Skip to content

fclmman/alpine-nginx-spnego

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 

Repository files navigation

Docker image with nginx and spnego negotiate auth module built in

Pull

docker pull fclmman/alpine-nginx-spnego

Usage:

For you to start with kerberos auth some manipulations are expected. Lets assume your host computer has a "host-linux" hostname, and your domain is "DOMAIN.LOCAL"

You will need do create a keytab file for your host computer. To do so you need to add a computer with "host-linux" to AD. Next, contact your domain controller administrator to create a SPN and generate a ketab file for you.

The command will look like

C:\Windows\system32>ktpass -princ HTTP/HOST-LINUX.domain.local@DOMAIN.LOCAL -mapuser host-linux-user@DOMAIN.LOCAL -pass yourpassword -cryptoAll -ptype KRB5_NT_PRINCIPAL -out C:\Temp\web.keytab

Once you got your keytab we can start with the container. I will provide an example with docker-compose.yml

version: "2"
services:
    nginx-spnego:
        image: fclmman/alpine-nginx-spnego
#map ports you will need
        ports:
            - 80:80
            - 5010:5010
            - 443:443
            - 8001:8001
#add volume with the keytab file
        volumes:
            - ./config:/home/spnego/config
            - ./config/nginx.conf:/etc/nginx/nginx.conf

Your nginx.conf and web.keytab should be in the ./config volume, as they should be available in container. Your nginx.conf will look like

http {
    #Whatever is there by default

    server {
        listen       80;
        server_name  localhost;
        
		#Here kerberos stuff starts
		auth_gss     on;
        auth_gss_realm DOMAIN.LOCAL;
		#Keytab file from the mounted folder
        auth_gss_keytab /home/spnego/config/web.keytab;
        auth_gss_service_name HTTP/HOST-LINUX.domain.local;
        auth_gss_allow_basic_fallback off;
		#Here kerberos stuff ends
		
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

That's all. But you should know that kerberos is not working by IP, it supports hostname only

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published