Support Nginx >= 1.23, files to build a deb package and README revisions

README.md

@@ -1,5 +1,5 @@
-# LDAP Authentication module for nginx
-LDAP module for nginx which supports authentication against multiple LDAP servers.
+# LDAP Authentication module for Nginx
+LDAP module for Nginx which supports authentication against multiple LDAP servers.
 
 # How to install
 
@@ -18,21 +18,47 @@ Check HTTP_AUTH_LDAP options
 
 ## Linux
 
-```bash
-cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git   
+Clone this repo or download the ZIP archive.
+
+Install `libssl` and `libldap2` headers (on Debian/Ubuntu: `apt install libssl-dev libldap2-dev`).
+
+You can build this module as an SO, statically compile it into the main `nginx` binary or, if using Debian/Ubuntu, build
+and install the deb package.
+
+### Build as an SO
+
+- Obtain the Nginx source (on Debian/Ubuntu this can be done with `apt-get source nginx`)
+- cd /path/to/nginx/source
+```sh
+./configure `nginx -V` --with-compat --add-dynamic-module=/path/to/nginx-auth-ldap/source
+cp objs/ngx_http_auth_ldap_module.so /usr/share/nginx/modules/ngx_http_auth_ldap_module.so
+```
+- Add the below config to Nginx so that it loads the module:
+```nginx
+load_module modules/ngx_http_auth_ldap_module.so;
 ```
 
-in nginx source folder
+### Build & install the deb package
 
-```bash
+```sh
+sudo apt install build-essential dpkg-dev libssl-dev libldap2-dev
+cd /path/to/nginx-auth-ldap/source
+dpkg-buildpackage -b -uc
+sudo dpkg -i ../libnginx-mod-http-auth-ldap_1.0.0-1_amd64.deb
+```
+
+### Statically link into Nginx
+
+```sh
+cd /path/to/nginx/source
 ./configure --add-module=path_to_http_auth_ldap_module
 make install
 ```
 
