{"id":291869,"date":"2019-07-10T03:00:41","date_gmt":"2019-07-10T03:00:41","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=291869"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=291869","title":{"rendered":"Docker \u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0447\u0435\u0440\u0435\u0437 Nginx"},"content":{"rendered":"\n<div class=\"post__text post__text-html js-mediator-article\">\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/er\/pm\/ew\/erpmewjegcpdjjgb6aobbkf3yda.jpeg\"><\/p>\n<p>  <\/p>\n<p>\u041e\u0434\u043d\u0430 \u0438\u0437 \u0434\u043e\u0441\u0430\u0434\u043d\u044b\u0445 \u043f\u0440\u043e\u0431\u043b\u0435\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0441\u0442\u0430\u044e\u0442 \u043f\u0440\u0438 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0438 NAS, \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043d\u0435 \u0432\u0441\u044f\u043a\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u0435 \u043c\u043e\u0436\u0435\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0441 LDAP, \u0430 <a href=\"https:\/\/github.com\/d0u9\/youtube-dl-webui\">\u043d\u0435\u043a\u043e\u0442\u043e\u0440\u043e\u0435<\/a> \u0432\u043e\u043e\u0431\u0449\u0435 \u043d\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u0432 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<\/p>\n<p><a name=\"habracut\"><\/a>  <\/p>\n<p>\u0420\u0435\u0448\u0435\u043d\u0438\u0435\u043c \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0441\u043a\u0432\u043e\u0437\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0447\u0435\u0440\u0435\u0437 \u043e\u0431\u0440\u0430\u0442\u043d\u044b\u0439 \u043f\u0440\u043e\u043a\u0441\u0438.<br \/>  \u041f\u0440\u0438\u043c\u0435\u0440 \u0442\u043e\u0433\u043e, \u043a\u0430\u043a \u044d\u0442\u043e \u0441\u0434\u0435\u043b\u0430\u0442\u044c, \u0432\u0435\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e \u0440\u0430\u0437\u043e\u0431\u0440\u0430\u043d, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0432 <a href=\"https:\/\/www.tune-it.ru\/web\/asddsa1137\/home\/-\/blogs\/%D0%BE%D0%B3%D1%80%D0%B0%D0%BD%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-%D1%80%D0%B0%D0%B7%D0%B3%D1%80%D0%B0%D0%BD%D0%B8%D1%87%D0%B5%D0%BD%D0%B8%D1%8F-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF%D0%B0-%D0%BA-web-%D1%80%D0%B5%D1%81%D1%83%D1%80%D1%81%D1%83-%D1%87%D0%B5%D1%80%D0%B5%D0%B7-ldap-%D0%B2-nginx\">\u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435<\/a>.<\/p>\n<p>  <\/p>\n<p>\u041f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0434\u0430\u043d\u043d\u0430\u044f \u0441\u0442\u0430\u0442\u044c\u044f \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0447\u0430\u0441\u0442\u044c\u044e <a href=\"https:\/\/habr.com\/ru\/post\/359346\/\">NAS \u0446\u0438\u043a\u043b\u0430<\/a>,<br \/>  \u0437\u0434\u0435\u0441\u044c \u044f \u043e\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0441\u044c \u043d\u0430 \u0442\u043e\u043c, \u043a\u0430\u043a \u043f\u0440\u0438\u0441\u043f\u043e\u0441\u043e\u0431\u0438\u0442\u044c \u0434\u0430\u043d\u043d\u043e\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u0435 \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c \u0432 Docker-\u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430\u0445.<\/p>\n<p>  <\/p>\n<p>\u0420\u0435\u0448\u0435\u043d\u0438\u0435 \u043e\u0441\u043d\u043e\u0432\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430 \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0447\u0435\u0440\u0435\u0437 \u0432\u043d\u0435\u0448\u043d\u0435\u0433\u043e \u0430\u0433\u0435\u043d\u0442\u0430 <a href=\"https:\/\/github.com\/nginxinc\/nginx-ldap-auth\">Nginx LDAP Auth<\/a>, \u043d\u043e \u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e <a href=\"https:\/\/github.com\/linuxserver\/docker-ldap-auth\">\u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u043e\u0442 LinuxServer.io<\/a> \u043f\u043e\u0442\u043e\u043c\u0443, \u0447\u0442\u043e \u044d\u0442\u043e \u0433\u043e\u0442\u043e\u0432\u044b\u0439 \u043e\u0431\u0440\u0430\u0437, \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0439 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0451\u043d\u043d\u044b\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0430\u043c.<\/p>\n<p>  <\/p>\n<p>\u0415\u0434\u0438\u043d\u0441\u0442\u0432\u0435\u043d\u043d\u0430\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u043b\u0430\u0441\u044c \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043f\u0430\u0442\u0447\u0438 LinuxServer.io \u0441\u043b\u043e\u043c\u0430\u043b\u0438 \u0431\u0430\u0437\u043e\u0432\u0443\u044e HTTP \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e, \u043d\u043e \u043f\u043e\u0441\u043b\u0435 \u0442\u043e\u0433\u043e, \u043a\u0430\u043a \u0432\u043b\u0438\u043b\u0438 <a href=\"https:\/\/github.com\/linuxserver\/docker-ldap-auth\/pull\/18\">\u0431\u0430\u0433\u0444\u0438\u043a\u0441<\/a>, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u044d\u0442\u0438\u043c \u0441\u0442\u0430\u043b\u043e \u043e\u043f\u044f\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e.<\/p>\n<p>  <\/p>\n<h2 id=\"autentifikaciya-v-obschem-sluchae\">\u0410\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0432 \u043e\u0431\u0449\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435<\/h2>\n<p>  <\/p>\n<p>\u041a\u0430\u043a \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u0432 \u0441\u0442\u0430\u0442\u044c\u044f\u0445, \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0441\u044f \u043f\u043e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0439 \u0441\u0445\u0435\u043c\u0435:<\/p>\n<p>  <\/p>\n<ul>\n<li>\u041a\u043b\u0438\u0435\u043d\u0442 \u043e\u0431\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0443.<\/li>\n<li>\u041e\u0431\u0440\u0430\u0442\u043d\u044b\u0439 \u043f\u0440\u043e\u043a\u0441\u0438 \u0434\u0435\u043b\u0430\u0435\u0442 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435, \u0435\u0441\u043b\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d cookie.<\/li>\n<li>\u0415\u0441\u043b\u0438 cookie \u043d\u0435\u0442, \u0434\u0435\u043b\u0430\u0435\u0442\u0441\u044f \u0437\u0430\u043f\u0440\u043e\u0441 \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<\/li>\n<li>\u0421\u0435\u0440\u0432\u0438\u0441 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 \u043b\u043e\u0433\u0438\u043d \u0438 \u043f\u0430\u0440\u043e\u043b\u044c, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0447\u0435\u0440\u0435\u0437 \u043e\u0431\u0440\u0430\u0449\u0435\u043d\u0438\u0435 \u043a LDAP \u0441\u0435\u0440\u0432\u0435\u0440\u0443.<\/li>\n<li>\u0415\u0441\u043b\u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0443\u0441\u043f\u0435\u0448\u043d\u0430, \u043e\u043d \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442 cookie \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u0430 \u0441\u0435\u0440\u0432\u0438\u0441.