Security improvements

      location = /auth-proxy {

         proxy_pass http://<strong>127.0.0.1</strong>:8888;

         proxy_pass_request_body off;

         proxy_pass_request_headers off;

         proxy_set_header Content-Length "";

         proxy_cache <strong>auth_cache</strong>; # Must match the name in the proxy_cache_path directive above

         proxy_cache_valid 200 <strong>10m</strong>;

}

</pre>

If the authentication server runs Active Directory rather than OpenLDAP, set the following directive as shown:

If the authentication server runs Active Directory rather than OpenLDAP, uncomment the following directive as shown:

```

proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

```

Suppose, your web resource should only be available for users from `group1` group.

In such a case you can define `X-Ldap-Template` template as follows:

```nginx

```

proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))";

```

The search filters can be combined from less complex filters using boolean operations and can be rather complex.

The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, set the following directives to have an empty value, as shown:

The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives, and enable the Authorization header as shown:

```nginx

proxy_set_header X-CookieName "";

proxy_set_header Cookie "";

```

<pre>

<strong>#</strong>proxy_set_header X-CookieName "nginxauth";

<strong>#</strong>proxy_set_header Cookie nginxauth=$cookie_nginxauth;

<strong>proxy_set_header Authorization $http_authorization;</strong>

</pre>

## Customization

### Caching

The **nginx-ldap-auth.conf** file enables caching of both data and credentials. To disable caching, comment out the four `proxy_cache*` directives as shown:

```nginx

<pre>

http {

  ...

  #proxy_cache_path cache/ keys_zone=auth_cache:10m;

  <strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;

  ...

  server {

    ...

    location = /auth-proxy {

      #proxy_cache auth_cache;

      <strong>#</strong>proxy_cache auth_cache;

      # note that cookie is added to cache key

      #proxy_cache_key "$http_authorization$cookie_nginxauth";

      #proxy_cache_valid 200 10m;

      <strong>#</strong>proxy_cache_key "$http_authorization$cookie_nginxauth";

      <strong>#</strong>proxy_cache_valid 200 10m;

     }

   }

}

```

</pre>

### Optional LDAP Parameters

If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, set the following directive as shown, and change the value:

```nginx

proxy_set_header X-Ldap-Template "(cn=%(username)s)";

```

If you want to change the realm name from the default value (**Restricted**), set the following directive:

```nginx

proxy_set_header X-Ldap-Realm "Restricted";

```

If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:

<pre>

proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";

</pre>

> **Note:** All LDAP parameters must have a value, even optional ones. Use the empty string (`""`) for unused parameters (do not comment).

If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:

<pre>

proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";

</pre>

### Authentication Server