 # Example configuration
 Define list of your LDAP servers with required user/group requirements:
 
-```bash
+```nginx
     http {
       ldap_server test1 {
         url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
@@ -55,7 +81,7 @@ Define list of your LDAP servers with required user/group requirements:
 ```
 
 And add required servers in correct order into your location/server directive:
-```bash
+```nginx
     server {
         listen       8000;
         server_name  localhost;
@@ -140,6 +166,6 @@ you'll basically need to run OpenSSL's c_rehash command in this directory.
 expected value: on, off
 
 LDAP library default is on. This option disables usage of referral messages from
-LDAP server. Usefull for authenticating against read only AD server without access
+LDAP server. Useful for authenticating against read only AD server without access
 to read write.
 

debian/changelog

@@ -0,0 +1,6 @@
+libnginx-mod-http-auth-ldap (1.0.0-1) experimental; urgency=medium
+
+  * First deb release
+  * Fix issue with Nginx >= 1.23
+
+ -- jesse <[email protected]>  Tue, 03 Oct 2023 11:55:53 +0100

debian/control

@@ -0,0 +1,22 @@
+Source: libnginx-mod-http-auth-ldap
+Section: httpd
+Priority: optional
+Maintainer: Jesse Portnoy <[email protected]>
+Build-Depends: debhelper-compat (= 13),
+               dh-sequence-nginx,
+	       libldap2-dev,
+	       libssl-dev,
+Standards-Version: 4.6.2
+Homepage: https://github.com/jessp01/nginx-auth-ldap
+Vcs-Git: https://github.com/jessp01/nginx-auth-ldap
+Vcs-Browser: https://github.com/jessp01/nginx-auth-ldap
+Rules-Requires-Root: no
+
+Package: libnginx-mod-http-auth-ldap
+Architecture: any
+Multi-Arch: foreign
+Depends: ${misc:Depends},
+         ${shlibs:Depends},
+Recommends: nginx,
+Description: LDAP authentication module for Nginx
+ The nginx_http_auth_ldap module enables authentication via LDAP.

debian/copyright

@@ -0,0 +1,26 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: ngx_http_auth_pam_module
+Upstream-Contact: Sergio Talens Oliag <[email protected]>
+Source: https://github.com/jessp01/nginx-auth-ldap
+
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.

debian/debhelper-build-stamp

@@ -0,0 +1 @@
+libnginx-mod-http-auth-ldap

debian/files

@@ -0,0 +1,3 @@
+libnginx-mod-http-auth-ldap-dbgsym_1.0.0-1_amd64.deb debug optional automatic=yes
+libnginx-mod-http-auth-ldap_1.0.0-1_amd64.buildinfo httpd optional
+libnginx-mod-http-auth-ldap_1.0.0-1_amd64.deb httpd optional

debian/libnginx-mod-http-auth-ldap.postinst.debhelper

@@ -0,0 +1,28 @@
+# Automatically added by dh_nginx/UNDECLARED
+for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf  ; do
+	from=$(echo $confpair | cut -d: -f1)
+	to=$(echo $confpair | cut -d: -f2)
+
+	if [ -L /etc/nginx/modules-enabled/$to.removed ]; then
+		rm /etc/nginx/modules-enabled/$to.removed
+		removed_link=true
+	else
+		removed_link=false
+	fi
+
+	# Symlink on
+	# 1) Fresh installations
+	# 2) Reinstalls after automatic removes (preserve admin actions)
+	if [ -z "$2" -o "$removed_link" = "true" ]; then
+		ln -sf /usr/share/nginx/modules-available/$from \
+			/etc/nginx/modules-enabled/$to
+	fi
+done
+
+if [ "$1" = "configure" ] ; then
+	if which dpkg-trigger >/dev/null 2>&1 ; then
+		dpkg-trigger --no-await nginx-reload
+	fi
+
+fi
+# End automatically added section

debian/libnginx-mod-http-auth-ldap.postrm.debhelper

@@ -0,0 +1,30 @@
+# Automatically added by dh_nginx/UNDECLARED
+if [ "$1" = "purge" ] ; then
+	for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf  ; do
+		from=$(echo $confpair | cut -d: -f1)
+		to=$(echo $confpair | cut -d: -f2)
+
+		if [ -L /etc/nginx/modules-enabled/$to ]; then
+			rm /etc/nginx/modules-enabled/$to
+		fi
+		if [ -L /etc/nginx/modules-enabled/$to.removed ]; then
+			rm /etc/nginx/modules-enabled/$to.removed
+		fi
+	done
+fi
+
+if [ "$1" = "remove" ] ; then
+	for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf  ; do
+		from=$(echo $confpair | cut -d: -f1)
+		to=$(echo $confpair | cut -d: -f2)
+
+		if [ -L /etc/nginx/modules-enabled/$to ]; then
+			mv /etc/nginx/modules-enabled/$to /etc/nginx/modules-enabled/$to.removed
+		fi
+	done
+
+        if which dpkg-trigger >/dev/null 2>&1 ; then
+                dpkg-trigger --no-await nginx-reload
+        fi
+fi
+# End automatically added section

debian/libnginx-mod-http-auth-ldap.prerm.debhelper

@@ -0,0 +1,12 @@
+# Automatically added by dh_nginx/UNDECLARED
+if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then
+	for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf  ; do
+		from=$(echo $confpair | cut -d: -f1)
+		to=$(echo $confpair | cut -d: -f2)
+
+		if [ -L /etc/nginx/modules-enabled/$to ]; then
+			mv /etc/nginx/modules-enabled/$to /etc/nginx/modules-enabled/$to.removed
+		fi
+	done
+fi
+# End automatically added section

debian/libnginx-mod-http-auth-ldap.substvars

@@ -0,0 +1,3 @@
+misc:Depends=nginx-abi-1.24.0-1
+shlibs:Depends=libc6 (>= 2.14), libldap-2.5-0 (>= 2.5.4)
+misc:Pre-Depends=

debian/rules

@@ -0,0 +1,6 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/control

@@ -0,0 +1,6 @@
+Tests: generic
+Restrictions: allow-stderr isolation-container needs-root
+Depends: curl,
+         nginx,
+         nginx-core,
+         @,

debian/tests/generic

@@ -0,0 +1,73 @@
+#!/bin/sh
+# version 20221215
+
+# generic test that only verifies that nginx is running with the given
+# libnginx-... module
+# - after installation
+# - after nginx reload
+# - after nginx restart
+
+EX=0
+CURL_CMD="curl --max-time 60 --silent --fail -o /dev/null"
+
+#change directory to $AUTOPKGTEST_TMP
+cd "${AUTOPKGTEST_TMP}"
+
+echo -n "curl after installation: http status="
+if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then
+  echo "OK"
+else
+  EX=1
+  echo "FAILED"
+fi
+
+echo -n "nginx reload ... "
+if invoke-rc.d nginx reload; then
+  echo "OK"
+else
+  EX=1
+  echo "FAILED"
+fi
+sleep 5
+
+
+echo -n "curl after reload: http status="
+if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then
+  echo "OK"
+else
+  EX=1
+  echo "FAILED"
+fi
+
+echo -n "nginx restart ... "
+if invoke-rc.d nginx restart; then
+  echo "OK"
+else
+  EX=1
+  echo "FAILED"
+fi
+sleep 5
+
+echo -n "curl after restart: http status="
+if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then
+  echo "OK"
+else
+  EX=1
+  echo "FAILED"
+fi
+
+if [ ${EX} -ne 0 ]; then
+  echo "=== journalctl ==="
+  journalctl -n all -xu nginx.service || :
+
+  echo "=== error.log ==="
+  if [ `wc -l /var/log/nginx/error.log | cut -d ' ' -f1` -gt 100 ]; then
+    head -n 50 /var/log/nginx/error.log
+    echo '...'
+    tail -n 50 /var/log/nginx/error.log
+  else
+    cat /var/log/nginx/error.log
+  fi
+fi
+
+exit ${EX}

debian/watch

@@ -0,0 +1,6 @@
+version=4
+
+opts="\
+filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/@PACKAGE@-$1\.tar\.gz/,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\
+" https://github.com/jessp01/nginx-auth-ldap/tags .*/v?(\d\S+)\.tar\.gz

ngx_http_auth_ldap_module.c

@@ -1779,6 +1779,9 @@ ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
     }
 
     r->headers_out.www_authenticate->hash = 1;
+#if (nginx_version >= 1023000)
+    r->headers_out.www_authenticate->next = NULL;
+#endif
     r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
     r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate";
     r->headers_out.www_authenticate->value = *realm;