<\/li>\n<\/ul>\n<p>  <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/n_\/e_\/7j\/n_e_7jmjle2qbyc35vfpv_0p7e4.jpeg\" alt=\"\u0421\u0445\u0435\u043c\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438\"><\/p>\n<p>  <\/p>\n<p>\u0410\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u044b\u043c \u0432\u0430\u0440\u0438\u0430\u043d\u0442\u043e\u043c \u043c\u043e\u0436\u0435\u0442 \u044f\u0432\u043b\u044f\u0442\u044c\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0433\u043e \u043c\u043e\u0434\u0443\u043b\u044f \u0434\u043b\u044f nginx, \u043d\u043e \u044f \u0434\u0430\u043d\u043d\u044b\u0439 \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u0437\u0434\u0435\u0441\u044c \u043d\u0435 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u044e \u0441 \u0441\u0438\u043b\u0443 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u0440\u043e\u0431\u043b\u0435\u043c \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u043c\u043e\u0434\u0443\u043b\u0435\u043c \u0438 \u043c\u0435\u043d\u044c\u0448\u0435\u0439 \u0435\u0433\u043e \u0433\u0438\u0431\u043a\u043e\u0441\u0442\u0438.<\/p>\n<p>  <\/p>\n<p>\u0414\u043e\u0440\u0430\u0431\u043e\u0442\u0430\u043d\u043d\u044b\u0439 \u043e\u0431\u0440\u0430\u0437 \u0434\u043b\u044f OpenLDAP \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0435\u0441\u0442\u044c <a href=\"https:\/\/github.com\/artiomn\/nginx-proxy-ldap\">\u0437\u0434\u0435\u0441\u044c<\/a>.<\/p>\n<p>  <\/p>\n<h2 id=\"autentifikaciya-konteynerov\">\u0410\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432<\/h2>\n<p>  <\/p>\n<p>\u0412 \u0440\u0430\u043c\u043a\u0430\u0445 NAS, \u0441\u0435\u0440\u0432\u0438\u0441\u044b \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 \u0432 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430\u0445, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0435\u0441\u0442\u044c \u0436\u0435\u043b\u0430\u043d\u0438\u0435 \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u0442\u0430\u043a, \u0447\u0442\u043e\u0431\u044b \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u043f\u0435\u0440\u0435\u043a\u043b\u044e\u0447\u0430\u0442\u044c \u0440\u0435\u0436\u0438\u043c\u044b \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043f\u0440\u043e\u0441\u0442\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0432 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430.<\/p>\n<p>  <\/p>\n<p>\u0422\u0430\u043a\u043e\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0443\u0436\u0435 \u0435\u0441\u0442\u044c \u0432 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u043e\u043c <a href=\"https:\/\/github.com\/jwilder\/nginx-proxy\">\u043e\u0431\u0440\u0430\u0437\u0435 ngingx-proxy<\/a> \u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d \u043e\u043d \u0447\u0435\u0440\u0435\u0437 \u0448\u0430\u0431\u043b\u043e\u043d\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0435\u0442 <a href=\"https:\/\/github.com\/jwilder\/docker-gen\">docker-gen<\/a>.<br \/>  \u041e\u043d \u043f\u043e\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0432 \u0448\u0430\u0431\u043b\u043e\u043d \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u043d\u044b\u0445 \u0432 \u0434\u0430\u043d\u043d\u044b\u0439 \u043c\u043e\u043c\u0435\u043d\u0442 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 Docker.<\/p>\n<p>  <\/p>\n<p>\u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0432\u0441\u0451 \u0447\u0442\u043e \u043d\u0430\u0434\u043e \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u2014 \u044d\u0442\u043e \u0434\u043e\u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0448\u0430\u0431\u043b\u043e\u043d \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u043e\u0431\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u043a\u0441\u0438 \u0442\u0430\u043a, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0438 \u043d\u0430\u043b\u0438\u0447\u0438\u0438 \u0443\u0441\u043b\u043e\u0432\u043d\u043e\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 \u0432 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0435, \u0431\u044b\u043b\u043e \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043e \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u0430 \u0441\u0435\u0440\u0432\u0438\u0441 \u0441\u043a\u0432\u043e\u0437\u043d\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0432 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0435.<\/p>\n<p>  <\/p>\n<p>\u0417\u0430\u0442\u0435\u043c, \u0432\u043d\u0435\u0441\u0442\u0438 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u0438\u0432\u044b \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e docker-compose.<\/p>\n<p>  <\/p>\n<h2 id=\"realizaciya-autentifikacii\">\u0420\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438<\/h2>\n<p>  <\/p>\n<h3 id=\"modifikaciya-shablona-konfiguracii-nginx-proxy\">\u041c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 nginx-proxy<\/h3>\n<p>  <\/p>\n<p>\u0412 \u043f\u0435\u0440\u0432\u0443\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043d\u043e\u0432\u044b\u0439 upstream, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043e\u0431\u0440\u0430\u0449\u0430\u0442\u044c\u0441\u044f \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0435:<\/p>\n<p>  <\/p>\n<pre><code class=\"nginx\">proxy_cache_path cache\/  keys_zone=auth_cache:10m;  upstream ldap-backend {         server {{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_LOGIN_PORT \"9000\" }}; }<\/code><\/pre>\n<p>  <\/p>\n<p>\u0412\u0438\u0434\u043d\u043e, \u0447\u0442\u043e \u0441\u0435\u0440\u0432\u0438\u0441 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043d\u0430 \u0445\u043e\u0441\u0442\u0435 <code>${LDAP_BACKEND}<\/code> \u0438 \u043f\u043e\u0440\u0442\u0443 <code>${LDAP_LOGIN_PORT }<\/code>, \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e 9000.<br \/>  \u0417\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u0431\u0443\u0434\u0443\u0442 \u043f\u043e\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u044b docker-gen \u0442\u0430\u043a, \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u0430\u044f \u0447\u0430\u0441\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433\u0430 \u0431\u0443\u0434\u0435\u0442 \u0432\u044b\u0433\u043b\u044f\u0434\u0435\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u0432 <code>\/etc\/nginx\/conf.d\/default.conf<\/code> \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430:<\/p>\n<p>  <\/p>\n<pre><code class=\"nginx\">### LDAP                                                                                                                   proxy_cache_path cache\/  keys_zone=auth_cache:10m;                               upstream ldap-backend {                                                                                                                                                                                                         server ldap-auth:9000;                                                                                                                                                                                          }                                                                                                                                                                                                                       ###<\/code><\/pre>\n<p>  <\/p>\n<p>\u0421\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0435 \u0434\u043e\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e <code>ext_ldap_auth<\/code>, \u0435\u0441\u043b\u0438 \u0432 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0435 \u043d\u0435\u043a\u043e\u0435\u0433\u043e \u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u0431\u044b\u043b\u0430 \u0432\u0437\u0432\u0435\u0434\u0435\u043d\u0430 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0430\u044f <code>LDAP_EXT_AUTH<\/code>.