Cadoles
/
eole-lemonldap
20
0
Fork 0
Code Issues 11 Pull Requests Releases Wiki Activity

Importation des fichiers de configuration

This commit is contained in:
Benjamin Bohard 2019-07-12 11:03:25 +02:00
parent 6c3adaab2b
commit 30e142fa98
4 changed files with 156 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
tmpl/handler-nginx.conf
View File

@ -12,49 +12,37 @@
# IMPORTANT: # IMPORTANT:
# To protect applications, see test-nginx.conf template in example files # To protect applications, see test-nginx.conf template in example files
%if %%getVar("revprox_hash_bucket_size", "non") == "non"
server_names_hash_bucket_size %%nginxBucketSize;
%end if
# Log format # Log format
include /etc/lemonldap-ng/nginx-lmlog.conf; include /etc/lemonldap-ng/nginx-lmlog.conf;
#access_log /var/log/nginx/access.log lm_combined; #access_log /var/log/nginx/access.log lm_combined;
server { server {
listen 80; listen 80;
server_name %%reloadWebName; server_name reload.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /var/www/html; root /var/www/html;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
location = /reload { location = /reload {
allow 127.0.0.1; allow 127.0.0.1;
%for ipaddr in %%ip_ssh_eth0
allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0);
%end for
deny all; deny all;
# FastCGI configuration
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload; fastcgi_param LLTYPE reload;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE reload;
} }
# Client requests # Client requests
@ -62,15 +50,20 @@ server {
deny all; deny all;
# Uncomment this if you use https only # Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000"; #add_header Strict-Transport-Security "max-age=15768000";
} }
# Uncomment this if status is enabled # Uncomment this if status is enabled
#location = /status { #location = /status {
# allow 127.0.0.1; # allow 127.0.0.1;
# deny all; # deny all;
# # FastCGI configuration
# include /etc/nginx/fastcgi_params; # include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status; # fastcgi_param LLTYPE status;
# # OR TO USE uWSGI
# #include /etc/nginx/uwsgi_params;
# #uwsgi_pass 127.0.0.1:5000;
# #uwsgi_param LLTYPE status;
#} #}
} }

60
tmpl/manager-nginx.conf
View File

@ -1,48 +1,49 @@
server { server {
listen 80; listen 80;
server_name %%managerWebName; server_name manager.example.com;
return 301 https://$host$request_uri; root /usr/share/lemonldap-ng/manager/htdocs/;
} # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app;
server { # Uncomment this if you are running behind a reverse proxy and want
listen 443; # LemonLDAP::NG to see the real IP address of the end user
ssl on; # Adjust the settings to match the IP address of your reverse proxy
%if %%cert_type == "letsencrypt" # and the header containing the original IP address
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; # As an alternative, you can use the PROXY protocol
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; #
%else #set_real_ip_from 127.0.0.1;
ssl_certificate %%server_cert; #real_ip_header X-Forwarded-For;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%managerWebName;
error_page 403 404 502 503 504 /nginx.html; if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
location = /nginx.html{
root /usr/share/nginx/www;
}
if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
rewrite ^/(.*)$ /manager.psgi/$1 break; rewrite ^/(.*)$ /manager.psgi/$1 break;
} }
location /manager.psgi { location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# FastCGI configuration
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager; fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
# Uncomment this if you use https only # Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000"; #add_header Strict-Transport-Security "max-age=15768000";
} }
location / { location / {
index manager.psgi; index manager.psgi;
try_files $uri $uri/ =404;
allow 127.0.0.0/8; allow 127.0.0.0/8;
deny all; deny all;
try_files $uri $uri/ =404;
} }
location /doc/ { location /doc/ {
@ -52,12 +53,8 @@ server {
location /lib/ { location /lib/ {
alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/; alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
} }
location /fr-doc/ {
alias /usr/share/doc/lemonldap-ng-fr-doc/;
index index.html start.html;
}
location /static/ { location /static/ {
alias /usr/share/lemonldap-ng/manager/static/; alias /usr/share/lemonldap-ng/manager/htdocs/static/;
} }
# DEBIAN # DEBIAN
@ -65,4 +62,5 @@ server {
#location /javascript/ { #location /javascript/ {
# alias /usr/share/javascript/; # alias /usr/share/javascript/;
#} #}
} }

