diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 718c96f..bfede2a 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,12 +2,12 @@ - - - - - + + + + + diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf index 8608782..a4c4071 100644 --- a/tmpl/handler-nginx.conf +++ b/tmpl/handler-nginx.conf @@ -12,10 +12,6 @@ # IMPORTANT: # To protect applications, see test-nginx.conf template in example files -%if %%getVar("revprox_hash_bucket_size", "non") == "non" -server_names_hash_bucket_size %%nginxBucketSize; -%end if - # Log format include /etc/lemonldap-ng/nginx-lmlog.conf; #access_log /var/log/nginx/access.log lm_combined; @@ -28,7 +24,7 @@ server { server { listen 443; - ssl on; + ssl on; %if %%cert_type == "letsencrypt" ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; @@ -39,22 +35,26 @@ server { ssl_client_certificate /etc/ssl/certs/ca.crt; access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; server_name %%reloadWebName; + root /var/www/html; error_page 403 404 502 503 504 /nginx.html; location = /nginx.html{ root /usr/share/nginx/www; } - root /var/www/html; location = /reload { allow 127.0.0.1; -%for ipaddr in %%ip_ssh_eth0 - allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0); -%end for deny all; + + # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE reload; + + # OR TO USE uWSGI + #include /etc/nginx/uwsgi_params; + #uwsgi_pass 127.0.0.1:5000; + #uwsgi_param LLTYPE reload; } # Client requests 
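Review bot: The `location = /reload` block of handler-nginx.conf now keeps only `allow 127.0.0.1;` because the `%for ipaddr in %%ip_ssh_eth0` allow loop is removed, so a reload request from any other host — including a manager that is not co-located with this handler, which the new lmConf-1.json points at `https://%%reloadWebName/reload` via `reloadUrls` — is answered with `deny all`. If remote reload is still a supported layout, the loop (or an explicit `allow` for the manager's address) should come back; if the restriction is intentional, a comment such as `# reload is accepted from localhost only; add the manager's address when it runs on another host` would make that visible to the next maintainer. The `server {` block enclosing this location starts before the hunk.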
@@ -62,15 +62,7 @@ server {
 deny all;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
- # Uncomment this if status is enabled
- #location = /status {
- # allow 127.0.0.1;
- # deny all;
- # include /etc/nginx/fastcgi_params;
- # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- # fastcgi_param LLTYPE status;
- #}
-}
\ No newline at end of file
+}
diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini
index c41aba4..921810f 100644
--- a/tmpl/lemonldap-ng.ini
+++ b/tmpl/lemonldap-ng.ini
@@ -110,6 +110,12 @@ localStorageOptions={ \
 ; restart your server. This increase performances
 ;useLocalConf = 1
+; staticPrefix: relative (or URL) location of static HTML components
+staticPrefix = /static
+; location of HTML templates directory
+templateDir = /usr/share/lemonldap-ng/portal/templates
+; languages: available languages for portal interface
+languages = fr, en
 ; PORTAL CUSTOMIZATION
 ; Name of the skin
 portalSkin = %%llSkin
@@ -276,7 +282,7 @@ logLevel = warn
 staticPrefix = /static
 ;
 ; location of HTML templates directory
-templateDir = /usr/share/lemonldap-ng/manager/templates
+templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
 ; languages: available languages for manager interface
 languages = fr, en
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
new file mode 100644
index 0000000..80d4a31
--- /dev/null
+++ b/tmpl/lmConf-1.json
@@ -0,0 +1,441 @@ +%set %%ssoFilters = %%getSSOFilters +{ + "ldapGroupAttributeNameUser": "dn", + "cfgAuthorIP": "172.16.0.1", + "samlSPMetaDataXML": null, + "facebookAuthnLevel": 1, + "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", + "secureTokenAttribute": "uid", + "singleSession": 0, + "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", + "CAS_pgtFile": "/tmp/pgt.txt", + "cookieName": "lemonldap", + "slaveExportedVars": {}, + "whatToTrace": "_whatToTrace", + "oidcRPMetaDataOptions": {}, + "notifyDeleted": 1, + "useRedirectOnError": 1, + "samlSPMetaDataExportedAttributes": null, + "ldapPwdEnc": "utf-8", + "openIdSPList": "0;", + "samlNameIDFormatMapEmail": "mail", + "samlSPMetaDataOptions": null, + "issuerDBOpenIDRule": 1, + "casStorageOptions": {}, + "mailFrom": "noreply@%%nom_domaine_local", + "timeoutActivity": 0, + "oidcRPMetaDataExportedVars": {}, + "issuerDBSAMLActivation": 0, + "issuerDBCASPath": "^/%%casFolder/", + "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", + "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", + "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "exportedHeaders": { + "test1.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "test2.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "%%managerWebName": {} + }, + "vhostOptions": { + "%%managerWebName": { + "vhostHttps" : "1" + }, + "test1.%%nom_domaine_local": {}, + "test2.%%nom_domaine_local": {} + }, + "radiusAuthnLevel": 3, + "dbiAuthnLevel": 2, + "ldapPasswordResetAttribute": "pwdReset", + "ldapGroupObjectClass": "groupOfNames", + "apacheAuthnLevel": 4, + "samlNameIDFormatMapKerberos": "uid", + "groups": {}, + "securedCookie": 0, + "httpOnly": 1, + "yubikeyAuthnLevel": 3, + "ADPwdMaxAge": 0, + "samlUseQueryStringSpecific": 0, + 
"loginHistoryEnabled": 1, + "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", + "failedLoginNumber": 5, + "samlServicePrivateKeyEncPwd": "", + "portalForceAuthnInterval": 0, + "cfgLog": "", + "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "exportedVars": { + "UA": "HTTP_USER_AGENT", +%for att in %%casAttribute + "%%att": "%%att", +%end for +%set %%idx = 0 +%set %%size = %%len(%%ssoFilters) - 1 +%for key,value in %%ssoFilters + %if %%idx == %%size + "%%key": "%%value" + %else + "%%key": "%%value", + %end if + %set %%idx += 1 +%end for + }, + "notificationStorage": "File", + "applicationList": { + "1sample": { + "test2": { + "options": { + "name": "Application Test 2", + "logo": "thumbnail.png", + "uri": "https://test2.%%nom_domaine_local/", + "display": "auto", + "description": "The same simple application displaying authenticated user" + }, + "type": "application" + }, + "type": "category", + "catname": "Sample applications", + "test1": { + "type": "application", + "options": { + "description": "A simple application displaying authenticated user", + "uri": "https://test1.%%nom_domaine_local/", + "logo": "demo.png", + "display": "auto", + "name": "Application Test 1" + } + } + }, + "2administration": { + "notifications": { + "options": { + "name": "Notifications explorer", + "display": "auto", + "description": "Explore WebSSO notifications", + "uri": "https://%%managerWebName/notifications.pl", + "logo": "database.png" + }, + "type": "application" + }, + "manager": { + "options": { + "uri": "https://%%managerWebName/", + "display": "auto", + "description": "Configure LemonLDAP::NG WebSSO", + "logo": "configure.png", + "name": "WebSSO Manager" + }, + "type": "application" + }, + "type": "category", + "sessions": { + "type": "application", + "options": { + 
"description": "Explore WebSSO sessions", + "uri": "https://%%managerWebName/sessions.pl", + "logo": "database.png", + "display": "auto", + "name": "Sessions explorer" + } + }, + "catname": "Administration" + }, + "3documentation": { + "catname": "Documentation", + "officialwebsite": { + "type": "application", + "options": { + "name": "Offical Website", + "description": "Official LemonLDAP::NG Website", + "logo": "network.png", + "display": "on", + "uri": "http://lemonldap-ng.org/" + } + }, + "type": "category", + "localdoc": { + "options": { + "logo": "help.png", + "description": "Documentation supplied with LemonLDAP::NG", + "display": "on", + "uri": "http://%%managerWebName/doc/", + "name": "Local documentation" + }, + "type": "application" + } + } + }, + "userControl": "^[\\w\\.\\-@]+$", + "timeout": 72000, + "portalAntiFrame": 1, + "SMTPServer": "", + "ldapTimeout": 120, + "samlAuthnContextMapPasswordProtectedTransport": 3, + "ldapUsePasswordResetAttribute": 1, + "ldapPpolicyControl": 0, + "casAttributes": { +%for att in %%casAttribute + "%%att": "%%att.casLDAPAttribute", +%end for +%set %%idx = 0 +%set %%size = %%len(%%ssoFilters) - 1 +%for key,value in %%ssoFilters + %if %%idx == %%size + "%%key": "%%key" + %else + "%%key": "%%key", + %end if + %set %%idx += 1 +%end for + }, + "issuerDBSAMLPath": "^/saml/", + "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", + "portalDisplayAppslist": 1, + "confirmFormMethod": "post", + "domain": "%%nom_domaine_local", + "cfgNum": "1", + "authentication": "LDAP", + "samlNameIDFormatMapWindows": "uid", + "authChoiceModules": {}, + "ldapGroupAttributeName": "member", + "samlServicePrivateKeySigPwd": "", + "googleAuthnLevel": 1, + "successLoginNumber": 5, + "localSessionStorageOptions": { + "cache_root": "/tmp", + "namespace": "lemonldap-ng-sessions", + "default_expires_in": 600, + "directory_umask": "007", + "cache_depth": 3 + }, + 
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "portalRequireOldPassword": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", + "ADPwdExpireWarning": 0, + "yubikeyPublicIDSize": 12, + "ldapGroupAttributeNameGroup": "dn", + "oidcRPMetaDataOptionsExtraClaims": null, + "ldapGroupRecursive": 0, + "mailSubject": "[LemonLDAP::NG] Your new password", + "nginxCustomHandlers": {}, + "samlSPSSODescriptorAuthnRequestsSigned": 1, +%if %%llResetPassword == "oui" + "portalDisplayResetPassword": 1, +%else + "portalDisplayResetPassword": 0, +%end if + "openIdSreg_timezone": "_timezone", + "infoFormMethod": "get", + "openIdAuthnLevel": 1, + "openIdSreg_nickname": "uid", + "samlServicePublicKeyEnc": "", + "userDB": "LDAP", + "grantSessionRules": {}, + "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", + "reloadUrls": { + "%%reloadWebName": "https://%%reloadWebName/reload" + }, + "registerTimeout": 0, + "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", + "slaveAuthnLevel": 2, + "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "Soap": 1, +%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo') +%if %%RegisterDB == "Custom" + "registerDB": "Null", +%else + "registerDB": "%%RegisterDB", +%end if + "locationRules": { + "%%managerWebName": { + "default": "$uid eq \"%%lemonAdmin\"" + }, + "test1.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + }, + "test2.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + } + }, + "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "hideOldPassword": 0, +%if %%is_file(%%ldapBindUserPassword) + 
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", +%else + "managerPassword": "%%ldapBindUserPassword", +%end if + "authChoiceParam": "lmAuth", + "lwpSslOpts": {}, + "portalSkinRules": {}, + "issuerDBOpenIDPath": "^/openidserver/", + "redirectFormMethod": "get", + "portalDisplayRegister": 1, + "secureTokenMemcachedServers": "127.0.0.1:11211", + "notificationStorageOptions": { + "dirName": "/var/lib/lemonldap-ng/notifications" + }, + "browserIdAuthnLevel": 1, + "portalUserAttr": "_user", + "ldapVersion": 3, + "sessionDataToRemember": {}, + "samlNameIDFormatMapX509": "mail", + "managerDn": "%%ldapBindUserDN", + "mailSessionKey": "mail", + "openIdSreg_email": "mail", + "localSessionStorage": "Cache::FileCache", + "persistentStorage": "Apache::Session::File", + "mailOnPasswordChange": 0, + "captchaStorage": "Apache::Session::File", + "remoteGlobalStorageOptions": { + "proxy": "https://%%authWebName/index.pl/sessions", + "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService" + }, + "passwordDB": "LDAP", + "captcha_size": 6, + "mailCharset": "utf-8", + "facebookExportedVars": {}, + "nullAuthnLevel": 2, + "singleIP": 0, + "dbiExportedVars": {}, + "portalSkin": "bootstrap", + "storePassword": 0, + "hiddenAttributes": "_password", + "samlServicePrivateKeySig": "", + "globalStorage": "Apache::Session::File", + "notificationWildcard": "allusers", + "portalForceAuthn": 0, + "samlMetadataForceUTF8": 1, + "secureTokenUrls": ".*", + "secureTokenAllowOnError": 1, + "samlAuthnContextMapTLSClient": 5, + "ldapAllowResetExpiredPassword": 0, + "oidcOPMetaDataExportedVars": {}, + "notifyOther": 0, + "secureTokenExpiration": 60, + "captcha_mail_enabled": 0, + "samlStorageOptions": {}, + "samlOrganizationDisplayName": "Example", + "trustedProxies": "", + "secureTokenHeader": "Auth-Token", + "issuerDBCASActivation": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", + 
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "samlIDPMetaDataXML": {}, + "oidcStorageOptions": {}, + "cfgDate": 1519998069, + "samlAuthnContextMapPassword": 2, + "portalDisplayLoginHistory": 1, + "ldapPasswordResetAttributeValue": "TRUE", + "ldapServer": "%%ldapScheme://%%ldapServer", + "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", + "samlIDPMetaDataExportedAttributes": null, + "samlServicePrivateKeyEnc": "", + "useRedirectOnForbidden": 0, + "captcha_login_enabled": 0, + "https": 0, + "checkXSS": 1, + "ldapSetPassword": 0, + "portalPingInterval": 60000, + "captchaStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/captcha/" + }, + "useSafeJail": 1, + "registerDoneSubject": "[LemonLDAP::NG] Your new account", + "issuerDBCASRule": 1, + "samlAuthnContextMapKerberos": 4, + "ldapGroupAttributeNameSearch": "cn", + "logoutServices": {}, + "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, + "portalDisplayLogout": 1, + "issuerDBGetParameters": {}, + "googleExportedVars": {}, + "openIdSreg_fullname": "cn", + "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", + "demoExportedVars": { + "mail": "mail", + "uid": "uid", + "cn": "cn" + }, + "oidcOPMetaDataJSON": null, + "samlIdPResolveCookie": "lemonldapidp", + "samlRelayStateTimeout": 600, + "samlOrganizationURL": "https://auth.%%nom_domaine_local", + "globalStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/sessions", + "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" + }, + "ldapExportedVars": { + "mail": "mail", + "cn": "cn", + "uid": "uid" + }, + "webIDExportedVars": {}, + "activeTimer": 1, + "cda": 0, + "samlServicePublicKeySig": "", +%if %%llCheckLogins == "oui" + "portalCheckLogins": 1, +%else 
+ "portalCheckLogins": 0, +%end if + "CAS_authnLevel": 1, + "macros": { + "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" + }, + "samlIDPMetaDataOptions": null, + "twitterAuthnLevel": 1, + "openIdExportedVars": {}, + "captcha_register_enabled": 1, + "oidcOPMetaDataJWKS": null, + "webIDAuthnLevel": 1, + "issuerDBOpenIDActivation": "1", +%if %%is_empty(%%llResetUrl) + "mailUrl": "https://%%authWebName/mail.pl", +%else + "mailUrl": "%%llResetUrl", +%end if + "maintenance": 0, + "jsRedirect": 0, + "cfgAuthor": "Cadoles", + "persistentStorageOptions": { + "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock", + "Directory": "/var/lib/lemonldap-ng/psessions" + }, + "SSLAuthnLevel": 5, + "oidcServiceMetaDataAuthnContext": {}, + "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "notification": 1, + "ldapChangePasswordAsUser": 0, + "CAS_proxiedServices": {}, + "key": "e\"bTCt3*eU9^\\V%b", + "portal": "https://%%authWebName/", + "singleSessionUserByIP": 0, + "portalOpenLinkInNewWindow": 0, + "post": { + "test2.%%nom_domaine_local": {}, + "test1.%%nom_domaine_local": {}, + "%%managerWebName": {} + }, + "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost", + "issuerDBSAMLRule": 1, + "samlCommonDomainCookieActivation": 0, + "syslog": "", + "ldapBase": "%%ldapUserBaseDN", + "ldapAuthnLevel": 2, + "mailTimeout": 0, + "samlEntityID": "#PORTAL#/saml/metadata", + "oidcOPMetaDataOptions": null, + "samlSPSSODescriptorWantAssertionsSigned": 1, + "samlOrganizationName": "%%samlOrganizationName", +%if %%RegisterDB == "Custom" + "registerUrl": "%%llRegisterURL", +%else + "registerUrl": "https://%%authWebName/register.pl", +%end if + "casAccessControlPolicy": "none", + "multiValuesSeparator": ";", + "ldapPort": %%ldapServerPort +} 
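Review bot: `"key": "e\"bTCt3*eU9^\\V%b"` hard-codes the LemonLDAP::NG encryption key into a template that every instance renders identically, so all deployments built from it share the same secret; it should come from a per-instance variable filled with a random value at instanciation (e.g. `"key": "%%llCryptKey"`, variable name to be chosen) rather than a literal. Relatedly, `"securedCookie": 0` leaves the SSO cookie without the Secure flag although portal-nginx.conf serves the portal over TLS; with `"httpOnly": 1` already set, `"securedCookie": 1` would be the consistent choice if the portal is reached over HTTPS only. The file is a single 441-line hunk, so the two keys sit some distance apart.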
diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf
index 48e9d98..ec288e5 100644
--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
@@ -6,8 +6,8 @@ server {
 server {
 listen 443;
- ssl on;
-%if %%cert_type == "letsencrypt"
+ ssl on;
+ %if %%cert_type == "letsencrypt"
 ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
 ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
 %else
@@ -20,29 +20,41 @@ server {
 error_page 403 404 502 503 504 /nginx.html;
 location = /nginx.html{
- root /usr/share/nginx/www;
- }
+ root /usr/share/nginx/www;
+ }
- if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
+ root /usr/share/lemonldap-ng/manager/htdocs/;
+
+ if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
 rewrite ^/(.*)$ /manager.psgi/$1 break;
 }
- location /manager.psgi {
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+
+ # FastCGI configuration
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- fastcgi_param LLTYPE manager;
+ fastcgi_param LLTYPE psgi;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ # OR TO USE uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE psgi;
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
+
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
 location / {
 index manager.psgi;
+ try_files $uri $uri/ =404;
 allow 127.0.0.0/8;
 deny all;
- try_files $uri $uri/ =404;
 }
 location /doc/ {
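Review bot: As rendered, `location ~ ^(?/.*\.psgi)(?:$|/) {` is not a valid PCRE group — `(?` has to be followed by a modifier or a group name — and nginx would refuse to load the file; the commented uWSGI lines below reference `$sc`, so presumably a named group `(?<sc>/.*\.psgi)` was intended and the `<sc>` was lost between editor and page, which is worth confirming in the committed file. The same pattern appears in the portal-nginx.conf hunk (`location ~ ^(?/.*\.psgi)(?:$|/)`) and in test-nginx.conf (`location ~ ^(?/.*\.pl)(?:$|/)`). A smaller point of style: the first hunk indents `%if %%cert_type == "letsencrypt"` by one space while handler-nginx.conf and portal-nginx.conf keep the template directive at column 0; aligning them avoids a spurious diff later.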
@@ -52,12 +64,8 @@ server {
 location /lib/ {
 alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
 }
- location /fr-doc/ {
- alias /usr/share/doc/lemonldap-ng-fr-doc/;
- index index.html start.html;
- }
 location /static/ {
- alias /usr/share/lemonldap-ng/manager/static/;
+ alias /usr/share/lemonldap-ng/manager/htdocs/static/;
 }
 # DEBIAN
@@ -65,4 +73,5 @@ server {
 #location /javascript/ {
 # alias /usr/share/javascript/;
 #}
+
 }
diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
index c7f0544..32464a1 100644
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
@@ -1,3 +1,10 @@
+## map directive must be in http context
+# Uncomment this if you use Auth SSL:
+#map $ssl_client_s_dn $ssl_client_s_dn_cn {
+# default "";
+# ~/CN=(?[^/]+) $CN;
+#}
+
 server {
 listen 80;
 server_name %%authWebName;
@@ -6,88 +13,67 @@ server {
 server {
 listen 443;
- ssl on;
+ ssl on;
 %if %%cert_type == "letsencrypt"
 ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
 ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
 %else
- ssl_certificate %%server_cert;
- ssl_certificate_key %%server_key;
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
 %end if
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
+ ssl_client_certificate /etc/ssl/certs/ca..crt;
+ access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
 server_name %%authWebName;
- root /var/lib/lemonldap-ng/portal/;
+ root /usr/share/lemonldap-ng/portal/htdocs/;
- location ~ \.pl(?:$|/) {
- include /etc/nginx/fastcgi_params;
- fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- fastcgi_param LLTYPE cgi;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- set $sn $request_uri;
- if ($sn ~ "^(.*)\?") {
- set $sn $1;
- }
- if ($sn ~ "^/index.pl") {
- set $sn "/index.pl";
- }
- fastcgi_param SCRIPT_NAME $sn;
- fastcgi_split_path_info ^(.*\.pl)(/.*)$;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- # Uncomment this if you use Auth SSL:
- #map $ssl_client_s_dn $ssl_client_s_dn_cn {
- # default "";
- # ~/CN=(?[^/]+) $CN;
- #}
- #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
+ if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
+ rewrite ^/(.*)$ /index.psgi/$1 break;
 }
- index index.pl;
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+ # Note that Content-Security-Policy header is generated by portal itself
+
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ }
+
+ index index.psgi;
 location / {
 try_files $uri $uri/ =404;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 }
- # SOAP functions for sessions management (disabled by default)
- location /index.pl/adminSessions {
+ location /static/ {
+ alias /usr/share/lemonldap-ng/portal/htdocs/static/;
+ }
+
+ # REST/SOAP functions for sessions management (disabled by default)
+ location /index.psgi/adminSessions {
 deny all;
 }
- # SOAP functions for sessions access (disabled by default)
- location /index.pl/sessions {
+ # REST/SOAP functions for sessions access (disabled by default)
+ location /index.psgi/sessions {
 deny all;
 }
- # SOAP functions for configuration access (disabled by default)
- location /index.pl/config {
+ # REST/SOAP functions for configuration access (disabled by default)
+ location /index.psgi/config {
 deny all;
 }
- # SOAP functions for notification insertion (disabled by default)
- location /index.pl/notification {
+ # REST/SOAP functions for notification insertion (disabled by default)
+ location /index.psgi/notification {
 deny all;
 }
- # SAML2 Issuer
- rewrite ^/saml/metadata /metadata.pl last;
- rewrite ^/saml/.* /index.pl last;
-
- # CAS Issuer
- rewrite ^/cas/.* /index.pl;
-
- # OpenID Issuer
- rewrite ^/openidserver/.* /index.pl last;
-
- # OpenID Connect Issuer
- rewrite ^/oauth2/.* /index.pl last;
- rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
-
- # Get Issuer
- rewrite ^/get/.* /index.pl;
-
- # Public pages
- rewrite ^/public.* /public.pl;
 # DEBIAN
 # If install was made with USEDEBIANLIBS (official releases), uncomment this
diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf
index ad83e3c..87e170f 100644
--- a/tmpl/test-nginx.conf
+++ b/tmpl/test-nginx.conf
@@ -6,7 +6,7 @@ server {
 server {
 listen 443;
- ssl on;
+ ssl on;
 ssl_certificate %%server_cert;
 ssl_certificate_key %%server_key;
 ssl_client_certificate /etc/ssl/certs/ca.crt;
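Review bot: `ssl_client_certificate /etc/ssl/certs/ca..crt;` has a doubled dot; the line it replaces and every other template in this commit use `/etc/ssl/certs/ca.crt`, and nginx refuses to start when the referenced file does not exist, so it should read `ssl_client_certificate /etc/ssl/certs/ca.crt;`. Separately, the four `location /index.psgi/... { deny all; }` blocks are plain prefix locations while the FastCGI handler is the `.psgi` regex location; unless a prefix location is marked `^~`, nginx tries regex locations first, so a request for `/index.psgi/sessions` is very likely served by the regex block and the `deny all` never applies — the old `/index.pl/...` blocks had the same shape, but since they are being rewritten this is the moment to declare them as `location ^~ /index.psgi/sessions {` (and the other three) or otherwise verify that the restriction actually bites. The `server {` block continues past the end of the hunk.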
@@ -15,24 +15,24 @@ server {
 server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
 root /var/lib/lemonldap-ng/test/;
- # Internal authentication request
 location = /lmauth {
 internal;
+
+ # FastCGI configuration
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
- # To use AuthBasic handler, uncomment this and remove "error_page 401"
- # fastcgi_param LLTYPE authbasic;
- # Drop post datas
 fastcgi_pass_request_body off;
 fastcgi_param CONTENT_LENGTH "";
- # Keep original hostname
 fastcgi_param HOST $http_host;
-
- # Keep original request (LLNG server will received /llauth)
+ # Keep original request (LLNG server will receive /lmauth)
 fastcgi_param X_ORIGINAL_URI $request_uri;
+ # Improve performances
+ #fastcgi_buffer_size 32k;
+ #fastcgi_buffers 32 32k;
+
 }
 # Client requests
@@ -51,7 +51,7 @@ server {
 auth_request /lmauth;
 auth_request_set $lmremote_user $upstream_http_lm_remote_user;
 auth_request_set $lmlocation $upstream_http_location;
- # Uncomment this if CDA is used
+ # If CDA is used, uncomment this
 #auth_request_set $cookie_value $upstream_http_set_cookie;
 #add_header Set-Cookie $cookie_value;
 # Remove this for AuthBasic handler
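Review bot: The `location = /lmauth` hunk removes the `# To use AuthBasic handler, uncomment this and remove "error_page 401"` hint together with `# fastcgi_param LLTYPE authbasic;`, but the next hunk's context still says `# Remove this for AuthBasic handler`, which now refers to a variant the file no longer explains; either keep the two-line hint in `/lmauth` or drop the dangling comment as well. The other removed comments (`# Internal authentication request`, `# Drop post datas`, `# Keep original hostname`) said why `fastcgi_pass_request_body off;` and `fastcgi_param HOST $http_host;` are there; a line such as `# Drop the request body before forwarding to the handler` above `fastcgi_pass_request_body off;` would keep that for the next reader. The `server {` block enclosing this location starts before the hunk.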
@@ -68,30 +68,37 @@ server {
 # Set manually your headers
 #auth_request_set $authuser $upstream_http_auth_user;
 #proxy_set_header Auth-User $authuser;
- # OR in the correspondinc block
+ # OR in the corresponding block
 #fastcgi_param HTTP_AUTH_USER $authuser;
- # Then (if LUA not supported), change cookie header to hide LLNG cookie
+ # Then (if LUA is not supported), change cookie header to hide LLNG cookie
 #auth_request_set $lmcookie $upstream_http_cookie;
 #proxy_set_header Cookie: $lmcookie;
 # OR in the corresponding block
 #fastcgi_param HTTP_COOKIE $lmcookie;
 # Uncomment this if you use https only
- #add_header Strict-Transport-Security "15768000";
+ #add_header Strict-Transport-Security "max-age=15768000";
 # Set REMOTE_USER (for FastCGI apps only)
 #fastcgi_param REMOTE_USER $lmremote_user;
 }
 # Handle test CGI
- location ~ \.pl$ {
+ location ~ ^(?/.*\.pl)(?:$|/) {
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 fastcgi_param LLTYPE cgi;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.pl)(/.+)$;
 fastcgi_param REMOTE_USER $lmremote_user;
+
+ # Or with uWSGI
+ #include /etc/nginx/uwsgi_params;
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_param LLTYPE cgi;
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
 }
 #location = /status {
@@ -100,5 +107,10 @@ server {
 # include /etc/nginx/fastcgi_params;
 # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 # fastcgi_param LLTYPE status;
+
+ ### Or with uWSGI
+ ## include /etc/nginx/uwsgi_params;
+ ## uwsgi_pass 127.0.0.1:5000;
+ ## uwsgi_param LLTYPE status;
 #}
 }
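Review bot: The rewritten `# Handle test CGI` block is a regex location, and nginx selects a matching regex location ahead of any prefix location not marked `^~`, so if `auth_request /lmauth;` lives only in a `location /` block (its enclosing block is outside this hunk), requests for `*.pl` reach the test CGI without passing through the handler and `fastcgi_param REMOTE_USER $lmremote_user;` is set from a variable nothing has populated. This predates the commit, but the regex was widened from `\.pl$` to also accept `/name.pl/extra` paths, so it is the right moment to confirm `auth_request` covers this location as well — either by moving `auth_request /lmauth;` and its `auth_request_set` lines to server level, or by repeating them inside this block — and to say so in a comment next to `fastcgi_param REMOTE_USER`. The `server {` block enclosing the location starts before the hunk.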