<br \/>  \u0422\u0430\u043a\u0436\u0435, \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u044e\u0442\u0441\u044f \u0435\u0449\u0451 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u0434\u043b\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<\/p>\n<p>  <\/p>\n<pre><code class=\"nginx\">{{\/* Nginx LDAP authentication enabled *\/}} {{ $ext_ldap_auth := parseBool (or (first (groupByKeys $containers \"Env.LDAP_EXT_AUTH\")) \"false\") }}  {{\/* User need to be participated in these groups to use service *\/}} {{ $ldap_add_groups := or (first (groupByKeys $containers \"Env.LDAP_EXT_ADD_GROUPS\")) \"\" }}  {{\/* Use HTML login page or HTTP Basic authentication *\/}} {{ $ldap_use_login_page := parseBool (or $.Env.LDAP_USE_LOGIN_PAGE \"false\" ) }}<\/code><\/pre>\n<p>  <\/p>\n<p>\u041e\u0441\u043d\u043e\u0432\u043d\u043e\u0439 \u0431\u043b\u043e\u043a \u0434\u043e\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0439 \u043f\u0440\u0438\u0432\u0435\u0434\u0451\u043d \u043d\u0438\u0436\u0435. \u041e\u043d \u0430\u043a\u0442\u0438\u0432\u0438\u0440\u0443\u0435\u0442\u0441\u044f, \u0442\u043e\u043b\u044c\u043a\u043e \u0435\u0441\u043b\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0430\u044f <code>ext_ldap_auth<\/code>.<br \/>  \u0415\u0441\u043b\u0438 <code>ldap_use_login_page<\/code> \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430, \u0442\u043e \u0431\u0443\u0434\u0435\u0442 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043e \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u0438\u043d\u0430\u0447\u0435 \u0431\u0443\u0434\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u043e \u043e\u043a\u043d\u043e \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 HTTP.<\/p>\n<p>  <\/p>\n<p>\u041f\u0443\u0442\u044c <code>\/auth-proxy<\/code> \u2014 \u044d\u0442\u043e \u0438 \u0435\u0441\u0442\u044c \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u0430 \u0441\u0435\u0440\u0432\u0438\u0441 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<br \/>  \u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0431\u0443\u0434\u0443\u0442 \u043f\u0435\u0440\u0435\u0434\u0430\u043d\u044b \u0447\u0435\u0440\u0435\u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 HTTP.<br \/>  \u041a\u0430\u043a\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0438 \u0434\u043b\u044f \u0447\u0435\u0433\u043e \u043d\u0443\u0436\u043d\u044b, \u0432\u043f\u043e\u043b\u043d\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e \u043e\u043f\u0438\u0441\u0430\u043d\u043e \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u044f\u0445.<\/p>\n<p>  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">LDAP \u0441\u0435\u043a\u0446\u0438\u044f<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"nginx\">        {{ if ($ext_ldap_auth) }}         ### LDAP          {{ if ($ldap_use_login_page) }}         location \/login-ldap {             proxy_pass http:\/\/{{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_LOGIN_PORT \"9000\" }};                 # Login service returns a redirect to the original URI                 # and sets the cookie for the ldap-auth daemon                 proxy_set_header X-Target $request_uri;                  proxy_pass_request_body off;                 proxy_set_header Content-Length \"\";                 proxy_cache auth_cache;                 proxy_cache_valid 200 10m;                  proxy_cache_key \"$http_authorization$cookie_nginxauth\";                  proxy_set_header X-CookieName \"nginxauth\";                 proxy_set_header Cookie nginxauth=$cookie_nginxauth;         }         {{ end }}      location = \/auth-proxy {         internal;                  # The ldap-auth daemon listens on port $LDAP_BACKEND_PORT (8888, by default), as set                 # in nginx-ldap-auth-daemon.py.                 # Change the IP address if the daemon is not running on                 # the same host as NGINX\/NGINX Plus.                 proxy_pass http:\/\/{{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_BACKEND_PORT \"8888\" }};                  proxy_pass_request_body off;                 proxy_set_header Content-Length \"\";                 proxy_cache auth_cache;                 proxy_cache_valid 200 10m;                  # The following directive adds the cookie to the cache key                 proxy_cache_key \"$http_authorization$cookie_nginxauth\";                  # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon                 # communicates with a LDAP server, passing in the following                 # parameters to specify which user account to authenticate. To                 # eliminate the need to modify the Python code, this file contains                 # 'proxy_set_header' directives that set the values of the                 # parameters. Set or change them as instructed in the comments.                 #                 #    Parameter      Proxy header                 #    -----------    ----------------                 #    url            X-Ldap-URL                 #    starttls       X-Ldap-Starttls                 #    basedn         X-Ldap-BaseDN                 #    binddn         X-Ldap-BindDN                 #    bindpasswd     X-Ldap-BindPass                 #    cookiename     X-CookieName                 #    realm          X-Ldap-Realm                 #    template       X-Ldap-Template                  # (Required) Set the URL and port for connecting to the LDAP server,                 # by replacing 'example.com'.                 # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.                 proxy_set_header X-Ldap-URL      \"{{ $.Env.LDAP_HOST }}\";                  # (Optional) Establish a TLS-enabled LDAP session after binding to the                 # LDAP server.                 # This is the 'proper' way to establish encrypted TLS connections, see                 # http:\/\/www.openldap.org\/faq\/data\/cache\/185.html                 {{ if eq (\"$.Env.LDAP_METHOD\") \"start_tls\" }}                 proxy_set_header X-Ldap-Starttls \"true\";                 {{ end }}                  # (Required) Set the Base DN, by replacing the value enclosed in                 # double quotes.                 proxy_set_header X-Ldap-BaseDN   \"{{ $.Env.LDAP_BASE }}\";                  # (Required) Set the Bind DN, by replacing the value enclosed in                 # double quotes.                 proxy_set_header X-Ldap-BindDN   \"{{ $.Env.LDAP_BIND_DN }}\";                  # (Required) Set the Bind password, by replacing 'secret'.                 proxy_set_header X-Ldap-BindPass \"{{ $.Env.LDAP_PASS }}\";                  # (Required) The following directives set the cookie name and pass                 # it, respectively. They are required for cookie-based                 # authentication. Comment them out if using HTTP basic                 # authentication.                 proxy_set_header X-CookieName \"nginxauth\";                 proxy_set_header Cookie nginxauth=$cookie_nginxauth;                  # (Required if using Microsoft Active Directory as the LDAP server)                 # Set the LDAP template by uncommenting the following directive.                 #proxy_set_header X-Ldap-Template \"(sAMAccountName=%(username)s)\";                  # (May be required if using Microsoft Active Directory and                 # getting \"In order to perform this operation a successful bind                 # must be completed on the connection.\" errror)                 #proxy_set_header X-Ldap-DisableReferrals \"true\";                  # (Optional if using OpenLDAP as the LDAP server) Set the LDAP                 # template by uncommenting the following directive and replacing                 # '(cn=%(username)s)' which is the default set in                 # nginx-ldap-auth-daemon.py.                 {{ $ldap_filter := $.Env.LDAP_USER_FILTER }}                 {{ $ldap_filter := (printf \"(&amp;%s%s)\" $ldap_filter $ldap_add_groups) }}                  proxy_set_header X-Ldap-Template \"{{ $ldap_filter }}\";                  # (Optional) Set the realm name, by uncommenting the following                 # directive and replacing 'Restricted' which is the default set                 # in nginx-ldap-auth-daemon.py.                 #proxy_set_header X-Ldap-Realm    \"Restricted\";         }         ### \/LDAP         {{ end }}<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  <\/p>\n<p>\u0418 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0435, \u043a\u043e\u0433\u0434\u0430 LDAP \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0434\u043b\u044f \u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0430, \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f <code>auth_request<\/code> \u0432 \u0435\u0433\u043e location:<\/p>\n<p>  <\/p>\n<pre><code class=\"nginx\">    location \/ {                 {{ if ($ext_ldap_auth) }}         auth_request \/auth-proxy;          {{ if ($ldap_use_login_page) }}         # redirect 401 to login form         # Comment them out if using HTTP basic authentication.         # or authentication popup won't show         error_page 401 =200 \/login-ldap;         {{ end }}         {{ end }} <\/code><\/pre>\n<p>  <\/p>\n<p>\u041d\u0438\u0436\u0435 \u043f\u0440\u0438\u0432\u0435\u0434\u0451\u043d \u043f\u043e\u043b\u043d\u044b\u0439 \u043b\u0438\u0441\u0442\u0438\u043d\u0433 \u0448\u0430\u0431\u043b\u043e\u043d\u0430.<\/p>\n<p>  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">nginx.tmpl<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"nginx\">{{ $CurrentContainer := where $ \"ID\" .Docker.CurrentContainerID | first }}  {{ define \"upstream\" }}     {{ if .Address }}         {{\/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT *\/}}         {{ if and .Container.Node.ID .Address.HostPort }}             # {{ .Container.Node.Name }}\/{{ .Container.Name }}             server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};         {{\/* If there is no swarm node or the port is not published on host, use container's IP:PORT *\/}}         {{ else if .Network }}             # {{ .Container.Name }}             server {{ .Network.IP }}:{{ .Address.Port }};         {{ end }}     {{ else if .Network }}         # {{ .Container.Name }}         {{ if .Network.IP }}             server {{ .Network.IP }} down;         {{ else }}             server 127.0.0.1 down;         {{ end }}     {{ end }}  {{ end }}  # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto {   default $http_x_forwarded_proto;   ''      $scheme; }  # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port {   default $http_x_forwarded_port;   ''      $server_port; }  # If we receive Upgrade, set Connection to \"upgrade\"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection {   default upgrade;   '' close; }  # Apply fix for very long server names server_names_hash_bucket_size 128;  # Default dhparam {{ if (exists \"\/etc\/nginx\/certs\/dhparam.pem\") }} ssl_dhparam \/etc\/nginx\/certs\/dhparam.pem; {{ end }}  # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl {   default off;   https on; }  gzip_types text\/plain text\/css application\/javascript application\/json application\/x-javascript text\/xml application\/xml application\/xml+rss text\/javascript;  log_format vhost '$host $remote_addr - $remote_user [$time_local] '                  '\"$request\" $status $body_bytes_sent '                  '\"$http_referer\" \"$http_user_agent\"';  access_log off;  {{ if $.Env.RESOLVERS }} resolver {{ $.Env.RESOLVERS }}; {{ end }}  {{ if (exists \"\/etc\/nginx\/proxy.conf\") }} include \/etc\/nginx\/proxy.conf; {{ else }} # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;  # Allow iframing. proxy_hide_header X-Frame-Options;  # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy \"\"; {{ end }}  ### LDAP  proxy_cache_path cache\/  keys_zone=auth_cache:10m;  upstream ldap-backend {         server {{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_LOGIN_PORT \"9000\" }}; }  ###  {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) \"\") \"true\" }} server {     server_name _; # This is just an invalid value which will never trigger on a real hostname.     listen 80;     {{ if $enable_ipv6 }}     listen [::]:80;     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;     return 503; }  {{ if (and (exists \"\/etc\/nginx\/certs\/default.crt\") (exists \"\/etc\/nginx\/certs\/default.key\")) }} server {     server_name _; # This is just an invalid value which will never trigger on a real hostname.     