Update apache configuration templates

2019-09-02 17:32:04 +02:00 · 2019-09-02 17:32:04 +02:00 · 9dac24287e
parent 223e7cc2c6
commit 9dac24287e
6 changed files with 319 additions and 6 deletions
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@ -5,9 +5,9 @@
 		<file filelist='lemonng' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemonng' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemonng' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/manager-apache2.X.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
+		<file filelist='lemona2' name='/etc/lemonldap-ng/manager-apache2.4.conf' mkdir='True' rm='True'/>
+		<file filelist='lemona2' name='/etc/lemonldap-ng/handler-apache2.4.conf' mkdir='True' rm='True'/>
+		<file filelist='lemona2' name='/etc/lemonldap-ng/portal-apache2.4.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
 		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
--- a/posttemplate/70-lemon-nginx
+++ b/posttemplate/70-lemon-nginx
@ -16,14 +16,14 @@ do
   if [ -L /etc/nginx/sites-enabled/${SERVICE}-nginx.conf ];then
       rm /etc/nginx/sites-enabled/${SERVICE}-nginx.conf
   fi
-   if [ -L /etc/apache2/sites-enabled/${SERVICE}-apache2.conf ];then
-       a2dissite ${SERVICE}-apache2
+   if [ -L /etc/apache2/sites-enabled/${SERVICE}-apache2.4.conf ];then
+       a2dissite ${SERVICE}-apache2.4
   fi
   if [ "${ENABLE}" = 'oui' ];then
       if [ "${SERVER}" = 'nginx' ];then
           ln -s /etc/nginx/sites-available/${SERVICE}-nginx.conf /etc/nginx/sites-enabled/${SERVICE}-nginx.conf
       elif [ "${SERVER}" = 'apache2' ];then
-           a2ensite ${SERVICE}-apache2.conf
+           a2ensite ${SERVICE}-apache2.4.conf
       fi
   fi
 done
--- a/tmpl/handler-apache2.4.conf
+++ b/tmpl/handler-apache2.4.conf
@ -0,0 +1,52 @@
+#========================================================================
+# Apache configuration for LemonLDAP::NG Handler
+#========================================================================
+# This file implements the reload virtualhost that permits to reload
+# configuration without restarting server, and some common instructions.
+# You need then to declare this vhost in reloadUrls (in the manager
+# interface if this server doesn't host the manager itself):
+#
+#         KEY       :               VALUE
+#   host-or-IP:port :  http://reload.example.com/reload
+#
+# IMPORTANT:
+# To protect applications, see test-apache.conf template in example files
+
+# Load LemonLDAP::NG Handler
+PerlOptions +GlobalRequest
+PerlModule Lemonldap::NG::Handler::ApacheMP2
+
+# Common error page and security parameters
+ErrorDocument 403 https//%%authWebName/lmerror/403
+ErrorDocument 404 https//%%authWebName/lmerror/404
+ErrorDocument 500 https//%%authWebName/lmerror/500
+ErrorDocument 502 https//%%authWebName/lmerror/502
+ErrorDocument 503 https//%%authWebName/lmerror/503
+
+<VirtualHost *:443>
+    ServerName %%reloadWebName
+
+    # Configuration reload mechanism (only 1 per physical server is
+    # needed): choose your URL to avoid restarting Apache when
+    # configuration change
+    <Location /reload>
+        Require ip 127 ::1
+        SetHandler perl-script
+        PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
+    </Location>
+
+    # Uncomment this to activate status module
+    #<Location /status>
+    #    Require ip 127 ::1
+    #    SetHandler perl-script
+    #    PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
+    #    # You may have to uncomment the next directive to skip
+    #    # an upper PerlHeaderParserHandler directive
+    #    #PerlHeaderParserHandler Apache2::Const::DECLINED
+    #</Location>
+
+    # Uncomment this if site if you use SSL only
+    #Header set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
+
+
--- a/tmpl/manager-apache2.4.conf
+++ b/tmpl/manager-apache2.4.conf
@ -0,0 +1,102 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG Manager
+#====================================================================
+
+# To insert LLNG user id in Apache logs, declare this format and use it in
+# CustomLog directive
+#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
+
+# Manager virtual host (manager.__DNSDOMAIN__)
+<VirtualHost *:443>
+    ServerName %%managerWebName
+    LogLevel notice
+    # See above to set LLNG user id in Apache logs
+    #CustomLog $(APACHE_LOG_DIR)/manager.log llng
+    #ErrorLog $(APACHE_LOG_DIR)/lm_err.log
+    SSLEngine on
+    SSLCertificateFile    %%apache_cert
+    SSLCertificateKeyFile %%server_key
+    SSLProtocol all -SSLv3 -SSLv2
+
+    # Uncomment this if you are running behind a reverse proxy and want
+    # LemonLDAP::NG to see the real IP address of the end user
+    # Adjust the settings to match the IP address of your reverse proxy
+    # and the header containing the original IP address
+    #
+    #RemoteIPHeader X-Forwarded-For
+    #RemoteIPInternalProxy 127.0.0.1
+
+
+    # FASTCGI CONFIGURATION
+    # ---------------------
+
+    # 1) URI management
+    RewriteEngine on
+
+    # For performances, you can delete the previous RewriteRule line after
+    # puttings html files: simply put the HTML results of differents modules
+    # (configuration, sessions, notifications) as manager.html, sessions.html,
+    # notifications.html and uncomment the 2 following lines:
+    # DirectoryIndex manager.html
+    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+
+    # REST URLs
+    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
+    RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+    # 2) FastCGI engine
+
+    # You can choose any FastCGI system. Here is an example using mod_fcgid
+    # mod_fcgid configuration
+    FcgidMaxRequestLen 2000000
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    # If you want to use mod_fastcgi, replace lines below by:
+    #FastCgiServer /usr/share/lemonldap-ng/manager/htdocs/manager.fcgi
+
+    # GLOBAL CONFIGURATION
+    # --------------------
+
+    DocumentRoot /usr/share/lemonldap-ng/manager/htdocs
+
+    <Location />
+        Require all granted
+
+        <IfModule mod_deflate.c>
+            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+            SetOutputFilter DEFLATE
+            BrowserMatch ^Mozilla/4 gzip-only-text/html
+            BrowserMatch ^Mozilla/4\.0[678] no-gzip
+            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+            SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+            Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+
+    # Static files (javascripts, HTML forms,...)
