gosp/lua-resty-ntlm

Intro

Windows authentication is always used inside companies. IIS can enable Windows authentication easily. For Nginx users, the existing solutions aren't friendly: Nginx Pro provides an ntlm module, but it isn't free; a reverse proxy requires setting up another server first.

The project is inspired by express-ntlm and PyAuthenNTLM2. IIS triggers the Windows authentication scenario for each connection. Unlike IIS, this project only triggers NTLM for the first request. After authentication is done, the HTTP header Authorization:Bearer is sent to the browser, and the browser should put it in each request to avoid going through NTLM again. At the same time, the HTTP headers X-Ntlm-Username and X-Ntlm-Domain are sent to the upstream.
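The flow described above means each request arrives with an NTLM negotiate message, an NTLM authenticate message, or a Bearer token in its Authorization header. The following added example (not code from this project) is an offline decoder that tells them apart and reads the domain and user name fields that would feed X-Ntlm-Domain and X-Ntlm-Username; the function names and the sample message are constructed for illustration, and the field offsets follow the MS-NLMP message layout.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

def classify(authorization):
    """Return (kind, details) for one Authorization header value."""
    scheme, _, value = authorization.strip().partition(" ")
    if scheme.lower() == "bearer":
        return "bearer", {"token": value.strip()}
    if scheme.lower() != "ntlm":
        return "other", {}
    try:
        blob = base64.b64decode(value.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "invalid", {}
    if len(blob) < 12 or blob[:8] != SIGNATURE:
        return "invalid", {}
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type == 1:
        return "negotiate", {}
    if msg_type != 3 or len(blob) < 64:  # a client never sends type 2
        return "invalid", {}
    (flags,) = struct.unpack_from("<I", blob, 60)
    # Assumption: the OEM code page is treated as latin-1 in this sketch.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"

    def field(offset):
        # Field descriptor: length (2), max length (2), payload offset (4).
        length, _, start = struct.unpack_from("<HHI", blob, offset)
        if start + length > len(blob):
            raise ValueError("field points outside the message")
        return blob[start:start + length].decode(encoding)

    try:
        # These names are only what the client claims; they are not
        # trustworthy until the challenge response has been verified.
        return "authenticate", {"domain": field(28), "username": field(36)}
    except ValueError:
        return "invalid", {}

def sample_authenticate(domain="CORP", user="alice"):
    """Constructed type 3 message with empty responses, for the demo only."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    fields = (empty * 2 + struct.pack("<HHI", len(d), len(d), 64)
              + struct.pack("<HHI", len(u), len(u), 64 + len(d)) + empty * 2)
    blob = (SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + d + u)
    return "NTLM " + base64.b64encode(blob).decode()
```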

NOTICE: don't send Set-Cookie during NTLM authentication. (#1175)

Usage

  • install OpenResty which integrates Nginx and LuaJIT
  • install LuaRocks, because ntlm.lua depends on the struct and iconv modules
  • install struct module: sudo /usr/local/openresty/luajit/bin/luarocks install struct
  • install iconv module: sudo /usr/local/openresty/luajit/bin/luarocks install lua-iconv
  • save ntlm.lua into /usr/local/openresty/site/lualib
  • add the following code to /usr/local/openresty/nginx/conf/nginx.conf:
        lua_shared_dict ntlm_cache 10m;
        keepalive_timeout  35;
        ... ...
        access_by_lua_block {
            local cache = ngx.shared.ntlm_cache
            require('ntlm').negotiate("ldap://domain.net:389", cache, 10)
            -- cache is the shared dict declared with lua_shared_dict above
            -- the timeout (10) must be less than keepalive_timeout (35)
        }
    
  • restart nginx service: sudo service openresty restart

About

Nginx NTLM module implemented in Lua