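# Internal-only location: it is reachable solely through the X-Accel-Redirect
# header emitted by the PHP script below, never by a direct client request.
location /protected/data/ {
    internal;
    alias /path/to/data/files/;
}

# Exact-match location for the download front-end. The original used the
# prefix location "/download.php$": without a regex modifier the "$" is a
# literal character, so a request for /download.php never matched it.
location = /download.php {
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME /scripts/download.php;
    # $remote_user is the user name nginx parses out of a Basic Authorization header.
    fastcgi_param PHP_AUTH_USER $remote_user;
    # NOTE(review): $http_authorization is the raw "Basic <base64>" header value,
    # not the decoded password. PHP-FPM normally derives PHP_AUTH_PW itself from
    # HTTP_AUTHORIZATION, so this param is probably redundant — confirm which
    # value the script actually sees before relying on it.
    fastcgi_param PHP_AUTH_PW $http_authorization;
    include fastcgi_params;
}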
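/**
 * Challenge the client for HTTP Basic credentials and stop the request.
 *
 * Sends a 401 with a WWW-Authenticate challenge so the browser shows its
 * login box, and records in the session that the challenge was issued.
 * Never returns: the request ends with die().
 *
 * @return never
 */
function authenticate() {
    // Audit trail: who is being challenged.
    error_log("authreq: " . $_SERVER['REMOTE_ADDR']);
    // Mark that the login box has been shown to this session.
    // NOTE(review): assumes session_start() ran earlier in the script — not visible here.
    $_SESSION['AUTH'] = 1;
    // The realm is a quoted-string (RFC 7617). The original unquoted
    // "realm=LDAP credentials." is malformed and some clients reject it.
    header('WWW-Authenticate: Basic realm="LDAP credentials."');
    header("HTTP/1.0 401 Unauthorized");
    die('Unauthorized.');
}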
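/**
 * Reject the presented credentials and stop the request.
 *
 * Logs the attempt, waits a short random time, drops the session so the next
 * request is challenged again, and answers 403 with the same body as
 * authenticate() so a client cannot tell "unknown user" from "wrong password".
 * Never returns.
 *
 * @return never
 */
function forbidden() {
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    // The user name is attacker-controlled; neutralise control characters
    // (newlines in particular) so a crafted name cannot forge log lines.
    $user = preg_replace('/[\x00-\x1f\x7f]+/', '?', $user);
    error_log("forbidden: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $user);
    // Slow down online guessing. random_int() replaces rand(), whose output is
    // predictable. The sleep holds a PHP-FPM worker for its duration, so a
    // request-rate limit at nginx (limit_req) is the stronger control against
    // both guessing and worker exhaustion.
    sleep(random_int(0, 3));
    // Re-display the login form on the next request. session_destroy() warns
    // when no session is active, so only destroy one that exists.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    // Same status and body for every failure mode: do not reveal whether the
    // user exists or only the password was wrong.
    header("HTTP/1.0 403 Forbidden");
    die('Unauthorized.');
}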
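/**
 * Check the Basic-auth credentials in $_SERVER against the LDAP directory.
 *
 * Builds the user DN from PHP_AUTH_USER and performs a simple bind with
 * PHP_AUTH_PW. A failed bind (or missing/empty credentials) hands off to
 * forbidden(), which ends the request; on success the function logs the
 * event, closes the connection and returns.
 *
 * @param string $ldap_server LDAP URI to connect to.
 * @param string $ldap_domain Base DN under which the "ou=Users" container lives.
 * @return void
 */
function ldap_auth($ldap_server = 'ldap://ldap.example.com/', $ldap_domain = 'dc=example,dc=com') {
    $ldap_userbase = 'ou=Users,' . $ldap_domain;
    $username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $ldap_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // An empty password makes ldap_bind() perform an unauthenticated
    // (anonymous) bind, which many directories accept — that would admit
    // anyone as any user. Reject it before touching the server.
    if ($username === '' || $ldap_pass === '') {
        forbidden();
    }

    // The user name is attacker-controlled and becomes part of a DN; escape
    // the DN special characters (',', '+', '=', '\', ...) so the value stays
    // inside the uid= component instead of rewriting the rest of the DN.
    $ldap_user = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $ldap_userbase;

    // ldap_connect() only validates the URI; the network connection is made
    // at bind time.
    $ldapconn = ldap_connect($ldap_server)
        or die("Could not connect to LDAP server.");
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // NOTE(review): a plain ldap:// URI sends the password in clear text unless
    // the directory is local; ldaps:// or ldap_start_tls() before the bind is
    // the safer default — confirm what the deployment uses.

    // The simple bind is the credential check. The warning ldap_bind() emits
    // on bad credentials is suppressed so it cannot leak into the response;
    // the failure itself is handled by forbidden(), which does not return.
    if (!@ldap_bind($ldapconn, $ldap_user, $ldap_pass)) {
        forbidden();
    }
    error_log("success: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $username);
    ldap_close($ldapconn);
}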
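// A session without the AUTH marker has not been challenged yet: send the
// Basic-auth challenge (authenticate() ends the request).
// NOTE(review): assumes session_start() ran earlier — not visible in this listing.
if (!isset($_SESSION['AUTH']) || $_SESSION['AUTH'] != 1) {
    authenticate();
}
// Challenged, but no credentials were supplied: challenge again.
if (empty($_SERVER['PHP_AUTH_USER'])) {
    authenticate();
}
// Check credentials on every access. ldap_auth() hands off to forbidden()
// and does not return when the bind fails.
ldap_auth();

// Requested file, given as a path below the protected location
// (e.g. ?path=/data/report.pdf). Only a scalar string is acceptable;
// an array parameter (?path[]=...) is treated as missing.
$path = (isset($_GET['path']) && is_string($_GET['path'])) ? $_GET['path'] : '';

// The value is attacker-controlled and ends up in the X-Accel-Redirect URI,
// so keep it inside the protected tree: absolute, no NUL bytes, no ".."
// segments. nginx runs its own unsafe-URI check on X-Accel-Redirect, but the
// script should not depend on it.
if ($path === '' || $path[0] !== '/' || strpos($path, "\0") !== false
    || in_array('..', explode('/', $path), true)) {
    error_log("badpath: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER']);
    header("HTTP/1.0 400 Bad Request");
    die('Bad request.');
}
error_log("serving: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER'] . ', path: ' . $path);
// Presumably clears PHP's default text/html so nginx picks the type from the
// file it serves — TODO confirm against the nginx version in use.
header("Content-Type: ", true);
// Hand the file back to nginx: the /protected/ location is "internal", so
// only this redirect can reach it.
header("X-Accel-Redirect: /protected" . $path);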
# Internal-only location reached solely through X-Accel-Redirect from
# auth.php; a direct client request for /protected/... is refused by nginx.
location /protected/data/ {
    internal;
    # Directory listings are served for directory URIs under the protected
    # tree, i.e. any authenticated user can enumerate the file names there.
    # This is what makes the "full request URI" variant browsable; disable
    # it if enumeration is not wanted.
    autoindex on;
    alias /path/to/data/files/;
}

# Every request below /data/ (the public path) is routed through the PHP
# authenticator, which re-issues it as /protected/data/... on success.
location /data/ {
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME /scripts/auth.php;
    # $remote_user is the user name nginx parses out of a Basic Authorization header.
    fastcgi_param PHP_AUTH_USER $remote_user;
    # NOTE(review): $http_authorization is the raw "Basic <base64>" header value,
    # not the decoded password; PHP-FPM normally derives PHP_AUTH_PW itself from
    # HTTP_AUTHORIZATION — confirm which value auth.php actually receives.
    fastcgi_param PHP_AUTH_PW $http_authorization;
    include fastcgi_params;
}
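// With this nginx variant every request below /data/ lands here, so the
// request URI itself names the file. It is the raw, still percent-encoded
// URI and may carry a query string.
$path = $_SERVER["REQUEST_URI"];
// A query string means nothing to a static file; drop it so it never
// reaches the redirect (the original forwarded it unchanged).
$qpos = strpos($path, '?');
if ($qpos !== false) {
    $path = (string) substr($path, 0, $qpos);
}
// Validate the decoded form so that an encoded ".." or NUL byte is caught
// too; the raw form is what gets forwarded, as before. nginx runs its own
// unsafe-URI check on X-Accel-Redirect, but the script should not depend on it.
$decoded = rawurldecode($path);
if ($path === '' || $path[0] !== '/' || strpos($decoded, "\0") !== false
    || in_array('..', explode('/', $decoded), true)) {
    error_log("badpath: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER']);
    header("HTTP/1.0 400 Bad Request");
    die('Bad request.');
}
error_log("serving: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $_SERVER['PHP_AUTH_USER'] . ', path: ' . $path);
// Presumably clears PHP's default text/html so nginx picks the type from the
// file it serves — TODO confirm against the nginx version in use.
header("Content-Type: ", true);
// Hand the file back to nginx; the /protected/ location is "internal", so
// only this redirect can reach it.
header("X-Accel-Redirect: /protected" . $path);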