data/; |
| } |
commented Jul 11, 2014
Hello , Could you please let me know to where to put the ldap-auth.php ? |
commented Oct 25, 2014
put it where you want then adjust |
commented May 26, 2015
Hi, what about formbased auth in stead of popup dialog box? After successful login I want to be redirected to a different server instead of / |
commented Feb 13, 2019
thanks. this help me to use ldap with php-fpm |