eole-lemonldap/tmpl/portal-apache2.X.conf

#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================

# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"

# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng

# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
    ServerName %%authWebName
    SSLEngine on
    SSLCertificateFile    %%server_cert
    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/portal_error.log
    CustomLog /var/log/apache2/portal_access.log common

    # See above to set LLNG user id in Apache logs
    #CustomLog /var/log/apache2/portal.log llng

    # DocumentRoot (FCGI scripts)
    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Allow from all
        </IfVersion>
        Options +ExecCGI +FollowSymLinks
    </Directory>
    RewriteEngine On
    # For performances, you can put static html files: simply put the HTML
    # result (example: /oauth2/checksession.html) as static file. Then
    # uncomment the following line.
    # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]

    # Note that Content-Security-Policy header is generated by portal itself
    <Files *.fcgi>
        SetHandler fcgid-script

        # Authorization header needs to be passed when using Kerberos or OIDC
        <IfVersion >= 2.4.13>
            CGIPassAuth On
        </IfVersion>
        <IfVersion < 2.4.13>
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        </IfVersion>

        Options +ExecCGI
        header unset Lm-Remote-User
    </Files>

    # Uncomment this if status is enabled
    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321

    # Static files
    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
        Require all granted
        Options +FollowSymLinks
    </Directory>
    <Location /static/>
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>

    <IfModule mod_dir.c>
        DirectoryIndex index.fcgi index.html
    </IfModule>

    # REST/SOAP functions for sessions management (disabled by default)
    <Location /index.fcgi/adminSessions>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for configuration access (disabled by default)
    <Location /index.fcgi/config>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for notification insertion (disabled by default)
    <Location /index.fcgi/notification>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # Enable compression
    <Location />
        <IfModule mod_deflate.c>
                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
                SetOutputFilter DEFLATE
                BrowserMatch ^Mozilla/4 gzip-only-text/html
                BrowserMatch ^Mozilla/4\.0[678] no-gzip
                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        </IfModule>
        <IfModule mod_headers.c>
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>

    # Uncomment this if site if you use SSL only
    #Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
Make LemonLDAP::NG useable with Apache2 Ref: #30852 2020-10-14 13:18:15 +02:00			`#====================================================================`
			`# Apache configuration for LemonLDAP::NG Portal`
			`#====================================================================`

			`# Uncomment this if no previous NameVirtualHost declaration`
			`#NameVirtualHost "*:80"`

			`# To insert LLNG user id in Apache logs, declare this format and use it in`
			`# CustomLog directive`
			`#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng`

			`# Portal Virtual Host (auth.example.com)`
			`<VirtualHost %%adresse_ip_eth0:443>`
			`ServerName %%authWebName`
			`SSLEngine on`
Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one 2020-12-02 11:52:11 +01:00			`SSLCertificateFile %%server_cert`
			`SSLCertificateKeyFile %%server_key`
Make LemonLDAP::NG useable with Apache2 Ref: #30852 2020-10-14 13:18:15 +02:00			`SSLCertificateChainFile /etc/ssl/certs/ca_local.crt`
			`SSLProtocol all -SSLv3 -SSLv2`
			`SSLProxyEngine on`

Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one 2020-12-02 11:52:11 +01:00			`LogLevel %%lm_loglevel`
Make LemonLDAP::NG useable with Apache2 Ref: #30852 2020-10-14 13:18:15 +02:00			`ErrorLog /var/log/apache2/portal_error.log`
			`CustomLog /var/log/apache2/portal_access.log common`

			`# See above to set LLNG user id in Apache logs`
			`#CustomLog /var/log/apache2/portal.log llng`

			`# DocumentRoot (FCGI scripts)`
			`DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/`
			`<Directory /usr/share/lemonldap-ng/portal/htdocs/>`
			`<IfVersion >= 2.3>`
			`Require all granted`
			`</IfVersion>`
			`<IfVersion < 2.3>`
			`Order Deny,Allow`
			`Allow from all`
			`</IfVersion>`
			`Options +ExecCGI +FollowSymLinks`
			`</Directory>`
			`RewriteEngine On`
			`# For performances, you can put static html files: simply put the HTML`
			`# result (example: /oauth2/checksession.html) as static file. Then`
			`# uncomment the following line.`
			`# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"`
			`RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static\|javascript\|favicon).\|.\.fcgi(?:/.*)?)$"`
			`RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]`

			`# Note that Content-Security-Policy header is generated by portal itself`
			`<Files *.fcgi>`
			`SetHandler fcgid-script`

			`# Authorization header needs to be passed when using Kerberos or OIDC`
			`<IfVersion >= 2.4.13>`
			`CGIPassAuth On`
			`</IfVersion>`
			`<IfVersion < 2.4.13>`
			`RewriteCond %{HTTP:Authorization} ^(.*)`
			`RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]`
			`</IfVersion>`

			`Options +ExecCGI`
			`header unset Lm-Remote-User`
			`</Files>`

			`# Uncomment this if status is enabled`
			`#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321`

			`# Static files`
			`Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/`
			`<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>`
			`Require all granted`
			`Options +FollowSymLinks`
			`</Directory>`
			`<Location /static/>`
			`<IfModule mod_expires.c>`
			`ExpiresActive On`
			`ExpiresDefault "access plus 1 month"`
			`</IfModule>`
			`</Location>`

			`<IfModule mod_dir.c>`
			`DirectoryIndex index.fcgi index.html`
			`</IfModule>`

			`# REST/SOAP functions for sessions management (disabled by default)`
			`<Location /index.fcgi/adminSessions>`
			`<IfVersion >= 2.3>`
			`Require all denied`
			`</IfVersion>`
			`<IfVersion < 2.3>`
			`Order Deny,Allow`
			`Deny from all`
			`</IfVersion>`
			`</Location>`

			`# REST/SOAP functions for sessions access (disabled by default)`
			`<Location /index.fcgi/sessions>`
			`<IfVersion >= 2.3>`
			`Require all denied`
			`</IfVersion>`
			`<IfVersion < 2.3>`
			`Order Deny,Allow`
			`Deny from all`
			`</IfVersion>`
			`</Location>`

			`# REST/SOAP functions for configuration access (disabled by default)`
			`<Location /index.fcgi/config>`
			`<IfVersion >= 2.3>`
			`Require all denied`
			`</IfVersion>`
			`<IfVersion < 2.3>`
			`Order Deny,Allow`
			`Deny from all`
			`</IfVersion>`
			`</Location>`

			`# REST/SOAP functions for notification insertion (disabled by default)`
			`<Location /index.fcgi/notification>`
			`<IfVersion >= 2.3>`
			`Require all denied`
			`</IfVersion>`
			`<IfVersion < 2.3>`
			`Order Deny,Allow`
			`Deny from all`
			`</IfVersion>`
			`</Location>`

			`# Enable compression`
			`<Location />`
			`<IfModule mod_deflate.c>`
			`AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css`
			`SetOutputFilter DEFLATE`
			`BrowserMatch ^Mozilla/4 gzip-only-text/html`
			`BrowserMatch ^Mozilla/4\.0[678] no-gzip`
			`BrowserMatch \bMSIE !no-gzip !gzip-only-text/html`
			`SetEnvIfNoCase Request_URI \.(?:gif\|jpe?g\|png)$ no-gzip dont-vary`
			`</IfModule>`
			`<IfModule mod_headers.c>`
			`Header append Vary User-Agent env=!dont-vary`
			`</IfModule>`
			`</Location>`

			`# Uncomment this if site if you use SSL only`
			`#Header set Strict-Transport-Security "max-age=15768000"`
			`</VirtualHost>`