+
+    Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static/
+    <Directory /usr/share/lemonldap-ng/manager/htdocs/static>
+        Require all granted
+        Options +FollowSymLinks
+    </Directory>
+
+    # On-line documentation
+    Alias /doc/ /usr/share/lemonldap-ng/htdocs/doc/
+    Alias /lib/ /usr/share/lemonldap-ng/htdocs/doc/pages/documentation/current/lib/
+    <Directory /usr/share/lemonldap-ng/htdocs/doc/>
+        Require all granted
+        ErrorDocument 404 /notfound.html
+        Options +FollowSymLinks
+        DirectoryIndex index.html start.html
+    </Directory>
+
+    # Uncomment this if site if you use SSL only
+    #Header set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
--- a/tmpl/portal-apache2.4.conf
+++ b/tmpl/portal-apache2.4.conf
@ -0,0 +1,112 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG Portal
+#====================================================================
+
+# To insert LLNG user id in Apache logs, declare this format and use it in
+# CustomLog directive
+#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
+
+# Portal Virtual Host (auth.__DNSDOMAIN__)
+<VirtualHost *:443>
+    ServerName auth.__DNSDOMAIN__
+    # See above to set LLNG user id in Apache logs
+    #CustomLog $(APACHE_LOG_DIR)/portal.log llng
+
+    # Uncomment this if you are running behind a reverse proxy and want
+    # LemonLDAP::NG to see the real IP address of the end user
+    # Adjust the settings to match the IP address of your reverse proxy
+    # and the header containing the original IP address
+    #
+    #RemoteIPHeader X-Forwarded-For
+    #RemoteIPInternalProxy 127.0.0.1
+
+    # DocumentRoot (FCGI scripts)
+    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs>
+        Require all granted
+        Options +ExecCGI +FollowSymLinks
+    </Directory>
+    RewriteEngine On
+    # For performances, you can put static html files: simply put the HTML
+    # result (example: /oauth2/checksession.html) as static file. Then
+    # uncomment the following line.
+    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
+    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+    # Note that Content-Security-Policy header is generated by portal itself
+    <Files *.fcgi>
+        SetHandler fcgid-script
+
+        # Authorization header needs to be passed when using Kerberos or OIDC
+        <IfVersion >= 2.4.13>
+            CGIPassAuth On
+        </IfVersion>
+        <IfVersion < 2.4.13>
+            RewriteCond %{HTTP:Authorization} ^(.*)
+            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
+        </IfVersion>
+
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    # Uncomment this if status is enabled
+    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
+
+    # Static files
+    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
+        Require all granted
+        Options +FollowSymLinks
+    </Directory>
+    <Location /static/>
+        <IfModule mod_expires.c>
+            ExpiresActive On
+            ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.fcgi index.html
+    </IfModule>
+
+    # REST/SOAP functions for sessions management (disabled by default)
+    <Location /index.fcgi/adminSessions>
+        Require all denied
+    </Location>
+
+    # REST/SOAP functions for sessions access (disabled by default)
+    <Location /index.fcgi/sessions>
+        Require all denied
+    </Location>
+
+    # REST/SOAP functions for configuration access (disabled by default)
+    <Location /index.fcgi/config>
+        Require all denied
+    </Location>
+
+    # REST/SOAP functions for notification insertion (disabled by default)
+    <Location /index.fcgi/notification>
+        Require all denied
+    </Location>
+
+    # Enabe compression
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+
+    # Uncomment this if site if you use SSL only
+    #Header set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
+
--- a/tmpl/test-apache2.4.conf
+++ b/tmpl/test-apache2.4.conf
@ -0,0 +1,47 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG sample applications
+#====================================================================
+
+PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
+
+# Sample application
+<VirtualHost __VHOSTLISTEN__>
+    ServerName test1.__DNSDOMAIN__
+    ServerAlias test2.__DNSDOMAIN__
+
+    # Uncomment this if you are running behind a reverse proxy and want
+    # LemonLDAP::NG to see the real IP address of the end user
+    # Adjust the settings to match the IP address of your reverse proxy
+    # and the header containing the original IP address
+    #
+    #RemoteIPHeader X-Forwarded-For
+    #RemoteIPInternalProxy 127.0.0.1
+
+    # SSO protection
+    PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
+
+    # DocumentRoot
+    DocumentRoot __TESTDIR__
+    <Directory __TESTDIR__>
+        Require all granted
+        Options +ExecCGI
+    </Directory>
+
+    # Perl script (application test is written in Perl)
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+
+        # Display Menu
+        PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
+
+    </Files>
+
+    # Directory index
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    # Uncomment this if site if you use SSL only
+    #Header set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>