listen 443 ssl http2;     {{ if $enable_ipv6 }}     listen [::]:443 ssl http2;     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;     return 503;      ssl_session_tickets off;     ssl_certificate \/etc\/nginx\/certs\/default.crt;     ssl_certificate_key \/etc\/nginx\/certs\/default.key; } {{ end }}  {{ range $host, $containers := groupByMulti $ \"Env.VIRTUAL_HOST\" \",\" }}  {{ $host := trim $host }} {{ $is_regexp := hasPrefix \"~\" $host }} {{ $upstream_name := when $is_regexp (sha1 $host) $host }}  # {{ $host }} upstream {{ $upstream_name }} {  {{ range $container := $containers }}     {{ $addrLen := len $container.Addresses }}      {{ range $knownNetwork := $CurrentContainer.Networks }}         {{ range $containerNetwork := $container.Networks }}             {{ if (and (ne $containerNetwork.Name \"ingress\") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name \"host\"))) }}                 ## Can be connected with \"{{ $containerNetwork.Name }}\" network                  {{\/* If only 1 port exposed, use that *\/}}                 {{ if eq $addrLen 1 }}                     {{ $address := index $container.Addresses 0 }}                     {{ template \"upstream\" (dict \"Container\" $container \"Address\" $address \"Network\" $containerNetwork) }}                 {{\/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 *\/}}                 {{ else }}                     {{ $port := coalesce $container.Env.VIRTUAL_PORT \"80\" }}                     {{ $address := where $container.Addresses \"Port\" $port | first }}                     {{ template \"upstream\" (dict \"Container\" $container \"Address\" $address \"Network\" $containerNetwork) }}                 {{ end }}             {{ else }}                 # Cannot connect to network of this container                 server 127.0.0.1 down;             {{ end }}         {{ end }}     {{ end }} {{ end }} }  {{ $default_host := or ($.Env.DEFAULT_HOST) \"\" }} {{ $default_server := index (dict $host \"\" $default_host \"default_server\") $host }}  {{\/* Get the VIRTUAL_PROTO defined by containers w\/ the same vhost, falling back to \"http\" *\/}} {{ $proto := trim (or (first (groupByKeys $containers \"Env.VIRTUAL_PROTO\")) \"http\") }}  {{\/* Get the NETWORK_ACCESS defined by containers w\/ the same vhost, falling back to \"external\" *\/}} {{ $network_tag := or (first (groupByKeys $containers \"Env.NETWORK_ACCESS\")) \"external\" }}  {{\/* Get the HTTPS_METHOD defined by containers w\/ the same vhost, falling back to \"redirect\" *\/}} {{ $https_method := or (first (groupByKeys $containers \"Env.HTTPS_METHOD\")) \"redirect\" }}  {{\/* Get the SSL_POLICY defined by containers w\/ the same vhost, falling back to \"Mozilla-Intermediate\" *\/}} {{ $ssl_policy := or (first (groupByKeys $containers \"Env.SSL_POLICY\")) \"Mozilla-Intermediate\" }}  {{\/* Get the HSTS defined by containers w\/ the same vhost, falling back to \"max-age=31536000\" *\/}} {{ $hsts := or (first (groupByKeys $containers \"Env.HSTS\")) \"max-age=31536000\" }}  {{\/* Get the VIRTUAL_ROOT By containers w\/ use fastcgi root *\/}} {{ $vhost_root := or (first (groupByKeys $containers \"Env.VIRTUAL_ROOT\")) \"\/var\/www\/public\" }}  {{\/* Nginx LDAP authentication enabled *\/}} {{ $ext_ldap_auth := parseBool (or (first (groupByKeys $containers \"Env.LDAP_EXT_AUTH\")) \"false\") }}  {{\/* User need to be participated in these groups to use service *\/}} {{ $ldap_add_groups := or (first (groupByKeys $containers \"Env.LDAP_EXT_ADD_GROUPS\")) \"\" }}  {{\/* Use HTML login page or HTTP Basic authentication *\/}} {{ $ldap_use_login_page := parseBool (or $.Env.LDAP_USE_LOGIN_PAGE \"false\" ) }}  {{\/* Get the first cert name defined by containers w\/ the same vhost *\/}} {{ $certName := (first (groupByKeys $containers \"Env.CERT_NAME\")) }}  {{\/* Get the best matching cert  by name for the vhost. *\/}} {{ $vhostCert := (closest (dir \"\/etc\/nginx\/certs\") (printf \"%s.crt\" $host))}}  {{\/* vhostCert is actually a filename so remove any suffixes since they are added later *\/}} {{ $vhostCert := trimSuffix \".crt\" $vhostCert }} {{ $vhostCert := trimSuffix \".key\" $vhostCert }}  {{\/* Use the cert specified on the container or fallback to the best vhost match *\/}} {{ $cert := (coalesce $certName $vhostCert) }}  {{ $is_https := (and (ne $https_method \"nohttps\") (ne $cert \"\") (or (and (exists (printf \"\/etc\/nginx\/certs\/letsencrypt\/live\/%s\/fullchain.pem\" $cert)) (exists (printf \"\/etc\/nginx\/certs\/letsencrypt\/live\/%s\/privkey.pem\" $cert))) (and (exists (printf \"\/etc\/nginx\/certs\/%s.crt\" $cert)) (exists (printf \"\/etc\/nginx\/certs\/%s.key\" $cert)))) ) }}  {{ if $is_https }}  {{ if eq $https_method \"redirect\" }} server {     server_name {{ $host }};     listen 80 {{ $default_server }};     {{ if $enable_ipv6 }}     listen [::]:80 {{ $default_server }};     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;      return 301 https:\/\/$host$request_uri; } {{ end }}  server {     server_name {{ $host }};     listen 443 ssl http2 {{ $default_server }};     {{ if $enable_ipv6 }}     listen [::]:443 ssl http2 {{ $default_server }};     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;      {{ if eq $network_tag \"internal\" }}     # Only allow traffic from internal clients     include \/etc\/nginx\/network_internal.conf;     {{ end }}      {{ if eq $ssl_policy \"Mozilla-Modern\" }}     ssl_protocols TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';     {{ else if eq $ssl_policy \"Mozilla-Intermediate\" }}     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';     {{ else if eq $ssl_policy \"Mozilla-Old\" }}     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';     {{ else if eq $ssl_policy \"AWS-TLS-1-2-2017-01\" }}     ssl_protocols TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';     {{ else if eq $ssl_policy \"AWS-TLS-1-1-2017-01\" }}     ssl_protocols TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';     {{ else if eq $ssl_policy \"AWS-2016-08\" }}     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';     {{ else if eq $ssl_policy \"AWS-2015-05\" }}     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';     {{ else if eq $ssl_policy \"AWS-2015-03\" }}     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';     {{ else if eq $ssl_policy \"AWS-2015-02\" }}     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';     {{ end }}      ssl_prefer_server_ciphers on;     ssl_session_timeout 5m;     ssl_session_cache shared:SSL:50m;     ssl_session_tickets off;          {{ if (and (exists (printf \"\/etc\/nginx\/certs\/letsencrypt\/live\/%s\/fullchain.pem\" $cert)) (exists (printf \"\/etc\/nginx\/certs\/letsencrypt\/live\/%s\/privkey.pem\" $cert))) }}     ssl_certificate \/etc\/nginx\/certs\/letsencrypt\/live\/{{ (printf \"%s\/fullchain.pem\" $cert) }};     ssl_certificate_key \/etc\/nginx\/certs\/letsencrypt\/live\/{{ (printf \"%s\/privkey.pem\" $cert) }};         {{ else if (and (exists (printf \"\/etc\/nginx\/certs\/%s.crt\" $cert)) (exists (printf \"\/etc\/nginx\/certs\/%s.key\" $cert))) }}     ssl_certificate \/etc\/nginx\/certs\/{{ (printf \"%s.crt\" $cert) }};     ssl_certificate_key \/etc\/nginx\/certs\/{{ (printf \"%s.key\" $cert) }};     {{ end }}      {{ if (exists (printf \"\/etc\/nginx\/certs\/%s.dhparam.pem\" $cert)) }}     ssl_dhparam {{ printf \"\/etc\/nginx\/certs\/%s.dhparam.pem\" $cert }};     {{ end }}      {{ if (exists (printf \"\/etc\/nginx\/certs\/%s.chain.pem\" $cert)) }}     ssl_stapling on;     ssl_stapling_verify on;     ssl_trusted_certificate {{ printf \"\/etc\/nginx\/certs\/%s.chain.pem\" $cert }};     {{ end }}      {{ if (and (ne $https_method \"noredirect\") (ne $hsts \"off\")) }}     add_header Strict-Transport-Security \"{{ trim $hsts }}\" always;     {{ end }}      {{ if (exists (printf \"\/etc\/nginx\/vhost.d\/%s\" $host)) }}     include {{ printf \"\/etc\/nginx\/vhost.d\/%s\" $host }};     {{ else if (exists \"\/etc\/nginx\/vhost.d\/default\") }}     include \/etc\/nginx\/vhost.d\/default;     {{ end }}          {{ if ($ext_ldap_auth) }}         ### LDAP          {{ if ($ldap_use_login_page) }}         location \/login-ldap {             proxy_pass http:\/\/{{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_LOGIN_PORT \"9000\" }};                 # Login service returns a redirect to the original URI                 # and sets the cookie for the ldap-auth daemon                 proxy_set_header X-Target $request_uri;                  proxy_pass_request_body off;                 proxy_set_header Content-Length \"\";                 proxy_cache auth_cache;                 proxy_cache_valid 200 10m;                  proxy_cache_key \"$http_authorization$cookie_nginxauth\";                  proxy_set_header X-CookieName \"nginxauth\";                 proxy_set_header Cookie nginxauth=$cookie_nginxauth;         }         {{ end }}      location = \/auth-proxy {         internal;                  # The ldap-auth daemon listens on port $LDAP_BACKEND_PORT (8888, by default), as set                 # in nginx-ldap-auth-daemon.py.                 # Change the IP address if the daemon is not running on                 # the same host as NGINX\/NGINX Plus.                 proxy_pass http:\/\/{{ $.Env.LDAP_BACKEND }}:{{ or $.Env.LDAP_BACKEND_PORT \"8888\" }};                  proxy_pass_request_body off;                 proxy_set_header Content-Length \"\";                 proxy_cache auth_cache;                 proxy_cache_valid 200 10m;                  # The following directive adds the cookie to the cache key                 proxy_cache_key \"$http_authorization$cookie_nginxauth\";                  # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon                 # communicates with a LDAP server, passing in the following                 # parameters to specify which user account to authenticate. To                 # eliminate the need to modify the Python code, this file contains                 # 'proxy_set_header' directives that set the values of the                 # parameters. Set or change them as instructed in the comments.                 #                 #    Parameter      Proxy header                 #    -----------    ----------------                 #    url            X-Ldap-URL                 #    starttls       X-Ldap-Starttls                 #    basedn         X-Ldap-BaseDN                 #    binddn         X-Ldap-BindDN                 #    bindpasswd     X-Ldap-BindPass                 #    cookiename     X-CookieName                 #    realm          X-Ldap-Realm                 #    template       X-Ldap-Template                  # (Required) Set the URL and port for connecting to the LDAP server,                 # by replacing 'example.com'.                 # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.                 proxy_set_header X-Ldap-URL      \"{{ $.Env.LDAP_HOST }}\";                  # (Optional) Establish a TLS-enabled LDAP session after binding to the                 # LDAP server.                 # This is the 'proper' way to establish encrypted TLS connections, see                 # http:\/\/www.openldap.org\/faq\/data\/cache\/185.html                 {{ if eq (\"$.Env.LDAP_METHOD\") \"start_tls\" }}                 proxy_set_header X-Ldap-Starttls \"true\";                 {{ end }}                  # (Required) Set the Base DN, by replacing the value enclosed in                 # double quotes.                 proxy_set_header X-Ldap-BaseDN   \"{{ $.Env.LDAP_BASE }}\";                  # (Required) Set the Bind DN, by replacing the value enclosed in                 # double quotes.                 proxy_set_header X-Ldap-BindDN   \"{{ $.Env.LDAP_BIND_DN }}\";                  # (Required) Set the Bind password, by replacing 'secret'.                 proxy_set_header X-Ldap-BindPass \"{{ $.Env.LDAP_PASS }}\";                  # (Required) The following directives set the cookie name and pass                 # it, respectively. They are required for cookie-based                 # authentication. Comment them out if using HTTP basic                 # authentication.                 proxy_set_header X-CookieName \"nginxauth\";                 proxy_set_header Cookie nginxauth=$cookie_nginxauth;                  # (Required if using Microsoft Active Directory as the LDAP server)                 # Set the LDAP template by uncommenting the following directive.                 #proxy_set_header X-Ldap-Template \"(sAMAccountName=%(username)s)\";                  # (May be required if using Microsoft Active Directory and                 # getting \"In order to perform this operation a successful bind                 # must be completed on the connection.\" errror)                 #proxy_set_header X-Ldap-DisableReferrals \"true\";                  # (Optional if using OpenLDAP as the LDAP server) Set the LDAP                 # template by uncommenting the following directive and replacing                 # '(cn=%(username)s)' which is the default set in                 # nginx-ldap-auth-daemon.py.                 {{ $ldap_filter := $.Env.LDAP_USER_FILTER }}                 {{ $ldap_filter := (printf \"(&amp;%s%s)\" $ldap_filter $ldap_add_groups) }}                  proxy_set_header X-Ldap-Template \"{{ $ldap_filter }}\";                  # (Optional) Set the realm name, by uncommenting the following                 # directive and replacing 'Restricted' which is the default set                 # in nginx-ldap-auth-daemon.py.                 #proxy_set_header X-Ldap-Realm    \"Restricted\";         }         ### \/LDAP         {{ end }}      location \/ {                 {{ if ($ext_ldap_auth) }}         auth_request \/auth-proxy;          {{ if ($ldap_use_login_page) }}         # redirect 401 to login form         # Comment them out if using HTTP basic authentication.         # or authentication popup won't show         error_page 401 =200 \/login-ldap;         {{ end }}         {{ end }}          {{ if eq $proto \"uwsgi\" }}         include uwsgi_params;         uwsgi_pass {{ trim $proto }}:\/\/{{ trim $upstream_name }};         {{ else if eq $proto \"fastcgi\" }}         root   {{ trim $vhost_root }};         include fastcgi.conf;         fastcgi_pass {{ trim $upstream_name }};         {{ else }}         proxy_pass {{ trim $proto }}:\/\/{{ trim $upstream_name }};         {{ end }}          {{ if (exists (printf \"\/etc\/nginx\/htpasswd\/%s\" $host)) }}         auth_basic  \"Restricted {{ $host }}\";         auth_basic_user_file    {{ (printf \"\/etc\/nginx\/htpasswd\/%s\" $host) }};         {{ end }}         {{ if (exists (printf \"\/etc\/nginx\/vhost.d\/%s_location\" $host)) }}         include {{ printf \"\/etc\/nginx\/vhost.d\/%s_location\" $host}};         {{ else if (exists \"\/etc\/nginx\/vhost.d\/default_location\") }}         include \/etc\/nginx\/vhost.d\/default_location;         {{ end }}     } }  {{ end }}  {{ if or (not $is_https) (eq $https_method \"noredirect\") }}  server {     server_name {{ $host }};     listen 80 {{ $default_server }};     {{ if $enable_ipv6 }}     listen [::]:80 {{ $default_server }};     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;      {{ if eq $network_tag \"internal\" }}     # Only allow traffic from internal clients     include \/etc\/nginx\/network_internal.conf;     {{ end }}      {{ if (exists (printf \"\/etc\/nginx\/vhost.d\/%s\" $host)) }}     include {{ printf \"\/etc\/nginx\/vhost.d\/%s\" $host }};     {{ else if (exists \"\/etc\/nginx\/vhost.d\/default\") }}     include \/etc\/nginx\/vhost.d\/default;     {{ end }}      location \/ {         {{ if eq $proto \"uwsgi\" }}         include uwsgi_params;         uwsgi_pass {{ trim $proto }}:\/\/{{ trim $upstream_name }};         {{ else if eq $proto \"fastcgi\" }}         root   {{ trim $vhost_root }};         include fastcgi.conf;         fastcgi_pass {{ trim $upstream_name }};         {{ else }}         proxy_pass {{ trim $proto }}:\/\/{{ trim $upstream_name }};         {{ end }}         {{ if (exists (printf \"\/etc\/nginx\/htpasswd\/%s\" $host)) }}         auth_basic  \"Restricted {{ $host }}\";         auth_basic_user_file    {{ (printf \"\/etc\/nginx\/htpasswd\/%s\" $host) }};         {{ end }}         {{ if (exists (printf \"\/etc\/nginx\/vhost.d\/%s_location\" $host)) }}         include {{ printf \"\/etc\/nginx\/vhost.d\/%s_location\" $host}};         {{ else if (exists \"\/etc\/nginx\/vhost.d\/default_location\") }}         include \/etc\/nginx\/vhost.d\/default_location;         {{ end }}     } }  {{ if (and (not $is_https) (exists \"\/etc\/nginx\/certs\/default.crt\") (exists \"\/etc\/nginx\/certs\/default.key\")) }} server {     server_name {{ $host }};     listen 443 ssl http2 {{ $default_server }};     {{ if $enable_ipv6 }}     listen [::]:443 ssl http2 {{ $default_server }};     {{ end }}     access_log \/var\/log\/nginx\/access.log vhost;     return 500;      ssl_certificate \/etc\/nginx\/certs\/default.crt;     ssl_certificate_key \/etc\/nginx\/certs\/default.key; } {{ end }}  {{ end }} {{ end }}<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  <\/p>\n<h3 id=\"modifikaciya-konfiguracii-docker-compose\">\u041c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 docker-compose<\/h3>\n<p>  <\/p>\n<p>\u0412 <code>docker-compose.yml<\/code> \u0431\u044b\u043b\u0438 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u044b:<\/p>\n<p>  <\/p>\n<ul>\n<li>\u041d\u043e\u0432\u044b\u0439 \u0441\u0435\u0440\u0432\u0438\u0441 &#171;ldap-auth&#187;, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 \u0437\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044e.<\/li>\n<li>\u0411\u043b\u043e\u043a \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445, \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u044e\u0449\u0438\u0445 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0441 LDAP \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c.<\/li>\n<\/ul>\n<p>  <\/p>\n<p>\u0422\u043e \u0447\u0442\u043e \u0437\u0430\u043f\u0438\u0441\u0430\u043d\u043e \u0432 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445, nginx \u043f\u0435\u0440\u0435\u0434\u0430\u0441\u0442 \u0441\u0435\u0440\u0432\u0438\u0441\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0447\u0435\u0440\u0435\u0437 HTTP \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438.<br \/>  \u041d\u0430\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 \u044f\u0441\u043d\u043e \u0438\u0437 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445, \u0442\u0430\u043a \u0447\u0442\u043e \u043e\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c\u0441\u044f \u044f \u043d\u0430 \u043d\u0438\u0445 \u043d\u0435 \u0431\u0443\u0434\u0443.<br \/>  \u041f\u043e\u043b\u043d\u044b\u0439 \u043a\u043e\u043d\u0444\u0438\u0433 \u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u043d\u0438\u0436\u0435.<\/p>\n<p>  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">docker-compose.yml<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"plaintext\">version: '2'  networks:   internal:   docker0:     external:       name: docker0  services:   ldap-auth:     image: linuxserver\/ldap-auth:latest     container_name: ldap-auth     networks:       - internal       - docker0     environment:       - TZ=Europe\/Moscow     expose:       - 8888       - 9000     restart: unless-stopped    nginx-proxy:     depends_on:       - ldap-auth     networks:       - internal       - docker0     restart: always     image: jwilder\/nginx-proxy     ports:       - \"80:80\"       - \"443:443\"     volumes:       - .\/certs:\/etc\/nginx\/certs:ro       - .\/vhost.d:\/etc\/nginx\/vhost.d       - .\/html:\/usr\/share\/nginx\/html       - \/var\/run\/docker.sock:\/tmp\/docker.sock:ro       - .\/local-config:\/etc\/nginx\/conf.d       - .\/nginx.tmpl:\/app\/nginx.tmpl     environment:       - DEFAULT_HOST=nas.nas       - LDAP_BACKEND=ldap-auth       #- LDAP_BACKEND_PORT=8888       #- LDAP_LOGIN_PORT=9000       - LDAP_HOST=ldap:\/\/172.21.0.1:389       #- LDAP_METHOD=start_tls       - LDAP_METHOD=plain       - LDAP_UID=uid       - LDAP_PASS=LDAP_PASSWORD       - LDAP_BASE=ou=users,dc=nas,dc=nas       - LDAP_BIND_DN=cn=readonly,dc=nas,dc=nas       - LDAP_USER_FILTER=(uid=%(username)s)       #- LDAP_USE_LOGIN_PAGE=true      labels:       - \"com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true\"    letsencrypt-dns:     image: adferrand\/letsencrypt-dns     restart: always     volumes:       - .