126
tmpl/portal-nginx.conf
View File

@ -1,93 +1,85 @@
## map directive must be in http context
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
server { server {
listen 80; listen 80;
server_name %%authWebName; server_name auth.example.com;
return 301 https://$host$request_uri; root /usr/share/lemonldap-ng/portal/htdocs/;
} # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app;
server { # Uncomment this if you are running behind a reverse proxy and want
listen 443; # LemonLDAP::NG to see the real IP address of the end user
ssl on; # Adjust the settings to match the IP address of your reverse proxy
%if %%cert_type == "letsencrypt" # and the header containing the original IP address
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; # As an alternative, you can use the PROXY protocol
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; #
%else #set_real_ip_from 127.0.0.1;
ssl_certificate %%server_cert; #real_ip_header X-Forwarded-For;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name %%authWebName;
root /var/lib/lemonldap-ng/portal/;
location ~ \.pl(?:$|/) { if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
include /etc/nginx/fastcgi_params; rewrite ^/(.*)$ /index.psgi/$1 break;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $sn $request_uri;
if ($sn ~ "^(.*)\?") {
set $sn $1;
}
if ($sn ~ "^/index.pl") {
set $sn "/index.pl";
}
fastcgi_param SCRIPT_NAME $sn;
fastcgi_split_path_info ^(.*\.pl)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
} }
index index.pl; location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
# Uncomment this if you use Auth SSL:
#uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
}
index index.psgi;
location / { location / {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
# Uncomment this if you use https only # Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000"; #add_header Strict-Transport-Security "max-age=15768000";
} }
# SOAP functions for sessions management (disabled by default) location /static/ {
location /index.pl/adminSessions { alias /usr/share/lemonldap-ng/portal/htdocs/static/;
}
# REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all; deny all;
} }
# SOAP functions for sessions access (disabled by default) # REST/SOAP functions for sessions access (disabled by default)
location /index.pl/sessions { location /index.psgi/sessions {
deny all; deny all;
} }
# SOAP functions for configuration access (disabled by default) # REST/SOAP functions for configuration access (disabled by default)
location /index.pl/config { location /index.psgi/config {
deny all; deny all;
} }
# SOAP functions for notification insertion (disabled by default) # REST/SOAP functions for notification insertion (disabled by default)
location /index.pl/notification { location /index.psgi/notification {
deny all; deny all;
} }
# SAML2 Issuer
rewrite ^/saml/metadata /metadata.pl last;
rewrite ^/saml/.* /index.pl last;
# CAS Issuer
rewrite ^/cas/.* /index.pl;
# OpenID Issuer
rewrite ^/openidserver/.* /index.pl last;
# OpenID Connect Issuer
rewrite ^/oauth2/.* /index.pl last;
rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
# Get Issuer
rewrite ^/get/.* /index.pl;
# Public pages
rewrite ^/public.* /public.pl;
# DEBIAN # DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this # If install was made with USEDEBIANLIBS (official releases), uncomment this

68
tmpl/test-nginx.conf
View File

@ -1,38 +1,46 @@
server { server {
listen 80; listen 80;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local; server_name test1.example.com test2.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/; root /var/lib/lemonldap-ng/test/;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
# Internal authentication request # Internal authentication request
location = /lmauth { location = /lmauth {
internal; internal;
# FastCGI configuration
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# To use AuthBasic handler, uncomment this and remove "error_page 401"
# fastcgi_param LLTYPE authbasic;
# Drop post datas # Drop post datas
fastcgi_pass_request_body off; fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH ""; fastcgi_param CONTENT_LENGTH "";
# Keep original hostname # Keep original hostname
fastcgi_param HOST $http_host; fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri; fastcgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_pass_request_body off;
#uwsgi_param CONTENT_LENGTH "";
#uwsgi_param HOST $http_host;
#uwsgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#uwsgi_buffer_size 32k;
#uwsgi_buffers 32 32k;
} }
# Client requests # Client requests
@ -51,7 +59,7 @@ server {
auth_request /lmauth; auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user; auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location; auth_request_set $lmlocation $upstream_http_location;
# Uncomment this if CDA is used # If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie; #auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value; #add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler # Remove this for AuthBasic handler
@ -68,30 +76,37 @@ server {
# Set manually your headers # Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user; #auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser; #proxy_set_header Auth-User $authuser;
# OR in the correspondinc block # OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser; #fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie # Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie; #auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie; #proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block # OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie; #fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only # Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000"; #add_header Strict-Transport-Security "max-age=15768000";
# Set REMOTE_USER (for FastCGI apps only) # Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user; #fastcgi_param REMOTE_USER $lmremote_user;
} }
# Handle test CGI # Handle test CGI
location ~ \.pl$ { location ~ ^(?<sc>/.*\.pl)(?:$|/) {
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi; fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$; fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user; fastcgi_param REMOTE_USER $lmremote_user;
# Or with uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE cgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
} }
#location = /status { #location = /status {
@ -100,5 +115,10 @@ server {
# include /etc/nginx/fastcgi_params; # include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status; # fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;
## uwsgi_param LLTYPE status;
#} #}
} }