From 30e142fa98b258eaf4ac38ca9ba5c3821dba91c4 Mon Sep 17 00:00:00 2001
From: Benjamin Bohard
Date: Fri, 12 Jul 2019 11:03:25 +0200
Subject: [PATCH] Importation des fichiers de configuration
---
 tmpl/handler-nginx.conf | 55 ++++++++----------
 tmpl/manager-nginx.conf | 60 +++++++++----------
 tmpl/portal-nginx.conf | 126 +++++++++++++++++++---------------------
 tmpl/test-nginx.conf | 68 ++++++++++++++--------
 4 files changed, 156 insertions(+), 153 deletions(-)
diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf
index 8608782..3651d0d 100644
--- a/tmpl/handler-nginx.conf
+++ b/tmpl/handler-nginx.conf
@@ -12,49 +12,37 @@ # IMPORTANT: # To protect applications, see test-nginx.conf template in example files -%if %%getVar("revprox_hash_bucket_size", "non") == "non" -server_names_hash_bucket_size %%nginxBucketSize; -%end if - # Log format include /etc/lemonldap-ng/nginx-lmlog.conf; #access_log /var/log/nginx/access.log lm_combined; server { listen 80; - server_name %%reloadWebName; - return 301 https://$host$request_uri; -} - -server { - listen 443; - ssl on; -%if %%cert_type == "letsencrypt" - ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; - ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; -%else - ssl_certificate %%server_cert; - ssl_certificate_key %%server_key; -%end if - ssl_client_certificate /etc/ssl/certs/ca.crt; - access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; - server_name %%reloadWebName; - - error_page 403 404 502 503 504 /nginx.html; - location = /nginx.html{ - root /usr/share/nginx/www; - } + server_name reload.example.com; root /var/www/html; + # Uncomment this if you are running behind a reverse proxy and want + # LemonLDAP::NG to see the real IP address of the end user + # Adjust the settings to match the IP address of your reverse proxy + # and the header containing the original IP address + # As an alternative, you can use the PROXY protocol + # + #set_real_ip_from 127.0.0.1; + #real_ip_header X-Forwarded-For; + location = /reload { allow 127.0.0.1; -%for ipaddr in %%ip_ssh_eth0 - allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0); -%end for deny all; + + # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE reload; + + # OR TO USE uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_param LLTYPE reload; } # Client requests 
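Review bot: The new `/reload` block relies on `allow 127.0.0.1; deny all;`, but the `set_real_ip_from`/`real_ip_header X-Forwarded-For` lines added just above it, once uncommented, make `$remote_addr` — and therefore that allow list — come from a request header. If a proxy on 127.0.0.1 forwards the client's `X-Forwarded-For` unchanged instead of overwriting or appending to it, any client behind that proxy can present itself as 127.0.0.1 and trigger a configuration reload, and the same applies to the `/status` block further down in this file. I would document this next to the real_ip directives: `# WARNING: enabling real_ip makes the allow/deny lists on /reload and /status trust X-Forwarded-For; list only your proxy in set_real_ip_from and make sure it rewrites that header`. The commit also drops the per-host allow loop, so a manager running on another host can no longer reach `/reload` without editing this template; presumably intended, but worth a comment.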
@@ -62,15 +50,20 @@ server { deny all; # Uncomment this if you use https only - #add_header Strict-Transport-Security "15768000"; + #add_header Strict-Transport-Security "max-age=15768000"; } # Uncomment this if status is enabled #location = /status { # allow 127.0.0.1; # deny all; + # # FastCGI configuration # include /etc/nginx/fastcgi_params; # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # fastcgi_param LLTYPE status; + # # OR TO USE uWSGI + # #include /etc/nginx/uwsgi_params; + # #uwsgi_pass 127.0.0.1:5000; + # #uwsgi_param LLTYPE status; #} -} \ No newline at end of file +} diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf index 48e9d98..3c2deaa 100644 --- a/tmpl/manager-nginx.conf +++ b/tmpl/manager-nginx.conf 
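Review bot: The corrected `add_header Strict-Transport-Security "max-age=15768000"` is still missing `always`, so once uncommented it is only attached to 2xx/3xx responses and the 403s produced by the `deny all` in this same location go out without it; `#add_header Strict-Transport-Security "max-age=15768000" always;` is the form to ship. Note also that an `add_header` inside a location replaces every `add_header` inherited from the server level, so any other headers set there would have to be repeated here. The client-requests location containing this line opens before the hunk.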
@@ -1,48 +1,49 @@ server { listen 80; - server_name %%managerWebName; - return 301 https://$host$request_uri; -} + server_name manager.example.com; + root /usr/share/lemonldap-ng/manager/htdocs/; + # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf) + #access_log /var/log/nginx/portal.log lm_app; -server { - listen 443; - ssl on; -%if %%cert_type == "letsencrypt" - ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; - ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; -%else - ssl_certificate %%server_cert; - ssl_certificate_key %%server_key; -%end if - ssl_client_certificate /etc/ssl/certs/ca.crt; - access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; - server_name %%managerWebName; + # Uncomment this if you are running behind a reverse proxy and want + # LemonLDAP::NG to see the real IP address of the end user + # Adjust the settings to match the IP address of your reverse proxy + # and the header containing the original IP address + # As an alternative, you can use the PROXY protocol + # + #set_real_ip_from 127.0.0.1; + #real_ip_header X-Forwarded-For; - error_page 403 404 502 503 504 /nginx.html; - location = /nginx.html{ - root /usr/share/nginx/www; - } - - if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) { + if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) { rewrite ^/(.*)$ /manager.psgi/$1 break; } - location /manager.psgi { + location ~ ^(?/.*\.psgi)(?:$|/) { + + # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - fastcgi_param LLTYPE manager; + fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; + + # OR TO USE uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_param LLTYPE psgi; + #uwsgi_param SCRIPT_FILENAME $document_root$sc; + 
#uwsgi_param SCRIPT_NAME $sc; + # Uncomment this if you use https only - #add_header Strict-Transport-Security "15768000"; + #add_header Strict-Transport-Security "max-age=15768000"; } location / { index manager.psgi; + try_files $uri $uri/ =404; allow 127.0.0.0/8; deny all; - try_files $uri $uri/ =404; } location /doc/ { @@ -52,12 +53,8 @@ server { location /lib/ { alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/; } - location /fr-doc/ { - alias /usr/share/doc/lemonldap-ng-fr-doc/; - index index.html start.html; - } location /static/ { - alias /usr/share/lemonldap-ng/manager/static/; + alias /usr/share/lemonldap-ng/manager/htdocs/static/; } # DEBIAN @@ -65,4 +62,5 @@ server { #location /javascript/ { # alias /usr/share/javascript/; #} + } diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf index c7f0544..e063efd 100644 --- a/tmpl/portal-nginx.conf +++ b/tmpl/portal-nginx.conf 
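Review bot: The `allow 127.0.0.0/8; deny all;` in `location /` does not reach the manager application itself: the server-level `rewrite ^/(.*)$ /manager.psgi/$1 break` sends every non-static request to the regex location `~ ^(?<sc>/.*\.psgi)(?:$|/)`, which has no allow/deny of its own, so only the static files served by `try_files` are restricted to local clients. If the intent is a network restriction on the manager, repeat the two allow/deny lines inside the `.psgi` location (or declare them at server level); otherwise rely on the manager's own protection setting and drop the misleading lines. Separately, the location regex is displayed here as `(?/.*\.psgi)` with no group name, which nginx's PCRE would reject at config test; given the `$sc` references in the uwsgi lines below it, the intended pattern is presumably `(?<sc>/.*\.psgi)` and is worth checking in the actual file. The widened rewrite `^/(.*\.psgi|...)` now also lets any `*.psgi` under `/usr/share/lemonldap-ng/manager/htdocs/` be executed by the FastCGI server, which is fine only as long as nothing else is dropped into that document root.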
@@ -1,93 +1,85 @@ +## map directive must be in http context +# Uncomment this if you use Auth SSL: +#map $ssl_client_s_dn $ssl_client_s_dn_cn { +# default ""; +# ~/CN=(?[^/]+) $CN; +#} + server { listen 80; - server_name %%authWebName; - return 301 https://$host$request_uri; -} + server_name auth.example.com; + root /usr/share/lemonldap-ng/portal/htdocs/; + # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf) + #access_log /var/log/nginx/portal.log lm_app; -server { - listen 443; - ssl on; -%if %%cert_type == "letsencrypt" - ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; - ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; -%else - ssl_certificate %%server_cert; - ssl_certificate_key %%server_key; -%end if - ssl_client_certificate /etc/ssl/certs/ca.crt; - access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log; - server_name %%authWebName; - root /var/lib/lemonldap-ng/portal/; + # Uncomment this if you are running behind a reverse proxy and want + # LemonLDAP::NG to see the real IP address of the end user + # Adjust the settings to match the IP address of your reverse proxy + # and the header containing the original IP address + # As an alternative, you can use the PROXY protocol + # + #set_real_ip_from 127.0.0.1; + #real_ip_header X-Forwarded-For; - location ~ \.pl(?:$|/) { - include /etc/nginx/fastcgi_params; - fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - fastcgi_param LLTYPE cgi; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - set $sn $request_uri; - if ($sn ~ "^(.*)\?") { - set $sn $1; - } - if ($sn ~ "^/index.pl") { - set $sn "/index.pl"; - } - fastcgi_param SCRIPT_NAME $sn; - fastcgi_split_path_info ^(.*\.pl)(/.*)$; - fastcgi_param PATH_INFO $fastcgi_path_info; - # Uncomment this if you use Auth SSL: - #map $ssl_client_s_dn $ssl_client_s_dn_cn { - # default ""; - # ~/CN=(?[^/]+) $CN; - #} - #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn + if ($uri !~ 
^/((static|javascript|favicon).*|.*\.psgi)) { + rewrite ^/(.*)$ /index.psgi/$1 break; } - index index.pl; + location ~ ^(?/.*\.psgi)(?:$|/) { + # Note that Content-Security-Policy header is generated by portal itself + + # FastCGI configuration + include /etc/nginx/fastcgi_params; + fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; + fastcgi_param LLTYPE psgi; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_split_path_info ^(.*\.psgi)(/.*)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + # Uncomment this if you use Auth SSL: + #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; + + # OR TO USE uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_param LLTYPE psgi; + #uwsgi_param SCRIPT_FILENAME $document_root$sc; + #uwsgi_param SCRIPT_NAME $sc; + # Uncomment this if you use Auth SSL: + #uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; + + } + + index index.psgi; location / { try_files $uri $uri/ =404; # Uncomment this if you use https only - #add_header Strict-Transport-Security "15768000"; + #add_header Strict-Transport-Security "max-age=15768000"; } - # SOAP functions for sessions management (disabled by default) - location /index.pl/adminSessions { + location /static/ { + alias /usr/share/lemonldap-ng/portal/htdocs/static/; + } + + # REST/SOAP functions for sessions management (disabled by default) + location /index.psgi/adminSessions { deny all; } - # SOAP functions for sessions access (disabled by default) - location /index.pl/sessions { + # REST/SOAP functions for sessions access (disabled by default) + location /index.psgi/sessions { deny all; } - # SOAP functions for configuration access (disabled by default) - location /index.pl/config { + # REST/SOAP functions for configuration access (disabled by default) + location /index.psgi/config { deny all; } - # SOAP functions for notification insertion (disabled by default) - location /index.pl/notification { + # REST/SOAP functions 
for notification insertion (disabled by default) + location /index.psgi/notification { deny all; } - # SAML2 Issuer - rewrite ^/saml/metadata /metadata.pl last; - rewrite ^/saml/.* /index.pl last; - - # CAS Issuer - rewrite ^/cas/.* /index.pl; - - # OpenID Issuer - rewrite ^/openidserver/.* /index.pl last; - - # OpenID Connect Issuer - rewrite ^/oauth2/.* /index.pl last; - rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last; - - # Get Issuer - rewrite ^/get/.* /index.pl; - - # Public pages - rewrite ^/public.* /public.pl; # DEBIAN # If install was made with USEDEBIANLIBS (official releases), uncomment this diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf index ad83e3c..8dcf62b 100644 --- a/tmpl/test-nginx.conf +++ b/tmpl/test-nginx.conf 
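Review bot: The four `deny all` locations (`/index.psgi/adminSessions`, `/index.psgi/sessions`, `/index.psgi/config`, `/index.psgi/notification`) are plain prefix locations, and the regex location `~ ^(?<sc>/.*\.psgi)(?:$|/)` declared above them is tested first and matches all of these URIs, so the deny blocks never apply and those REST/SOAP endpoints are handed to the FastCGI server like any other portal path, leaving the portal's own configuration as the only control. Declaring them as `location ^~ /index.psgi/adminSessions { deny all; }` (and likewise for the other three) makes the prefix match win over the regex, which is what the "disabled by default" comments describe. This was already true of the old `.pl` locations, so it is not a regression, but the imported template should be fixed rather than inherit it. Also, this vhost now only has `listen 80` and the HSTS header stays commented out; if TLS is terminated on the reverse proxy hinted at by the real_ip comments, say so in the template, since this server receives user credentials.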
@@ -1,38 +1,46 @@ server { listen 80; - server_name test1.%%nom_domaine_local test2.%%nom_domaine_local; - return 301 https://$host$request_uri; -} - -server { - listen 443; - ssl on; - ssl_certificate %%server_cert; - ssl_certificate_key %%server_key; - ssl_client_certificate /etc/ssl/certs/ca.crt; - access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log; - - server_name test1.%%nom_domaine_local test2.%%nom_domaine_local; + server_name test1.example.com test2.example.com; root /var/lib/lemonldap-ng/test/; + # Uncomment this if you are running behind a reverse proxy and want + # LemonLDAP::NG to see the real IP address of the end user + # Adjust the settings to match the IP address of your reverse proxy + # and the header containing the original IP address + # As an alternative, you can use the PROXY protocol + # + #set_real_ip_from 127.0.0.1; + #real_ip_header X-Forwarded-For; # Internal authentication request location = /lmauth { internal; + + # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - # To use AuthBasic handler, uncomment this and remove "error_page 401" - # fastcgi_param LLTYPE authbasic; - # Drop post datas fastcgi_pass_request_body off; fastcgi_param CONTENT_LENGTH ""; - # Keep original hostname fastcgi_param HOST $http_host; - - # Keep original request (LLNG server will received /llauth) + # Keep original request (LLNG server will receive /lmauth) fastcgi_param X_ORIGINAL_URI $request_uri; + # Improve performances + #fastcgi_buffer_size 32k; + #fastcgi_buffers 32 32k; + + + # OR TO USE uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_pass_request_body off; + #uwsgi_param CONTENT_LENGTH ""; + #uwsgi_param HOST $http_host; + #uwsgi_param X_ORIGINAL_URI $request_uri; + # Improve performances + #uwsgi_buffer_size 32k; + #uwsgi_buffers 32 32k; } # Client requests 
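Review bot: The instructions for selecting the AuthBasic handler (`fastcgi_param LLTYPE authbasic;` together with removing `error_page 401`) are gone from the `/lmauth` block, while the `# Remove this for AuthBasic handler` comment that depends on them still appears in the client-requests location below, so a reader of the new template can no longer tell how to get there. I would restore a comment such as `# To use the AuthBasic handler, set LLTYPE to authbasic here and remove the error_page 401 line below`, unless that handler is never meant to be used with this template. Note also that this protected vhost is now plain `listen 80` with no TLS block, so the LLNG session cookie presented on every request is visible on the wire unless TLS is terminated in front of nginx.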
@@ -51,7 +59,7 @@ server { auth_request /lmauth; auth_request_set $lmremote_user $upstream_http_lm_remote_user; auth_request_set $lmlocation $upstream_http_location; - # Uncomment this if CDA is used + # If CDA is used, uncomment this #auth_request_set $cookie_value $upstream_http_set_cookie; #add_header Set-Cookie $cookie_value; # Remove this for AuthBasic handler @@ -68,30 +76,37 @@ server { # Set manually your headers #auth_request_set $authuser $upstream_http_auth_user; #proxy_set_header Auth-User $authuser; - # OR in the correspondinc block + # OR in the corresponding block #fastcgi_param HTTP_AUTH_USER $authuser; - # Then (if LUA not supported), change cookie header to hide LLNG cookie + # Then (if LUA is not supported), change cookie header to hide LLNG cookie #auth_request_set $lmcookie $upstream_http_cookie; #proxy_set_header Cookie: $lmcookie; # OR in the corresponding block #fastcgi_param HTTP_COOKIE $lmcookie; # Uncomment this if you use https only - #add_header Strict-Transport-Security "15768000"; + #add_header Strict-Transport-Security "max-age=15768000"; # Set REMOTE_USER (for FastCGI apps only) #fastcgi_param REMOTE_USER $lmremote_user; } # Handle test CGI - location ~ \.pl$ { + location ~ ^(?/.*\.pl)(?:$|/) { include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE cgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.pl)(/.+)$; fastcgi_param REMOTE_USER $lmremote_user; + + # Or with uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_param LLTYPE cgi; + #uwsgi_param SCRIPT_FILENAME $document_root$sc; + #uwsgi_param SCRIPT_NAME $sc; } #location = /status { 
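Review bot: The rewritten `location ~ ^(?<sc>/.*\.pl)(?:$|/)` block has no `auth_request` of its own, and the `auth_request /lmauth` declared inside `location /` is not inherited by a sibling location, so unless `auth_request` is also set at server level outside this hunk, `/index.pl` and any other `.pl` script are executed without the handler check and `fastcgi_param REMOTE_USER $lmremote_user` carries an empty value. Since nothing from `location /` applies here, the `auth_request`, the two `auth_request_set` lines and `error_page 401 $lmlocation` should be repeated at the top of this block. The regex is also shown here as `(?/.*\.pl)` without a group name, which nginx would reject; the `$sc` used by the uwsgi lines suggests `(?<sc>/.*\.pl)` was intended.
```nginx
  # Handle test CGI
  location ~ ^(?<sc>/.*\.pl)(?:$|/) {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    # … unchanged: fastcgi_params include, fastcgi_pass, LLTYPE cgi, SCRIPT_FILENAME, split_path_info, REMOTE_USER, uwsgi alternative …
```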
@@ -100,5 +115,10 @@ server { # include /etc/nginx/fastcgi_params; # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # fastcgi_param LLTYPE status; + + ### Or with uWSGI + ## include /etc/nginx/uwsgi_params; + ## uwsgi_pass 127.0.0.1:5000; + ## uwsgi_param LLTYPE status; #} }