[Unresolved] Duo security with nginx proxy

davama
Level 1

Hello,

I am new to the DUO products but interested in what you have available.

So far I’ve been able to install and configure the duo_pam for ssh access with no issues. I also have the “DUO Access 30 day trial edition” with OpenLDAP Directory Sync. 23 days left.

We have several internal web services hosted behind a nginx proxy using the ldap module for authentication.

Web Applications:
cgit
graylog
oxidized

This has worked well for simple user/pass authentication but it would be great to be able to somehow have DUO handle the auth part.


davama
Level 1

Have been in contact with the Duo Security Support Team. Looks like they misunderstood what I was seeking. They had me install the LDAP Proxy application (no issues there). But that did not help in reaching the goal, securing nginx-proxied web services with Duo.

So bottom line: They DO NOT have duo integration with nginx.

Their last email reply:

Unfortunately I have no previous tickets on a setup like this so we would not have anything to go from setup wise.

how unfortunate

-dave

@davama,

When you tried LDAP authentication from nginx to the Duo proxy server, did you receive an LDAP exceptions.IndexError event at authentication? We’re aware that in some configurations nginx uses LDAP tags the Duo Authentication Proxy doesn’t support (0x4e is the specific one I’ve seen).

Updating the proxy to support additional LDAP tags isn’t currently on our roadmap. But, if your exception also mentions 0x4e (LDAPCompare Request), are you intentionally trying to do an attribute value comparison, and could it not do a check that uses the DN (or do no comparison at all)?

Duo, not DUO.

davama
Level 1

@DuoKristina

did you receive an LDAP exceptions.IndexError event at authentication?

No

Below are logs of a successful LDAP auth from the nginx LDAP module to the Duo LDAP proxy.

nginx.conf
...
location /directory {
	#access_log  /var/log/nginx/firmwares-access.log main;
	#error_log /var/log/nginx/firmwares-error.log debug;

	auth_ldap "Nah ah ah; you didnt say the magic word";
	auth_ldap_servers ldap_local;

	alias /home/dvmacias;
	autoindex on;
}

Logs from duo-auth:
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=2L, value=LDAPSearchRequest(baseObject='dc=datacom,dc=net', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='objectClass'), assertionValue=BEROctetString(value='person')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='uid'), assertionValue=BEROctetString(value='dvmacias'))]), attributes=['1.1']))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] C->S LDAPMessage(id=89, value=LDAPSearchRequest(baseObject='dc=datacom,dc=net', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='objectClass'), assertionValue=BEROctetString(value='person')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='uid'), assertionValue=BEROctetString(value='dvmacias'))]), attributes=['1.1']))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=89L, value=L■■■■(objectName='uid=dvmacias,ou=People,dc=datacom,dc=net', attributes=[])
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2L, value=L■■■■(objectName='uid=dvmacias,ou=People,dc=datacom,dc=net', attributes=[])
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=89L, value=LDAPSearchResultDone(resultCode=0L))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2L, value=LDAPSearchResultDone(resultCode=0L))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=3L, value=LDAPSearchRequest(baseObject='ou=Group,dc=datacom,dc=net', scope=1, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='config')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='member'), assertionValue=BEROctetString(value='uid=dvmacias,ou=People,dc=datacom,dc=net'))]), attributes=['1.1']))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] C->S LDAPMessage(id=90, value=LDAPSearchRequest(baseObject='ou=Group,dc=datacom,dc=net', scope=1, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='config')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='member'), assertionValue=BEROctetString(value='uid=dvmacias,ou=People,dc=datacom,dc=net'))]), attributes=['1.1']))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=90L, value=L■■■■(objectName='cn=config,ou=Group,dc=datacom,dc=net', attributes=[])
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=3L, value=L■■■■(objectName='cn=config,ou=Group,dc=datacom,dc=net', attributes=[])
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=90L, value=LDAPSearchResultDone(resultCode=0L))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=3L, value=LDAPSearchResultDone(resultCode=0L))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=4L, value=LDAPBindRequest(version=3, dn='uid=dvmacias,ou=People,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] C->S LDAPMessage(id=91, value=LDAPBindRequest(version=3, dn='uid=dvmacias,ou=People,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=91L, value=LDAPBindResponse(resultCode=0L))
2018-07-19T15:37:06+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fa22132a150>
2018-07-19T15:37:06+0000 [Uninitialized] C->S LDAPMessage(id=92, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=92L, value=LDAPBindResponse(resultCode=0L))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C->S LDAPMessage(id=93, value=LDAPSearchRequest(baseObject='uid=dvmacias,ou=People,dc=datacom,dc=net', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='ObjectClass'), assertionValue=LDAPAssertionValue(value='posixAccount'))]), attributes=('uid',)))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=93L, value=L■■■■(objectName='uid=dvmacias,ou=People,dc=datacom,dc=net', attributes=[('uid', ['dvmacias'])])
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=93L, value=LDAPSearchResultDone(resultCode=0L))
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] C->S LDAPMessage(id=94, value=LDAPUnbindRequest())
2018-07-19T15:37:06+0000 [_ADServiceClientProtocol,client] http POST to https://■■■■:443/rest/v1/preauth: user=dvmacias
2018-07-19T15:37:06+0000 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2018-07-19T15:37:06+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fa22132a150>
2018-07-19T15:37:06+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.196.63.163:33872] Got preauth result for dvmacias: u'auth'
2018-07-19T15:37:06+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■:443/rest/v1/auth: auto=push1&factor=auto&ipaddr=0.0.0.0&user=dvmacias
2018-07-19T15:37:06+0000 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/auth>
2018-07-19T15:37:06+0000 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2018-07-19T15:37:10+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.196.63.163:33872] Duo authentication returned 'allow': 'Success. Logging you in...'
2018-07-19T15:37:10+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.196.63.163:33872] Success. Logging you in...
2018-07-19T15:37:10+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] S->C LDAPMessage(id=4L, value=LDAPBindResponse(resultCode=0L))
2018-07-19T15:37:10+0000 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>
2018-07-19T15:37:10+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=5L, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:10+0000 [DuoAutoLdapServer,19,10.196.63.163] [Request from 10.196.63.163:33872] Attempt to bindRequest multiple times in the same LDAP connection.  Disconnecting.
2018-07-19T15:37:10+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fa221594b50>
2018-07-19T15:37:20+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fa221594c10>
2018-07-19T15:37:20+0000 [DuoAutoLdapServer,20,10.196.63.163] S<-C LDAPMessage(id=1L, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:20+0000 [Uninitialized] C->S LDAPMessage(id=95, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:20+0000 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=95L, value=LDAPBindResponse(resultCode=0L))
2018-07-19T15:37:20+0000 [_ADServiceClientProtocol,client] [Request from 10.196.63.163:33882] Primary bind exempted from 2FA
2018-07-19T15:37:20+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1L, value=LDAPBindResponse(resultCode=0L))

Logs from openldap:
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=1 SRCH base="dc=datacom,dc=net" scope=2 deref=0 filter="(&(objectClass=person)(uid=dvmacias))"
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=1 SRCH attr=1.1
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=2 SRCH base="ou=Group,dc=datacom,dc=net" scope=1 deref=0 filter="(&(cn=config)(member=uid=dvmacias,ou=people,dc=datacom,dc=net))"
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=2 SRCH attr=1.1
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=3 BIND anonymous mech=implicit ssf=0
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=3 BIND dn="uid=dvmacias,ou=People,dc=datacom,dc=net" method=128
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=3 BIND dn="uid=dvmacias,ou=People,dc=datacom,dc=net" mech=SIMPLE ssf=0
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1034 op=3 RESULT tag=97 err=0 text=
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 fd=34 ACCEPT from IP=10.196.63.163:46786 (IP=10.196.63.163:389)
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" method=128
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" mech=SIMPLE ssf=0
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=0 RESULT tag=97 err=0 text=
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=1 SRCH base="uid=dvmacias,ou=People,dc=datacom,dc=net" scope=2 deref=0 filter="(&(|(&(?objectClass=user)(?objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(objectClass=posixAccount))"
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=1 SRCH attr=uid
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 19 15:37:06 duo2-lab slapd[6971]: conn=1035 fd=34 closed (connection lost)
Jul 19 15:37:10 duo2-lab slapd[6971]: conn=1034 fd=21 closed (connection lost)
Jul 19 15:37:20 duo2-lab slapd[6971]: conn=1036 fd=21 ACCEPT from IP=10.196.63.163:46794 (IP=10.196.63.163:389)
Jul 19 15:37:20 duo2-lab slapd[6971]: conn=1036 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" method=128
Jul 19 15:37:20 duo2-lab slapd[6971]: conn=1036 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" mech=SIMPLE ssf=0
Jul 19 15:37:20 duo2-lab slapd[6971]: conn=1036 op=0 RESULT tag=97 err=0 text=

Hmm… I was trying to upload something but couldn’t.
“New users cannot upload attachments”? Interesting.
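
The Duo Authentication Proxy log above shows, on server connection 19, the user bind (id=4) answered with resultCode=0 once the push was approved, then a second LDAPBindRequest as cn=authuser (id=5) that the proxy refuses with “Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.”; nginx then comes back on a fresh connection (20) whose service-account bind is exempted from 2FA. The script below is an added example (not code from this thread and not Duo’s) that parses that log format, rebuilds the per-connection operation sequence and flags any connection that sent more than one bind. The sample lines are constructed from the ones posted above with payloads shortened, and the line layout it assumes is taken only from those lines. Whether that disconnect is what the browser reports as “Secure Connection Failed” is not established in the thread; it is the first thing to check against the nginx error log.

```python
"""Rebuild per-connection LDAP operation sequences from Duo Authentication
Proxy debug log lines and flag connections on which the client bound twice.

Added example, not code from the thread or from Duo.  The parsing assumes
only the line layout visible in the thread:
    <timestamp> [<context>] <message>
where client requests reaching the proxy's LDAP server side are logged under
the context "DuoAutoLdapServer,<conn>,<client ip>" as
    S<-C LDAPMessage(id=<n>L, value=<Operation>(...))
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the log posted in the thread (payloads
# shortened; response lines from other contexts kept to show they are ignored).
SAMPLE_LOG = """\
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=2L, value=LDAPSearchRequest(baseObject='dc=datacom,dc=net', scope=2, filter=(&(objectClass=person)(uid=dvmacias))))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=3L, value=LDAPSearchRequest(baseObject='ou=Group,dc=datacom,dc=net', scope=1, filter=(&(cn=config)(member=uid=dvmacias,ou=People,dc=datacom,dc=net))))
2018-07-19T15:37:06+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=4L, value=LDAPBindRequest(version=3, dn='uid=dvmacias,ou=People,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:06+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.196.63.163:33872] Got preauth result for dvmacias: u'auth'
2018-07-19T15:37:10+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 10.196.63.163:33872] Duo authentication returned 'allow': 'Success. Logging you in...'
2018-07-19T15:37:10+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] S->C LDAPMessage(id=4L, value=LDAPBindResponse(resultCode=0L))
2018-07-19T15:37:10+0000 [DuoAutoLdapServer,19,10.196.63.163] S<-C LDAPMessage(id=5L, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:10+0000 [DuoAutoLdapServer,19,10.196.63.163] [Request from 10.196.63.163:33872] Attempt to bindRequest multiple times in the same LDAP connection.  Disconnecting.
2018-07-19T15:37:20+0000 [DuoAutoLdapServer,20,10.196.63.163] S<-C LDAPMessage(id=1L, value=LDAPBindRequest(version=3, dn='cn=authuser,dc=datacom,dc=net', auth='*****', sasl=False))
2018-07-19T15:37:20+0000 [_ADServiceClientProtocol,client] [Request from 10.196.63.163:33882] Primary bind exempted from 2FA
2018-07-19T15:37:20+0000 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1L, value=LDAPBindResponse(resultCode=0L))
"""

LINE_RX = re.compile(r"^(?P<ts>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
SERVER_CTX_RX = re.compile(r"^DuoAutoLdapServer,(?P<conn>\d+),(?P<ip>[\d.]+)$")
# Client -> proxy requests; the greedy args group backtracks to the final "))".
REQ_RX = re.compile(
    r"^S<-C LDAPMessage\(id=(?P<id>\d+)L?, value=(?P<op>LDAP\w+?Request)\((?P<args>.*)\)\)$"
)
DN_RX = re.compile(r"dn='(?P<dn>[^']*)'")
DISCONNECT_TEXT = "Attempt to bindRequest multiple times in the same LDAP connection"


def parse_connections(log_text):
    """Return {conn_id: {"ip": str, "ops": [(msg_id, op, dn_or_None)], "disconnected": bool}}.

    Only lines logged under the proxy's server-side context carry a connection
    id, so responses and HTTP/API lines from other contexts are skipped.
    """
    conns = defaultdict(lambda: {"ip": None, "ops": [], "disconnected": False})
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        ctx = SERVER_CTX_RX.match(m.group("ctx"))
        if not ctx:
            continue
        conn = conns[int(ctx.group("conn"))]
        conn["ip"] = ctx.group("ip")
        msg = m.group("msg")
        if DISCONNECT_TEXT in msg:
            conn["disconnected"] = True
            continue
        req = REQ_RX.match(msg)
        if req:
            dn = DN_RX.search(req.group("args"))
            conn["ops"].append(
                (int(req.group("id")), req.group("op"), dn.group("dn") if dn else None)
            )
    return dict(conns)


def find_rebinds(conns):
    """Connections carrying more than one LDAPBindRequest -> {conn_id: [bind DNs in order]}."""
    offenders = {}
    for cid, conn in conns.items():
        binds = [dn for _, op, dn in conn["ops"] if op == "LDAPBindRequest"]
        if len(binds) > 1:
            offenders[cid] = binds
    return offenders


def report(log_text):
    """Human-readable summary, one line per connection plus a '!!' line per offender."""
    conns = parse_connections(log_text)
    rebinds = find_rebinds(conns)
    out = []
    for cid in sorted(conns):
        conn = conns[cid]
        ops = ", ".join(
            f"{op}#{mid}" + (f" as {dn}" if dn else "") for mid, op, dn in conn["ops"]
        )
        out.append(f"conn {cid} from {conn['ip']}: {ops}")
        if cid in rebinds:
            out.append(
                f"  !! {len(rebinds[cid])} binds on one connection "
                f"({' -> '.join(rebinds[cid])}); proxy disconnected: {conn['disconnected']}"
            )
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real `authproxy.log` captured with debug logging and look for the “!!” lines: each one is a client that tried to reuse a connection after the user bind, which the proxy does not allow, so the client (here nginx) has to reconnect and redo its service-account bind.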

davama
Level 1

OK… I’m not allowed to upload. That’s dumb.

Here is what I was trying to upload, as text… (would have preferred PDFs)

Hello,

Thanks for getting back to me on this.
Have you attempted to start the authentication proxy?
Does it start without issue?
Attempt an authentication on the new port you specified.

Thanks
Nicco
Want to know what we're up to? Subscribe to our Release Notes in the Duo Community!
Duo Security Support Team - Support Page https://duo.com/support

Thu, Jul 19, 11:27 AM (7 days ago)
to support

Have you attempted to start the authentication proxy? yes
Does it start without issue? it's good
Attempt a authentication on the new port you specified. yes
ldapsearch -xLLL -D uid=dvmacias,ou=people,dc=datacom,dc=net -w dvmacias -b dc=datacom,dc=net -h duo2-lab -p 390 uid=dvmacias dn
dn: uid=dvmacias,ou=People,dc=datacom,dc=net


Logs from duo-auth from auth above:

<redacted-see-previous-comment>


Logs from openldap

<redacted-see-previous-comment>


Thu, Jul 19, 11:31 AM (7 days ago)
to support

Ok ... I think I’m getting close. Thanks again for the continued support, Nicco.

I updated my nginx.conf file and pointed to my local duo2-lab:390 port and it gave me a push notification on my phone.
I accepted it but it didn’t give me the page.
Still testing.
This is pretty exciting! :)
Thanks!


Thu, Jul 19, 11:47 AM (7 days ago)
to support

So, in a nutshell, I cannot see my hosted web content when I type a correct user/pass and accept the push notification.
I am doing a simple directory index and securing that folder.
See attached files.


nginx.conf
...
location /directory {
	#access_log  /var/log/nginx/firmwares-access.log main;
	#error_log /var/log/nginx/firmwares-error.log debug;

	auth_ldap "Nah ah ah; you didnt say the magic word";
	auth_ldap_servers ldap_local;

	alias /home/dvmacias;
	autoindex on;
}

Logs from duo-auth:

<redacted-see-previous-comment>

Logs from openldap:

<redacted-see-previous-comment>


I’m assuming it has something to do with my nginx config.
Any input?

Thank you,
dave


davama
Level 1

And finally

Hello,

It sounds like your authentication with 2FA is working correctly now all you have to figure out is why your content is not showing up. After the authentication is complete, I would say that this would be a Nginx issue.


Thanks
Nicco

Thu, Jul 19, 5:01 PM (7 days ago)
to support

Ok, well what I can tell you is that if I point my nginx_ldap module to my local OpenLDAP server I can authenticate perfectly fine with just username/password.

If I re-point it to the Duo LDAP proxy it does not.

Just to be clear.
I am trying to integrate DUO with nginx similarly to how the duo_pam works. Has anyone done this before? If so, how?
Using the nginx_ldap module is not necessary for us. I am just interested in combining ssh access and web access with one authentication portal. If that makes sense.

Thank you for the continued support.

Hello,

Unfortunately I have no previous tickets on a setup like this so we would not have anything to go from setup wise.


Thanks
Nicco

Please don’t post sensitive information in the community forum. The admins have hidden your post.

Duo, not DUO.

davama
Level 1

Ah, sorry about that… not sure which part is sensitive… I removed emails (if that was it).

thanks

I think it was just between the email thread and the log files there was enough info that someone could call support to try impersonate you. It wouldn’t have worked, but why even keep the info out there?

So looks like the Duo proxy log and your openldap log show a series of successful searches and binds, and you approved the Duo 2FA request.

Looking at the emails, the issue then is that nginx doesn’t serve the expected content? Is there any nginx logging that might reveal what’s happening? Like, is it 401-ing or 403-ing the access?

Duo, not DUO.

So what part should I remove? Would prefer to have this thread visible so that more people can chime in.

Regarding nginx logs, I would have to reinstall the Duo stuff and try again.
But the page would just say “Secure Connection Failed”. I am willing to try again.

The nginx_ldap_module is for user/pass authentication (single factor). I don’t think it’s designed to handle 2FA. Which is why I was looking to see if DUO had some product like pam_unix that can interface with nginx. That way ssh and web access would be the same.

nginx by default does not come with any auth modules, you have to install them yourself. It does a very good job though proxying your content.

Any plans on DUO to support nginx?

Also, I did notice this but am not sure if it’s the path to my goal: Duo Web Two-Factor Authentication for Your Web Application | Duo Security

Thank you

The Duo web page you linked to is for adding Duo’s inline browser-based authentication prompt to any web application. You could potentially add this to your nginx sites.

We also produce our own SSH & web reverse-proxy, the Duo Network Gateway.

We have no current plans to create any modules for nginx.

I’m not really sure what you’d need to remove… maybe all the logs? I’d suggest just posting again asking the community if anyone’s gotten it to work.

Duo, not DUO.