Configuring SSO in Nginx, integration with Zabbix in CentOS 8 / Rocky Linux


Single sign-on (SSO) is an authentication method that lets a user who has already authenticated once (here: at Windows logon to the AD domain) use other, separately administered systems without entering credentials again. In this setup the browser presents its Kerberos service ticket to Nginx through HTTP Negotiate (SPNEGO); Nginx verifies it against the keytab and hands the verified user name on to Zabbix, which only has to look that user up.

Preparation

Starting point:

  • Zabbix and Nginx are already installed on the server
  • LDAP authentication against Active Directory is configured in Zabbix, and the users to be served already exist in Zabbix under their AD user names (HTTP authentication only identifies a user; it does not create one)

Installing the packages needed to build Nginx from source

$ sudo dnf -y install tar gcc unzip gcc-c++ make pcre-devel zlib-devel curl wget git openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed gperftools-devel redhat-rpm-config

Building the dynamic SPNEGO module

Checking the Nginx version

$ nginx -v
nginx version: nginx/1.20.1

Download the sources for Nginx (our installed version) and unpack them

$ cd /tmp
$ wget https://nginx.org/download/nginx-1.20.1.tar.gz
$ tar zxvf nginx-*.tar.gz

Go to the directory

$ cd nginx-*/

Clone the SPNEGO module repository

$ git clone https://github.com/stnoonan/spnego-http-auth-nginx-module.git

See what options the installed NGINX is built with

$ nginx -V

We need everything after "configure arguments:".

Configure the source tree with exactly those arguments and append --add-dynamic-module=spnego-http-auth-nginx-module so the module is built as a loadable .so. The arguments and the version must match the installed binary: nginx refuses to load a module built against a different version or with a different set of options ("module is not binary compatible").

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC" --with-ld-opt="-Wl,-z,relro -Wl,-z,now -pie" --add-dynamic-module=spnego-http-auth-nginx-module

Build only the modules (nginx itself does not need to be rebuilt or installed)

$ make modules

The file “ngx_http_auth_spnego_module.so” will appear in the “objs” directory
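The build steps above collected into one script, as an added example that is not part of the original article: it reads the version and the configure arguments from nginx -V, fetches the matching source tarball from nginx.org, clones the module and builds only the module, so the resulting .so always matches the running binary. The parsing functions, the "build" argument and the script name are this example's own; it assumes nginx, wget, git and a compiler are installed and that /tmp is writable.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Rebuilds the SPNEGO
# module against exactly the nginx version that is installed, reusing
# the installed binary's configure arguments: nginx refuses to load a
# module built with a different version or a different signature
# ("module ... is not binary compatible"). Assumes nginx, wget, git and
# a compiler are installed and that /tmp is writable.
set -eu

# "1.20.1" from the "nginx version: nginx/1.20.1" line of `nginx -V`.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p'
}

# Everything after "configure arguments: " from the same output.
nginx_configure_args() {
    printf '%s\n' "$1" | sed -n 's#^configure arguments: ##p'
}

# Download the matching source, add the module and build only the module.
build_spnego_module() {
    local info ver args
    info=$(nginx -V 2>&1)          # nginx -V prints to stderr
    ver=$(nginx_version "$info")
    args=$(nginx_configure_args "$info")
    if [ -z "$ver" ] || [ -z "$args" ]; then
        echo "could not parse nginx -V output" >&2
        return 1
    fi
    cd /tmp
    wget -q "https://nginx.org/download/nginx-${ver}.tar.gz"
    tar xzf "nginx-${ver}.tar.gz"
    cd "nginx-${ver}"
    git clone https://github.com/stnoonan/spnego-http-auth-nginx-module.git
    # eval re-splits the captured string the way the shell originally did,
    # which matters for the quoted --with-cc-opt='...' and --with-ld-opt='...'.
    eval ./configure "$args" --add-dynamic-module=spnego-http-auth-nginx-module
    make modules
    ls -l objs/ngx_http_auth_spnego_module.so
}

# Usage: bash build-spnego.sh build   (the file name is hypothetical)
if [ "${1:-}" = "build" ]; then
    build_spnego_module
fi
```

Without the "build" argument the script only defines its functions, which is handy for checking the parsing against a saved copy of nginx -V output before touching a production host.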

Loading the SPNEGO module into Nginx

Copy the module into the Nginx modules directory and set its permissions (readable by everyone, writable only by root)

$ sudo cp objs/ngx_http_auth_spnego_module.so /usr/lib64/nginx/modules/
$ sudo chmod 644 /usr/lib64/nginx/modules/ngx_http_auth_spnego_module.so

Add the ngx_http_auth_spnego_module.so module to the Nginx config

$ sudo nano /etc/nginx/nginx.conf
...
pid        /var/run/nginx.pid;

load_module modules/ngx_http_auth_spnego_module.so;

events {
...

Checking

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restarting Nginx

$ sudo systemctl restart nginx

Integration with Windows AD

Installing the Kerberos client

$ sudo dnf -y install krb5-workstation

Edit /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ITDRAFT.RU
default_keytab_name = /etc/nginx/zabbix_srv.keytab
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
ticket_lifetime = 24h

[realms]
ITDRAFT.RU = {
 kdc = srv-dc-01.itdraft.ru
 kdc = srv-dc-02.itdraft.ru
 default_domain = ITDRAFT.RU
 admin_server = srv-dc-01.itdraft.ru
}

[domain_realm]
.itdraft.ru = ITDRAFT.RU
itdraft.ru = ITDRAFT.RU

Make sure the Zabbix server's FQDN, mon.itdraft.ru, resolves: add it to the local DNS and register the FQDN in /etc/hosts on the server itself. The host name the browser uses in the URL must be the host part of the SPN registered below, because the client asks the KDC for a ticket for HTTP/<that host name>; a bare IP address or an alias without its own SPN will not get a ticket.

Create account and keytab in AD

In AD, create an ordinary user account, in this example zabbix_srv. It needs no group memberships or logon rights. Tick "This account supports Kerberos AES 256 bit encryption" on the account so that AES keys are issued for it, and set "Password never expires", otherwise the keytab stops working as soon as the password policy rotates the password.

Open PowerShell on a domain controller (or any machine with the RSAT tools) and register the SPN:

> setspn -A HTTP/mon.itdraft.ru@ITDRAFT.RU zabbix_srv

An SPN must be unique in the domain: if HTTP/mon.itdraft.ru is also registered on another account, Kerberos authentication for that service fails. setspn -Q HTTP/mon.itdraft.ru shows whether it already exists, and setspn -S adds it only after checking for duplicates.

Create the keytab file:

> ktpass /princ HTTP/mon.itdraft.ru@ITDRAFT.RU /mapuser zabbix_srv@ITDRAFT.RU /crypto ALL /ptype KRB5_NT_PRINCIPAL /out C:\zabbix_srv.keytab /pass *

  • mon.itdraft.ru: the Zabbix server's host name;
  • ITDRAFT.RU: the domain (Kerberos realm), always in upper case;
  • zabbix_srv@ITDRAFT.RU: the AD account the principal is mapped to;
  • /pass *: prompt for the password.

Two things to know about ktpass: with /mapuser it resets the account's password to the one you enter (the key version number changes, so any older keytab for the account stops working), and /crypto ALL writes a key for every type the account supports, RC4 included; /crypto AES256-SHA1 keeps the keytab AES-only (the AES flag on the account must be set for that to work).

The keytab is equivalent to the account's password. Copy it to the Zabbix server over an encrypted channel (scp) into /etc/nginx/, owned by root:nginx with mode 640 so that the Nginx worker processes can read it but no other local user can, and delete the copy left on the Windows machine.

Checking on the Zabbix server

Obtain a ticket with the keytab; success proves that the keys and the key version number in the keytab match the account in AD:

$ kinit -V -k -t /etc/nginx/zabbix_srv.keytab HTTP/mon.itdraft.ru@ITDRAFT.RU
Using new cache: 1000:47555
Using principal: HTTP/mon.itdraft.ru@ITDRAFT.RU
Using keytab: /etc/nginx/zabbix_srv.keytab
Authenticated to Kerberos v5

Run kdestroy afterwards; Nginx only needs the keytab, not a ticket cache.
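The kinit check above, extended with the two checks a practitioner wants before pointing Nginx at the keytab: that the file is not readable by other local users, and that it does not carry weak (DES, RC4) keys. This is an added example, not part of the original article. It assumes the Nginx workers run as user nginx (so the keytab should be root:nginx, mode 640), that MIT krb5 tools are installed, and that the principal is HTTP/mon.itdraft.ru@ITDRAFT.RU; the function names and the script name are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Checks a keytab before
# nginx is pointed at it. Assumptions: nginx workers run as the "nginx"
# user (so the keytab should be root:nginx 0640), MIT krb5 tools are
# installed, and the service principal is HTTP/mon.itdraft.ru@ITDRAFT.RU.
set -eu

# 0 if the file mode is of the form ?[04]0: the owner may read/write,
# the group may at most read, and "other" has no access. Whoever can
# read the keytab can impersonate the HTTP service to every client.
keytab_mode_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        [0-7][04]0) return 0 ;;
        *)          return 1 ;;
    esac
}

# Takes `klist -kte` output as $1 and prints the weak encryption types
# (single DES, RC4/arcfour) found in it, one per line; prints nothing
# if only AES keys are present. Newer klist prefixes deprecated types
# with "DEPRECATED:", which is stripped before matching.
weak_enctypes() {
    printf '%s\n' "$1" \
        | grep -oE '\([^)]*\)' \
        | tr -d '()' \
        | sed 's/^DEPRECATED://' \
        | grep -E '^(des-|arcfour-)' \
        | sort -u
}

# Full check: permissions, key types, and a real AS exchange with the KDC
# into a throw-away credential cache (proves the keys and kvno match AD).
check_keytab() {
    local kt="$1" princ="$2" weak cache
    if ! keytab_mode_ok "$kt"; then
        echo "FAIL: $kt must be root:nginx mode 0640 (chown root:nginx; chmod 640)" >&2
        return 1
    fi
    weak=$(weak_enctypes "$(klist -kte "$kt")")
    if [ -n "$weak" ]; then
        echo "WARN: keytab contains weak enctypes: $(echo "$weak" | tr '\n' ' ')" >&2
    fi
    cache=$(mktemp)
    kinit -k -t "$kt" -c "FILE:$cache" "$princ"
    kdestroy -c "FILE:$cache"
    echo "OK: $princ authenticated with $kt"
}

# Usage: bash check-keytab.sh /etc/nginx/zabbix_srv.keytab HTTP/mon.itdraft.ru@ITDRAFT.RU
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

The weak-enctype warning is worth acting on with ktpass /crypto AES256-SHA1 as described above: a keytab that still contains an RC4 key lets a client that negotiates RC4 authenticate with a key derived directly from the account password's NT hash.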

Configuring HTTP authentication in zabbix

Go to Administration – Authentication – HTTP settings and tick "Enable HTTP authentication".

Before saving, make sure the Zabbix user you are logged in as has the same name as your AD account: once HTTP authentication is on, Zabbix trusts the user name handed over by Nginx and looks it up among existing Zabbix users, and a name that does not match locks you out of the frontend. If the names arrive as user@ITDRAFT.RU, enable "Remove domain name" here, or keep auth_gss_format_full off in Nginx so that only the bare user name is passed.

Configuring SSO in Nginx

Edit the Nginx server block for Zabbix

$ sudo nano /etc/nginx/conf.d/zabbix.conf
server {
        listen          80;
        listen          443 ssl;
        server_name     mon.itdraft.ru;

        auth_gss on;
        auth_gss_realm ITDRAFT.RU;
        auth_gss_keytab /etc/nginx/zabbix_srv.keytab;
        auth_gss_service_name "HTTP/mon.itdraft.ru";
        auth_gss_allow_basic_fallback on;
...

auth_gss_allow_basic_fallback on lets a client that cannot do Negotiate (a browser that does not trust the site, curl without Kerberos) fall back to Basic authentication, which the module verifies against the KDC with the user's AD password. Because this block also listens on plain port 80, that password would cross the network in the clear; either make port 80 redirect to HTTPS or turn the fallback off. The part of the block elided here must also pass the authenticated name on to PHP-FPM, otherwise Zabbix never sees it.
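The same server block as an added example (not the article's configuration) with the cleartext path closed and the elided part filled in: port 80 only redirects, so a Basic fallback can only ever happen over TLS, and the PHP location hands the authenticated name to PHP-FPM, which is what Zabbix's HTTP authentication reads. The certificate paths, the PHP-FPM socket and the document root are assumptions; the auth_gss_* lines are the article's.

```nginx
# Added example, not the article's config. Assumed: certificate paths,
# PHP-FPM socket and document root.

# Plain HTTP never authenticates anyone; it only sends the client to TLS.
server {
    listen       80;
    server_name  mon.itdraft.ru;
    return 301 https://$host$request_uri;
}

server {
    listen              443 ssl;
    server_name         mon.itdraft.ru;
    ssl_certificate     /etc/nginx/ssl/mon.itdraft.ru.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/mon.itdraft.ru.key;   # assumed path

    root  /usr/share/zabbix;   # assumed frontend location
    index index.php;

    auth_gss                      on;
    auth_gss_realm                ITDRAFT.RU;
    auth_gss_keytab               /etc/nginx/zabbix_srv.keytab;
    auth_gss_service_name         "HTTP/mon.itdraft.ru";
    # Basic fallback is now only reachable over TLS. Turn it off entirely
    # if every client is a domain-joined browser.
    auth_gss_allow_basic_fallback on;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Zabbix's HTTP authentication takes the user name from the
        # PHP_AUTH_USER / REMOTE_USER CGI variables. nginx does not pass
        # $remote_user (set by the SPNEGO module on success) to PHP-FPM
        # unless told to, so without this line Zabbix sees no user.
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_pass  unix:/run/php-fpm/zabbix.sock;   # assumed socket
    }
}
```

After changing the block, run nginx -t and restart as above, then watch /var/log/nginx/error.log while a domain-joined browser opens the site: the module logs GSSAPI failures there (wrong keytab, clock skew, SPN mismatch) and they are otherwise invisible to the user, who only sees the fallback login prompt.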

Checking the Nginx config

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restarting Nginx

$ sudo systemctl restart nginx

For SSO to work, the browser must treat mon.itdraft.ru as a site it may send Negotiate (Kerberos) credentials to; browsers do not answer a 401 Negotiate from arbitrary hosts. On a domain-joined Windows machine this is done by adding the site to the Local Intranet zone (Internet Options; Chrome and Edge honour the same zone settings) or by pushing the AuthServerAllowlist browser policy through Group Policy. In Firefox, the site goes into network.negotiate-auth.trusted-uris in about:config.

For a quick test, Google Chrome can be started with the allow-list passed on the command line:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="mon.itdraft.ru" --auth-negotiate-delegate-whitelist="mon.itdraft.ru"

Newer Chrome versions name these switches --auth-server-allowlist and --auth-negotiate-delegate-allowlist; use those if the old names have no effect. The delegate list allows the browser to forward the user's TGT to the server (Kerberos delegation); Zabbix does not need that, so in production only allow-list the server and leave delegation out.