\/certs\/letsencrypt:\/etc\/letsencrypt     environment:       - \"LETSENCRYPT_USER_MAIL=MAIL@MAIL.COM\"       - \"LEXICON_PROVIDER=cloudns\"       - \"LEXICON_OPTIONS=--delegated NAS.cloudns.cc\"       - \"LEXICON_PROVIDER_OPTIONS=--auth-id=CLOUDNS_ID --auth-password=CLOUDNS_PASSWORD\"<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  <\/p>\n<h2 id=\"ispolzovanie-servisom\">\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u043c<\/h2>\n<p>  <\/p>\n<p>\u0421\u043a\u0432\u043e\u0437\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u0432\u044b\u043a\u043b\u044e\u0447\u0435\u043d\u0430.<br \/>  \u0414\u043b\u044f \u0435\u0451 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0432 \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438 \u043d\u0443\u0436\u043d\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435:<\/p>\n<p>  <\/p>\n<ul>\n<li><code>LDAP_EXT_AUTH=true<\/code> \u2014 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<\/li>\n<li><code>LDAP_EXT_ADD_GROUPS=(memberOf=cn=users_cloud,ou=groups,dc=nas,dc=nas)<\/code> \u2014 \u043d\u0435\u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0444\u0438\u043b\u044c\u0442\u0440, \u0441\u043f\u0438\u0441\u043e\u043a \u0433\u0440\u0443\u043f\u043f, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0434\u043e\u043b\u0436\u0435\u043d \u0432\u0445\u043e\u0434\u0438\u0442\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c, \u0447\u0442\u043e\u0431\u044b \u0431\u044b\u0442\u044c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c. \u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438.<\/li>\n<\/ul>\n<p>  <\/p>\n<pre><code class=\"plaintext\">   environment:       - LDAP_EXT_AUTH=true       - LDAP_EXT_ADD_GROUPS=(memberOf=cn=users_cloud,ou=groups,dc=nas,dc=nas)<\/code><\/pre>\n<p>  <\/p>\n<h2 id=\"zaklyuchenie\">\u0417\u0430\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435<\/h2>\n<p>  <\/p>\n<p>\u0412 \u0446\u0435\u043b\u043e\u043c, \u0440\u0435\u0448\u0435\u043d\u0438\u0435 \u0443\u0436\u0435 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0435 \u0432\u0440\u0435\u043c\u044f \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0438 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442 \u043d\u0435 \u0442\u043e\u043b\u044c\u043a\u043e \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e, \u043d\u043e \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044e.<br \/>  \u0427\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0432 NAS \u043b\u044e\u0431\u044b\u0435 \u0441\u0435\u0440\u0432\u0438\u0441\u044b \u0432 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430\u0445, \u043d\u0435\u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e \u043e\u0442 \u0442\u043e\u0433\u043e \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0442 \u043b\u0438 \u043e\u043d\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e \u0447\u0435\u0440\u0435\u0437 LDAP.<\/p>\n<p>  <\/p>\n<p>\u0425\u043e\u0442\u044f \u0438\u043c\u0435\u044e\u0442\u0441\u044f \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b:<\/p>\n<p>  <\/p>\n<ul>\n<li>\u0411\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0435\u0435 \u0438 \u0443\u0434\u043e\u0431\u043d\u0435\u0435 \u0434\u043b\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u044c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0447\u0435\u0440\u0435\u0437 HTML \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443, \u0432\u043a\u043b\u044e\u0447\u0438\u0432 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e <code>ldap_use_login_page<\/code>. \u041d\u043e \u044d\u0442\u043e\u0442 \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u0443 \u043c\u0435\u043d\u044f \u043d\u0435 \u0437\u0430\u0440\u0430\u0431\u043e\u0442\u0430\u043b. \u0411\u0443\u0434\u0435\u0442 \u0432\u0440\u0435\u043c\u044f \u2014 \u0440\u0430\u0437\u0431\u0435\u0440\u0443\u0441\u044c.<\/li>\n<li>\u041d\u0435\u0443\u0434\u043e\u0431\u043d\u043e \u0437\u0430\u0434\u0430\u0432\u0430\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u0433\u0440\u0443\u043f\u043f. \u042f \u0432\u044b\u043d\u0443\u0436\u0434\u0435\u043d \u0431\u044b\u043b \u0434\u0435\u043b\u0430\u0442\u044c LDAP \u0444\u0438\u043b\u044c\u0442\u0440, \u0430 \u043d\u0435 \u0441\u043f\u0438\u0441\u043e\u043a, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f docker-gen \u043d\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u043c\u043d\u0435 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043d\u0443\u0436\u043d\u0443\u044e \u0441\u0442\u0440\u043e\u043a\u0443.<\/li>\n<\/ul>\n<p>  <\/p>\n<p>\u041a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e NAS \u0432\u044b \u043c\u043e\u0436\u0435\u0442\u0435 \u043d\u0430\u0439\u0442\u0438 \u0432 <a href=\"https:\/\/github.com\/artiomn\/NAS\">\u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0438<\/a>.<\/p>\n<\/div>\n<p>               <script class=\"js-mediator-script\">!function(e){function t(t,n){if(!(n in e)){for(var r,a=e.document,i=a.scripts,o=i.length;o--;)if(-1!==i[o].src.indexOf(t)){r=i[o];break}if(!r){r=a.createElement(\"script\"),r.type=\"text\/javascript\",r.async=!0,r.defer=!0,r.src=t,r.charset=\"UTF-8\";var d=function(){var e=a.getElementsByTagName(\"script\")[0];e.parentNode.insertBefore(r,e)};\"[object Opera]\"==e.opera?a.addEventListener?a.addEventListener(\"DOMContentLoaded\",d,!1):e.attachEvent(\"onload\",d):d()}}}t(\"\/\/mediator.mail.ru\/script\/2820404\/\",\"_mediator\")}(window);<\/script>     <br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habr.com\/ru\/post\/456894\/\"> https:\/\/habr.com\/ru\/post\/456894\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\n<div class=\"post__text post__text-html js-mediator-article\">\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/er\/pm\/ew\/erpmewjegcpdjjgb6aobbkf3yda.jpeg\"><\/p>\n<p>  <\/p>\n<p>\u041e\u0434\u043d\u0430 \u0438\u0437 \u0434\u043e\u0441\u0430\u0434\u043d\u044b\u0445 \u043f\u0440\u043e\u0431\u043b\u0435\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0441\u0442\u0430\u044e\u0442 \u043f\u0440\u0438 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0438 NAS, \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043d\u0435 \u0432\u0441\u044f\u043a\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u0435 \u043c\u043e\u0436\u0435\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0441 LDAP, \u0430 <a href=\"https:\/\/github.com\/d0u9\/youtube-dl-webui\">\u043d\u0435\u043a\u043e\u0442\u043e\u0440\u043e\u0435<\/a> \u0432\u043e\u043e\u0431\u0449\u0435 \u043d\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u0432 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-291869","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/291869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=291869"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/291869\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=291869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=291869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=291869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}