From 30e142fa98b258eaf4ac38ca9ba5c3821dba91c4 Mon Sep 17 00:00:00 2001 From: Benjamin Bohard Date: Fri, 12 Jul 2019 11:03:25 +0200 Subject: [PATCH 1/3] Importation des fichiers de configuration --- tmpl/handler-nginx.conf | 55 ++++++++---------- tmpl/manager-nginx.conf | 60 +++++++++---------- tmpl/portal-nginx.conf | 126 +++++++++++++++++++--------------------- tmpl/test-nginx.conf | 68 ++++++++++++++-------- 4 files changed, 156 insertions(+), 153 deletions(-) diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf index 8608782..3651d0d 100644 --- a/tmpl/handler-nginx.conf +++ b/tmpl/handler-nginx.conf 
@@ -12,49 +12,37 @@
 # IMPORTANT:
 # To protect applications, see test-nginx.conf template in example files
-%if %%getVar("revprox_hash_bucket_size", "non") == "non"
-server_names_hash_bucket_size %%nginxBucketSize;
-%end if
-
 # Log format
 include /etc/lemonldap-ng/nginx-lmlog.conf;
 #access_log /var/log/nginx/access.log lm_combined;
 server {
 listen 80;
- server_name %%reloadWebName;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443;
- ssl on;
-%if %%cert_type == "letsencrypt"
- ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
- ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
-%else
- ssl_certificate %%server_cert;
- ssl_certificate_key %%server_key;
-%end if
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
- server_name %%reloadWebName;
-
- error_page 403 404 502 503 504 /nginx.html;
- location = /nginx.html{
- root /usr/share/nginx/www;
- }
+ server_name reload.example.com;
 root /var/www/html;
+ # Uncomment this if you are running behind a reverse proxy and want
+ # LemonLDAP::NG to see the real IP address of the end user
+ # Adjust the settings to match the IP address of your reverse proxy
+ # and the header containing the original IP address
+ # As an alternative, you can use the PROXY protocol
+ #
+ #set_real_ip_from 127.0.0.1;
+ #real_ip_header X-Forwarded-For;
+
 location = /reload {
 allow 127.0.0.1;
-%for ipaddr in %%ip_ssh_eth0
- allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0);
-%end for
 deny all;
+
+ # FastCGI configuration
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 fastcgi_param LLTYPE reload;
+
+ # OR TO USE uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE reload;
 }
 # Client requests
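Review bot: The removed `%if %%getVar("revprox_hash_bucket_size", "non") == "non"` / `server_names_hash_bucket_size %%nginxBucketSize;` block at the top of this hunk is the only place the template sized nginx's server-name hash, and the later re-templating in this series (the patch 2 hunk `@@ -18,17 +18,29 @@` of the same file) restores the TLS server blocks but not this directive. With the templated names (`%%reloadWebName`, `%%managerWebName`, `test1.%%nom_domaine_local`) a long hostname can make `nginx -t` fail with "could not build server_names_hash", so either keep the block or say in the commit why it is no longer needed. This looks like a deliberate import of the upstream example file; a one-line comment at the top noting which EOLE-specific directives were dropped would help the next reader.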
@@ -62,15 +50,20 @@ server {
 deny all;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
 # Uncomment this if status is enabled
 #location = /status {
 # allow 127.0.0.1;
 # deny all;
+ # # FastCGI configuration
 # include /etc/nginx/fastcgi_params;
 # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 # fastcgi_param LLTYPE status;
+ # # OR TO USE uWSGI
+ # #include /etc/nginx/uwsgi_params;
+ # #uwsgi_pass 127.0.0.1:5000;
+ # #uwsgi_param LLTYPE status;
 #}
-}
\ No newline at end of file
+}
diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf
index 48e9d98..3c2deaa 100644
--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
@@ -1,48 +1,49 @@
 server {
 listen 80;
- server_name %%managerWebName;
- return 301 https://$host$request_uri;
-}
+ server_name manager.example.com;
+ root /usr/share/lemonldap-ng/manager/htdocs/;
+ # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
+ #access_log /var/log/nginx/portal.log lm_app;
-server {
- listen 443;
- ssl on;
-%if %%cert_type == "letsencrypt"
- ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
- ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
-%else
- ssl_certificate %%server_cert;
- ssl_certificate_key %%server_key;
-%end if
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
- server_name %%managerWebName;
+ # Uncomment this if you are running behind a reverse proxy and want
+ # LemonLDAP::NG to see the real IP address of the end user
+ # Adjust the settings to match the IP address of your reverse proxy
+ # and the header containing the original IP address
+ # As an alternative, you can use the PROXY protocol
+ #
+ #set_real_ip_from 127.0.0.1;
+ #real_ip_header X-Forwarded-For;
- error_page 403 404 502 503 504 /nginx.html;
- location = /nginx.html{
- root /usr/share/nginx/www;
- }
-
- if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
+ if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
 rewrite ^/(.*)$ /manager.psgi/$1 break;
 }
- location /manager.psgi {
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+
+ # FastCGI configuration
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- fastcgi_param LLTYPE manager;
+ fastcgi_param LLTYPE psgi;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ # OR TO USE uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE psgi;
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
+ # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
 location / {
 index manager.psgi;
+ try_files $uri $uri/ =404;
 allow 127.0.0.0/8;
 deny all;
- try_files $uri $uri/ =404;
 }
 location /doc/ {
@@ -52,12 +53,8 @@ server {
 location /lib/ {
 alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
 }
- location /fr-doc/ {
- alias /usr/share/doc/lemonldap-ng-fr-doc/;
- index index.html start.html;
- }
 location /static/ {
- alias /usr/share/lemonldap-ng/manager/static/;
+ alias /usr/share/lemonldap-ng/manager/htdocs/static/;
 }
 # DEBIAN
@@ -65,4 +62,5 @@ server {
 #location /javascript/ {
 # alias /usr/share/javascript/;
 #}
+
 }
diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
index c7f0544..e063efd 100644
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
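Review bot: The new `location ~ ^(?/.*\.psgi)(?:$|/) {` shows a `(?` group with no name, yet the uWSGI lines added just below it reference `$sc` (`#uwsgi_param SCRIPT_FILENAME $document_root$sc;`), which only exists if that group is named `sc`; if the file really reads `(?/`, nginx rejects the regex at startup, whereas if the name was lost when this page was rendered there is nothing to fix. The same construct appears in the portal hunk (`@@ -1,93 +1,85 @@`) and in the test hunk (`@@ -68,30 +76,37 @@`, for `.pl`), so check all three together. Separately, `allow 127.0.0.0/8; deny all;` sits only in `location /`, while the `if ($uri !~ …) { rewrite ^/(.*)$ /manager.psgi/$1 break; }` above sends nearly every request, including `/`, into the `.psgi` location that carries no allow/deny; as far as this hunk shows, manager access control therefore rests on the LLNG handler protection rather than on nginx, and a comment on the `.psgi` location saying so would prevent the allow-list from being read as the control.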
@@ -1,93 +1,85 @@
+## map directive must be in http context
+# Uncomment this if you use Auth SSL:
+#map $ssl_client_s_dn $ssl_client_s_dn_cn {
+# default "";
+# ~/CN=(?[^/]+) $CN;
+#}
+
 server {
 listen 80;
- server_name %%authWebName;
- return 301 https://$host$request_uri;
-}
+ server_name auth.example.com;
+ root /usr/share/lemonldap-ng/portal/htdocs/;
+ # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
+ #access_log /var/log/nginx/portal.log lm_app;
-server {
- listen 443;
- ssl on;
-%if %%cert_type == "letsencrypt"
- ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
- ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
-%else
- ssl_certificate %%server_cert;
- ssl_certificate_key %%server_key;
-%end if
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
- server_name %%authWebName;
- root /var/lib/lemonldap-ng/portal/;
+ # Uncomment this if you are running behind a reverse proxy and want
+ # LemonLDAP::NG to see the real IP address of the end user
+ # Adjust the settings to match the IP address of your reverse proxy
+ # and the header containing the original IP address
+ # As an alternative, you can use the PROXY protocol
+ #
+ #set_real_ip_from 127.0.0.1;
+ #real_ip_header X-Forwarded-For;
- location ~ \.pl(?:$|/) {
- include /etc/nginx/fastcgi_params;
- fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- fastcgi_param LLTYPE cgi;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- set $sn $request_uri;
- if ($sn ~ "^(.*)\?") {
- set $sn $1;
- }
- if ($sn ~ "^/index.pl") {
- set $sn "/index.pl";
- }
- fastcgi_param SCRIPT_NAME $sn;
- fastcgi_split_path_info ^(.*\.pl)(/.*)$;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- # Uncomment this if you use Auth SSL:
- #map $ssl_client_s_dn $ssl_client_s_dn_cn {
- # default "";
- # ~/CN=(?[^/]+) $CN;
- #}
- #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
+ if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
+ rewrite ^/(.*)$ /index.psgi/$1 break;
 }
- index index.pl;
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+ # Note that Content-Security-Policy header is generated by portal itself
+
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ # Uncomment this if you use Auth SSL:
+ #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+
+ # OR TO USE uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE psgi;
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
+ # Uncomment this if you use Auth SSL:
+ #uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+
+ }
+
+ index index.psgi;
 location / {
 try_files $uri $uri/ =404;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
- # SOAP functions for sessions management (disabled by default)
- location /index.pl/adminSessions {
+ location /static/ {
+ alias /usr/share/lemonldap-ng/portal/htdocs/static/;
+ }
+
+ # REST/SOAP functions for sessions management (disabled by default)
+ location /index.psgi/adminSessions {
 deny all;
 }
- # SOAP functions for sessions access (disabled by default)
- location /index.pl/sessions {
+ # REST/SOAP functions for sessions access (disabled by default)
+ location /index.psgi/sessions {
 deny all;
 }
- # SOAP functions for configuration access (disabled by default)
- location /index.pl/config {
+ # REST/SOAP functions for configuration access (disabled by default)
+ location /index.psgi/config {
 deny all;
 }
- # SOAP functions for notification insertion (disabled by default)
- location /index.pl/notification {
+ # REST/SOAP functions for notification insertion (disabled by default)
+ location /index.psgi/notification {
 deny all;
 }
- # SAML2 Issuer
- rewrite ^/saml/metadata /metadata.pl last;
- rewrite ^/saml/.* /index.pl last;
-
- # CAS Issuer
- rewrite ^/cas/.* /index.pl;
-
- # OpenID Issuer
- rewrite ^/openidserver/.* /index.pl last;
-
- # OpenID Connect Issuer
- rewrite ^/oauth2/.* /index.pl last;
- rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
-
- # Get Issuer
- rewrite ^/get/.* /index.pl;
-
- # Public pages
- rewrite ^/public.* /public.pl;
 # DEBIAN
 # If install was made with USEDEBIANLIBS (official releases), uncomment this
diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf
index ad83e3c..8dcf62b 100644
--- a/tmpl/test-nginx.conf
+++ b/tmpl/test-nginx.conf
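Review bot: The `deny all` guards for `/index.psgi/adminSessions`, `/index.psgi/sessions`, `/index.psgi/config` and `/index.psgi/notification` are plain prefix locations, and the regex location `location ~ ^(?/.*\.psgi)(?:$|/)` declared earlier in the same server block also matches those URIs; under nginx's matching rules a regex location takes precedence over a prefix location that lacks `^~`, so as written those requests reach the PSGI handler and the deny is never evaluated. Giving each guard the `^~` modifier, e.g. `location ^~ /index.psgi/sessions { deny all; }`, makes nginx stop at the prefix match. Whether anything is actually exposed depends on the LLNG configuration enabling those REST/SOAP endpoints, which this hunk does not show, but the guards are labelled "disabled by default" and should hold on their own. The enclosing `server {}` block continues past the hunk.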
@@ -1,38 +1,46 @@
 server {
 listen 80;
- server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443;
- ssl on;
- ssl_certificate %%server_cert;
- ssl_certificate_key %%server_key;
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
-
- server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+ server_name test1.example.com test2.example.com;
 root /var/lib/lemonldap-ng/test/;
+ # Uncomment this if you are running behind a reverse proxy and want
+ # LemonLDAP::NG to see the real IP address of the end user
+ # Adjust the settings to match the IP address of your reverse proxy
+ # and the header containing the original IP address
+ # As an alternative, you can use the PROXY protocol
+ #
+ #set_real_ip_from 127.0.0.1;
+ #real_ip_header X-Forwarded-For;
 # Internal authentication request
 location = /lmauth {
 internal;
+
+ # FastCGI configuration
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- # To use AuthBasic handler, uncomment this and remove "error_page 401"
- # fastcgi_param LLTYPE authbasic;
-
 # Drop post datas
 fastcgi_pass_request_body off;
 fastcgi_param CONTENT_LENGTH "";
-
 # Keep original hostname
 fastcgi_param HOST $http_host;
-
- # Keep original request (LLNG server will received /llauth)
+ # Keep original request (LLNG server will receive /lmauth)
 fastcgi_param X_ORIGINAL_URI $request_uri;
+ # Improve performances
+ #fastcgi_buffer_size 32k;
+ #fastcgi_buffers 32 32k;
+
+
+ # OR TO USE uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+ #uwsgi_param HOST $http_host;
+ #uwsgi_param X_ORIGINAL_URI $request_uri;
+ # Improve performances
+ #uwsgi_buffer_size 32k;
+ #uwsgi_buffers 32 32k;
 }
 # Client requests
@@ -51,7 +59,7 @@ server {
 auth_request /lmauth;
 auth_request_set $lmremote_user $upstream_http_lm_remote_user;
 auth_request_set $lmlocation $upstream_http_location;
- # Uncomment this if CDA is used
+ # If CDA is used, uncomment this
 #auth_request_set $cookie_value $upstream_http_set_cookie;
 #add_header Set-Cookie $cookie_value;
 # Remove this for AuthBasic handler
@@ -68,30 +76,37 @@ server {
 # Set manually your headers
 #auth_request_set $authuser $upstream_http_auth_user;
 #proxy_set_header Auth-User $authuser;
- # OR in the correspondinc block
+ # OR in the corresponding block
 #fastcgi_param HTTP_AUTH_USER $authuser;
- # Then (if LUA not supported), change cookie header to hide LLNG cookie
+ # Then (if LUA is not supported), change cookie header to hide LLNG cookie
 #auth_request_set $lmcookie $upstream_http_cookie;
 #proxy_set_header Cookie: $lmcookie;
 # OR in the corresponding block
 #fastcgi_param HTTP_COOKIE $lmcookie;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 # Set REMOTE_USER (for FastCGI apps only)
 #fastcgi_param REMOTE_USER $lmremote_user;
 }
 # Handle test CGI
- location ~ \.pl$ {
+ location ~ ^(?/.*\.pl)(?:$|/) {
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 fastcgi_param LLTYPE cgi;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.pl)(/.+)$;
 fastcgi_param REMOTE_USER $lmremote_user;
+
+ # Or with uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE cgi;
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
 }
 #location = /status {
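Review bot: In the second hunk, `fastcgi_param REMOTE_USER $lmremote_user;` inside the widened `location ~ ^(?/.*\.pl)(?:$|/)` only carries an authenticated identity if `auth_request /lmauth;` runs for that location, and the hunk does not show whether this location is nested inside the `location /` block that sets `auth_request` and the `auth_request_set` lines, or is a sibling of it; a sibling location does not inherit `auth_request` from `location /`, in which case `.pl` scripts would be served without the handler check and with an empty `REMOTE_USER`. Worth confirming against the full file, and if it is a sibling, moving it inside `location /` or repeating `auth_request /lmauth;` and `auth_request_set $lmremote_user $upstream_http_lm_remote_user;` in it. The enclosing `server {}` block starts and ends outside both hunks.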
@@ -100,5 +115,10 @@ server {
 # include /etc/nginx/fastcgi_params;
 # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 # fastcgi_param LLTYPE status;
+
+ ### Or with uWSGI
+ ## include /etc/nginx/uwsgi_params;
+ ## uwsgi_pass 127.0.0.1:5000;
+ ## uwsgi_param LLTYPE status;
 #}
 }
From abb1d10a8790e218177a38aafd376a5e3ad7acb7 Mon Sep 17 00:00:00 2001 From: Benjamin Bohard Date: Fri, 12 Jul 2019 11:32:26 +0200 Subject: [PATCH 2/3] =?UTF-8?q?Reprise=20des=20fichiers=20de=20configurati?= =?UTF-8?q?on=20pour=20int=C3=A9gration=20au=20module=20EOLE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tmpl/handler-nginx.conf | 43 ++++++++++++++++++++--------------------- tmpl/manager-nginx.conf | 35 +++++++++++++++++++++------------ tmpl/portal-nginx.conf | 40 ++++++++++++++++---------------------- tmpl/test-nginx.conf | 34 +++++++++++++------------------- 4 files changed, 74 insertions(+), 78 deletions(-)
diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf
index 3651d0d..a4c4071 100644
--- a/tmpl/handler-nginx.conf
+++ b/tmpl/handler-nginx.conf
@@ -18,17 +18,29 @@ include /etc/lemonldap-ng/nginx-lmlog.conf;
 server {
 listen 80;
- server_name reload.example.com;
+ server_name %%reloadWebName;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443;
+ ssl on;
+%if %%cert_type == "letsencrypt"
+ ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
+ ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
+%else
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+%end if
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
+ server_name %%reloadWebName;
 root /var/www/html;
- # Uncomment this if you are running behind a reverse proxy and want
- # LemonLDAP::NG to see the real IP address of the end user
- # Adjust the settings to match the IP address of your reverse proxy
- # and the header containing the original IP address
- # As an alternative, you can use the PROXY protocol
- #
- #set_real_ip_from 127.0.0.1;
- #real_ip_header X-Forwarded-For;
+ error_page 403 404 502 503 504 /nginx.html;
+ location = /nginx.html{
+ root /usr/share/nginx/www;
+ }
 location = /reload {
 allow 127.0.0.1;
@@ -53,17 +65,4 @@ server {
 #add_header Strict-Transport-Security "max-age=15768000";
 }
- # Uncomment this if status is enabled
- #location = /status {
- # allow 127.0.0.1;
- # deny all;
- # # FastCGI configuration
- # include /etc/nginx/fastcgi_params;
- # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- # fastcgi_param LLTYPE status;
- # # OR TO USE uWSGI
- # #include /etc/nginx/uwsgi_params;
- # #uwsgi_pass 127.0.0.1:5000;
- # #uwsgi_param LLTYPE status;
- #}
 }
diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf
index 3c2deaa..ec288e5 100644
--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
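Review bot: In the restored TLS server block the Let's Encrypt branch loads `%%le_config_dir/live/%%managerWebName/cert.pem` and its key while the block's `server_name` is `%%reloadWebName`; unless the reload name is covered by the manager's certificate, reload calls to `https://%%reloadWebName/reload` (the URL the `reloadUrls` entry in this series uses) fail TLS validation. The expected lines would be `ssl_certificate %%le_config_dir/live/%%reloadWebName/fullchain.pem;` and `ssl_certificate_key %%le_config_dir/live/%%reloadWebName/privkey.pem;`, `fullchain.pem` because nginx needs the intermediate chain in `ssl_certificate` and Let's Encrypt's `cert.pem` is the leaf only. Also, `location = /reload` keeps only `allow 127.0.0.1; deny all;` as context: the `%for ipaddr in %%ip_ssh_eth0` allow list that patch 1 dropped is not restored here, so a caller on another host cannot trigger a reload — fine if everything is co-located, otherwise worth a comment or restoring. `listen 443;` plus `ssl on;` is the deprecated spelling; `listen 443 ssl;` is the current form (same in the manager, portal and test hunks of this patch).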
@@ -1,18 +1,29 @@
 server {
 listen 80;
- server_name manager.example.com;
- root /usr/share/lemonldap-ng/manager/htdocs/;
- # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
- #access_log /var/log/nginx/portal.log lm_app;
+ server_name %%managerWebName;
+ return 301 https://$host$request_uri;
+}
- # Uncomment this if you are running behind a reverse proxy and want
- # LemonLDAP::NG to see the real IP address of the end user
- # Adjust the settings to match the IP address of your reverse proxy
- # and the header containing the original IP address
- # As an alternative, you can use the PROXY protocol
- #
- #set_real_ip_from 127.0.0.1;
- #real_ip_header X-Forwarded-For;
+server {
+ listen 443;
+ ssl on;
+ %if %%cert_type == "letsencrypt"
+ ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
+ ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
+%else
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+%end if
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
+ server_name %%managerWebName;
+
+ error_page 403 404 502 503 504 /nginx.html;
+ location = /nginx.html{
+ root /usr/share/nginx/www;
+ }
+
+ root /usr/share/lemonldap-ng/manager/htdocs/;
 if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
 rewrite ^/(.*)$ /manager.psgi/$1 break;
diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
index e063efd..32464a1 100644
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
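Review bot: `+ %if %%cert_type == "letsencrypt"` is indented, unlike its own `%else`/`%end if` and the same block in the handler, portal and test templates where `%if` starts at column 0; if the template engine only honours directives at the start of a line, this `%if` is emitted literally into the nginx config and the `%else` is unmatched — confirm how the engine treats leading whitespace, and align it at column 0 either way. The `access_log` for this vhost is `/var/log/nginx/manager-lemon-ldap.access-ssl.log`, the same file the reload vhost in the handler template writes to, so two servers' access logs are merged; if that is intended, a comment on the line saying so avoids a later "fix", otherwise a per-vhost file keeps the audit trail separable. `ssl on;` with `listen 443;` is the deprecated form; `listen 443 ssl;` replaces both.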
@@ -7,19 +7,24 @@
 server {
 listen 80;
- server_name auth.example.com;
- root /usr/share/lemonldap-ng/portal/htdocs/;
- # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
- #access_log /var/log/nginx/portal.log lm_app;
+ server_name %%authWebName;
+ return 301 https://$host$request_uri;
+}
- # Uncomment this if you are running behind a reverse proxy and want
- # LemonLDAP::NG to see the real IP address of the end user
- # Adjust the settings to match the IP address of your reverse proxy
- # and the header containing the original IP address
- # As an alternative, you can use the PROXY protocol
- #
- #set_real_ip_from 127.0.0.1;
- #real_ip_header X-Forwarded-For;
+server {
+ listen 443;
+ ssl on;
+%if %%cert_type == "letsencrypt"
+ ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
+ ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
+%else
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+%end if
+ ssl_client_certificate /etc/ssl/certs/ca..crt;
+ access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
+ server_name %%authWebName;
+ root /usr/share/lemonldap-ng/portal/htdocs/;
 if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
 rewrite ^/(.*)$ /index.psgi/$1 break;
@@ -35,17 +40,6 @@ server {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
- # Uncomment this if you use Auth SSL:
- #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
-
- # OR TO USE uWSGI
- #include /etc/nginx/uwsgi_params;
- #uwsgi_pass 127.0.0.1:5000;
- #uwsgi_param LLTYPE psgi;
- #uwsgi_param SCRIPT_FILENAME $document_root$sc;
- #uwsgi_param SCRIPT_NAME $sc;
- # Uncomment this if you use Auth SSL:
- #uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
 }
diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf
index 8dcf62b..87e170f 100644
--- a/tmpl/test-nginx.conf
+++ b/tmpl/test-nginx.conf
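Review bot: `ssl_client_certificate /etc/ssl/certs/ca..crt;` has a doubled dot; the handler, manager and test templates in this same patch use `/etc/ssl/certs/ca.crt`, so this is presumably a typo that makes nginx fail to load the CA file for the portal vhost and reject the configuration. Change it to `ssl_client_certificate /etc/ssl/certs/ca.crt;`. Note also that no hunk sets `ssl_verify_client`, so the directive currently only loads the CA bundle; since the second hunk removes the commented `SSL_CLIENT_S_DN_CN` lines that client-certificate authentication relied on, a comment stating whether Auth SSL is still supported on this vhost (and that it needs `ssl_verify_client optional;`) would help the next reader.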
@@ -1,16 +1,19 @@
 server {
 listen 80;
- server_name test1.example.com test2.example.com;
- root /var/lib/lemonldap-ng/test/;
+ server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+ return 301 https://$host$request_uri;
+}
- # Uncomment this if you are running behind a reverse proxy and want
- # LemonLDAP::NG to see the real IP address of the end user
- # Adjust the settings to match the IP address of your reverse proxy
- # and the header containing the original IP address
- # As an alternative, you can use the PROXY protocol
- #
- #set_real_ip_from 127.0.0.1;
- #real_ip_header X-Forwarded-For;
+server {
+ listen 443;
+ ssl on;
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
+
+ server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+ root /var/lib/lemonldap-ng/test/;
 # Internal authentication request
 location = /lmauth {
@@ -30,17 +33,6 @@ server {
 #fastcgi_buffer_size 32k;
 #fastcgi_buffers 32 32k;
-
-
- # OR TO USE uWSGI
- #include /etc/nginx/uwsgi_params;
- #uwsgi_pass 127.0.0.1:5000;
- #uwsgi_pass_request_body off;
- #uwsgi_param CONTENT_LENGTH "";
- #uwsgi_param HOST $http_host;
- #uwsgi_param X_ORIGINAL_URI $request_uri;
- # Improve performances
- #uwsgi_buffer_size 32k;
- #uwsgi_buffers 32 32k;
 }
 # Client requests
From 73fb96c026434fe1755e5c70cc997a7b385fac6b Mon Sep 17 00:00:00 2001 From: Benjamin Bohard Date: Mon, 15 Jul 2019 10:40:26 +0200 Subject: [PATCH 3/3] Update configuration and dictionnary for v2.0 --- dicos/70_lemonldap_ng.xml | 10 +- tmpl/lemonldap-ng.ini | 8 +- tmpl/lmConf-1.json | 441 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 453 insertions(+), 6 deletions(-) create mode 100644 tmpl/lmConf-1.json
diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index 718c96f..bfede2a 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
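Review bot: The restored TLS block hard-codes `ssl_certificate %%server_cert;` / `ssl_certificate_key %%server_key;` with no `%if %%cert_type == "letsencrypt"` branch, unlike the handler, manager and portal templates in this same patch, so on a Let's Encrypt deployment the test vhosts would present the generic server certificate instead. If the test vhosts are deliberately left out of Let's Encrypt (they are `test1.`/`test2.` under `%%nom_domaine_local` rather than a dedicated name variable), a comment above the `ssl_certificate` line saying so would stop the next reader from "fixing" it; otherwise the same conditional should be copied here. `ssl on;` is the deprecated form here as well; `listen 443 ssl;` replaces it.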
@@ -2,12 +2,12 @@
-
-
-
-
-
+
+
+
+
+
diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini
index c41aba4..921810f 100644
--- a/tmpl/lemonldap-ng.ini
+++ b/tmpl/lemonldap-ng.ini
@@ -110,6 +110,12 @@ localStorageOptions={ \
 ; restart your server. This increase performances
 ;useLocalConf = 1
+; staticPrefix: relative (or URL) location of static HTML components
+staticPrefix = /static
+; location of HTML templates directory
+templateDir = /usr/share/lemonldap-ng/portal/templates
+; languages: available languages for portal interface
+languages = fr, en
 ; PORTAL CUSTOMIZATION
 ; Name of the skin
 portalSkin = %%llSkin
@@ -276,7 +282,7 @@ logLevel = warn
 staticPrefix = /static
 ;
 ; location of HTML templates directory
-templateDir = /usr/share/lemonldap-ng/manager/templates
+templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
 ; languages: available languages for manager interface
 languages = fr, en
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
new file mode 100644
index 0000000..80d4a31
--- /dev/null
+++ b/tmpl/lmConf-1.json
@@ -0,0 +1,441 @@ +%set %%ssoFilters = %%getSSOFilters +{ + "ldapGroupAttributeNameUser": "dn", + "cfgAuthorIP": "172.16.0.1", + "samlSPMetaDataXML": null, + "facebookAuthnLevel": 1, + "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", + "secureTokenAttribute": "uid", + "singleSession": 0, + "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", + "CAS_pgtFile": "/tmp/pgt.txt", + "cookieName": "lemonldap", + "slaveExportedVars": {}, + "whatToTrace": "_whatToTrace", + "oidcRPMetaDataOptions": {}, + "notifyDeleted": 1, + "useRedirectOnError": 1, + "samlSPMetaDataExportedAttributes": null, + "ldapPwdEnc": "utf-8", + "openIdSPList": "0;", + "samlNameIDFormatMapEmail": "mail", + "samlSPMetaDataOptions": null, + "issuerDBOpenIDRule": 1, + "casStorageOptions": {}, + "mailFrom": "noreply@%%nom_domaine_local", + "timeoutActivity": 0, + "oidcRPMetaDataExportedVars": {}, + "issuerDBSAMLActivation": 0, + "issuerDBCASPath": "^/%%casFolder/", + "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", + "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", + "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "exportedHeaders": { + "test1.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "test2.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "%%managerWebName": {} + }, + "vhostOptions": { + "%%managerWebName": { + "vhostHttps" : "1" + }, + "test1.%%nom_domaine_local": {}, + "test2.%%nom_domaine_local": {} + }, + "radiusAuthnLevel": 3, + "dbiAuthnLevel": 2, + "ldapPasswordResetAttribute": "pwdReset", + "ldapGroupObjectClass": "groupOfNames", + "apacheAuthnLevel": 4, + "samlNameIDFormatMapKerberos": "uid", + "groups": {}, + "securedCookie": 0, + "httpOnly": 1, + "yubikeyAuthnLevel": 3, + "ADPwdMaxAge": 0, + "samlUseQueryStringSpecific": 0, + 
"loginHistoryEnabled": 1, + "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", + "failedLoginNumber": 5, + "samlServicePrivateKeyEncPwd": "", + "portalForceAuthnInterval": 0, + "cfgLog": "", + "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "exportedVars": { + "UA": "HTTP_USER_AGENT", +%for att in %%casAttribute + "%%att": "%%att", +%end for +%set %%idx = 0 +%set %%size = %%len(%%ssoFilters) - 1 +%for key,value in %%ssoFilters + %if %%idx == %%size + "%%key": "%%value" + %else + "%%key": "%%value", + %end if + %set %%idx += 1 +%end for + }, + "notificationStorage": "File", + "applicationList": { + "1sample": { + "test2": { + "options": { + "name": "Application Test 2", + "logo": "thumbnail.png", + "uri": "https://test2.%%nom_domaine_local/", + "display": "auto", + "description": "The same simple application displaying authenticated user" + }, + "type": "application" + }, + "type": "category", + "catname": "Sample applications", + "test1": { + "type": "application", + "options": { + "description": "A simple application displaying authenticated user", + "uri": "https://test1.%%nom_domaine_local/", + "logo": "demo.png", + "display": "auto", + "name": "Application Test 1" + } + } + }, + "2administration": { + "notifications": { + "options": { + "name": "Notifications explorer", + "display": "auto", + "description": "Explore WebSSO notifications", + "uri": "https://%%managerWebName/notifications.pl", + "logo": "database.png" + }, + "type": "application" + }, + "manager": { + "options": { + "uri": "https://%%managerWebName/", + "display": "auto", + "description": "Configure LemonLDAP::NG WebSSO", + "logo": "configure.png", + "name": "WebSSO Manager" + }, + "type": "application" + }, + "type": "category", + "sessions": { + "type": "application", + "options": { + 
"description": "Explore WebSSO sessions", + "uri": "https://%%managerWebName/sessions.pl", + "logo": "database.png", + "display": "auto", + "name": "Sessions explorer" + } + }, + "catname": "Administration" + }, + "3documentation": { + "catname": "Documentation", + "officialwebsite": { + "type": "application", + "options": { + "name": "Offical Website", + "description": "Official LemonLDAP::NG Website", + "logo": "network.png", + "display": "on", + "uri": "http://lemonldap-ng.org/" + } + }, + "type": "category", + "localdoc": { + "options": { + "logo": "help.png", + "description": "Documentation supplied with LemonLDAP::NG", + "display": "on", + "uri": "http://%%managerWebName/doc/", + "name": "Local documentation" + }, + "type": "application" + } + } + }, + "userControl": "^[\\w\\.\\-@]+$", + "timeout": 72000, + "portalAntiFrame": 1, + "SMTPServer": "", + "ldapTimeout": 120, + "samlAuthnContextMapPasswordProtectedTransport": 3, + "ldapUsePasswordResetAttribute": 1, + "ldapPpolicyControl": 0, + "casAttributes": { +%for att in %%casAttribute + "%%att": "%%att.casLDAPAttribute", +%end for +%set %%idx = 0 +%set %%size = %%len(%%ssoFilters) - 1 +%for key,value in %%ssoFilters + %if %%idx == %%size + "%%key": "%%key" + %else + "%%key": "%%key", + %end if + %set %%idx += 1 +%end for + }, + "issuerDBSAMLPath": "^/saml/", + "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", + "portalDisplayAppslist": 1, + "confirmFormMethod": "post", + "domain": "%%nom_domaine_local", + "cfgNum": "1", + "authentication": "LDAP", + "samlNameIDFormatMapWindows": "uid", + "authChoiceModules": {}, + "ldapGroupAttributeName": "member", + "samlServicePrivateKeySigPwd": "", + "googleAuthnLevel": 1, + "successLoginNumber": 5, + "localSessionStorageOptions": { + "cache_root": "/tmp", + "namespace": "lemonldap-ng-sessions", + "default_expires_in": 600, + "directory_umask": "007", + "cache_depth": 3 + }, + 
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "portalRequireOldPassword": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", + "ADPwdExpireWarning": 0, + "yubikeyPublicIDSize": 12, + "ldapGroupAttributeNameGroup": "dn", + "oidcRPMetaDataOptionsExtraClaims": null, + "ldapGroupRecursive": 0, + "mailSubject": "[LemonLDAP::NG] Your new password", + "nginxCustomHandlers": {}, + "samlSPSSODescriptorAuthnRequestsSigned": 1, +%if %%llResetPassword == "oui" + "portalDisplayResetPassword": 1, +%else + "portalDisplayResetPassword": 0, +%end if + "openIdSreg_timezone": "_timezone", + "infoFormMethod": "get", + "openIdAuthnLevel": 1, + "openIdSreg_nickname": "uid", + "samlServicePublicKeyEnc": "", + "userDB": "LDAP", + "grantSessionRules": {}, + "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", + "reloadUrls": { + "%%reloadWebName": "https://%%reloadWebName/reload" + }, + "registerTimeout": 0, + "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", + "slaveAuthnLevel": 2, + "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "Soap": 1, +%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo') +%if %%RegisterDB == "Custom" + "registerDB": "Null", +%else + "registerDB": "%%RegisterDB", +%end if + "locationRules": { + "%%managerWebName": { + "default": "$uid eq \"%%lemonAdmin\"" + }, + "test1.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + }, + "test2.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + } + }, + "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "hideOldPassword": 0, +%if %%is_file(%%ldapBindUserPassword) + 
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", +%else + "managerPassword": "%%ldapBindUserPassword", +%end if + "authChoiceParam": "lmAuth", + "lwpSslOpts": {}, + "portalSkinRules": {}, + "issuerDBOpenIDPath": "^/openidserver/", + "redirectFormMethod": "get", + "portalDisplayRegister": 1, + "secureTokenMemcachedServers": "127.0.0.1:11211", + "notificationStorageOptions": { + "dirName": "/var/lib/lemonldap-ng/notifications" + }, + "browserIdAuthnLevel": 1, + "portalUserAttr": "_user", + "ldapVersion": 3, + "sessionDataToRemember": {}, + "samlNameIDFormatMapX509": "mail", + "managerDn": "%%ldapBindUserDN", + "mailSessionKey": "mail", + "openIdSreg_email": "mail", + "localSessionStorage": "Cache::FileCache", + "persistentStorage": "Apache::Session::File", + "mailOnPasswordChange": 0, + "captchaStorage": "Apache::Session::File", + "remoteGlobalStorageOptions": { + "proxy": "https://%%authWebName/index.pl/sessions", + "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService" + }, + "passwordDB": "LDAP", + "captcha_size": 6, + "mailCharset": "utf-8", + "facebookExportedVars": {}, + "nullAuthnLevel": 2, + "singleIP": 0, + "dbiExportedVars": {}, + "portalSkin": "bootstrap", + "storePassword": 0, + "hiddenAttributes": "_password", + "samlServicePrivateKeySig": "", + "globalStorage": "Apache::Session::File", + "notificationWildcard": "allusers", + "portalForceAuthn": 0, + "samlMetadataForceUTF8": 1, + "secureTokenUrls": ".*", + "secureTokenAllowOnError": 1, + "samlAuthnContextMapTLSClient": 5, + "ldapAllowResetExpiredPassword": 0, + "oidcOPMetaDataExportedVars": {}, + "notifyOther": 0, + "secureTokenExpiration": 60, + "captcha_mail_enabled": 0, + "samlStorageOptions": {}, + "samlOrganizationDisplayName": "Example", + "trustedProxies": "", + "secureTokenHeader": "Auth-Token", + "issuerDBCASActivation": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", + 
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "samlIDPMetaDataXML": {}, + "oidcStorageOptions": {}, + "cfgDate": 1519998069, + "samlAuthnContextMapPassword": 2, + "portalDisplayLoginHistory": 1, + "ldapPasswordResetAttributeValue": "TRUE", + "ldapServer": "%%ldapScheme://%%ldapServer", + "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", + "samlIDPMetaDataExportedAttributes": null, + "samlServicePrivateKeyEnc": "", + "useRedirectOnForbidden": 0, + "captcha_login_enabled": 0, + "https": 0, + "checkXSS": 1, + "ldapSetPassword": 0, + "portalPingInterval": 60000, + "captchaStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/captcha/" + }, + "useSafeJail": 1, + "registerDoneSubject": "[LemonLDAP::NG] Your new account", + "issuerDBCASRule": 1, + "samlAuthnContextMapKerberos": 4, + "ldapGroupAttributeNameSearch": "cn", + "logoutServices": {}, + "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, + "portalDisplayLogout": 1, + "issuerDBGetParameters": {}, + "googleExportedVars": {}, + "openIdSreg_fullname": "cn", + "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", + "demoExportedVars": { + "mail": "mail", + "uid": "uid", + "cn": "cn" + }, + "oidcOPMetaDataJSON": null, + "samlIdPResolveCookie": "lemonldapidp", + "samlRelayStateTimeout": 600, + "samlOrganizationURL": "https://auth.%%nom_domaine_local", + "globalStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/sessions", + "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" + }, + "ldapExportedVars": { + "mail": "mail", + "cn": "cn", + "uid": "uid" + }, + "webIDExportedVars": {}, + "activeTimer": 1, + "cda": 0, + "samlServicePublicKeySig": "", +%if %%llCheckLogins == "oui" + "portalCheckLogins": 1, +%else 
+ "portalCheckLogins": 0, +%end if + "CAS_authnLevel": 1, + "macros": { + "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" + }, + "samlIDPMetaDataOptions": null, + "twitterAuthnLevel": 1, + "openIdExportedVars": {}, + "captcha_register_enabled": 1, + "oidcOPMetaDataJWKS": null, + "webIDAuthnLevel": 1, + "issuerDBOpenIDActivation": "1", +%if %%is_empty(%%llResetUrl) + "mailUrl": "https://%%authWebName/mail.pl", +%else + "mailUrl": "%%llResetUrl", +%end if + "maintenance": 0, + "jsRedirect": 0, + "cfgAuthor": "Cadoles", + "persistentStorageOptions": { + "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock", + "Directory": "/var/lib/lemonldap-ng/psessions" + }, + "SSLAuthnLevel": 5, + "oidcServiceMetaDataAuthnContext": {}, + "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "notification": 1, + "ldapChangePasswordAsUser": 0, + "CAS_proxiedServices": {}, + "key": "e\"bTCt3*eU9^\\V%b", + "portal": "https://%%authWebName/", + "singleSessionUserByIP": 0, + "portalOpenLinkInNewWindow": 0, + "post": { + "test2.%%nom_domaine_local": {}, + "test1.%%nom_domaine_local": {}, + "%%managerWebName": {} + }, + "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost", + "issuerDBSAMLRule": 1, + "samlCommonDomainCookieActivation": 0, + "syslog": "", + "ldapBase": "%%ldapUserBaseDN", + "ldapAuthnLevel": 2, + "mailTimeout": 0, + "samlEntityID": "#PORTAL#/saml/metadata", + "oidcOPMetaDataOptions": null, + "samlSPSSODescriptorWantAssertionsSigned": 1, + "samlOrganizationName": "%%samlOrganizationName", +%if %%RegisterDB == "Custom" + "registerUrl": "%%llRegisterURL", +%else + "registerUrl": "https://%%authWebName/register.pl", +%end if + "casAccessControlPolicy": "none", + "multiValuesSeparator": ";", + "ldapPort": %%ldapServerPort +}