Reprise des fichiers de configuration pour intégration au module EOLE

2019-07-12 11:32:26 +02:00 · 2019-07-12 11:32:26 +02:00 · abb1d10a87
parent 30e142fa98
commit abb1d10a87
4 changed files with 74 additions and 78 deletions
--- a/tmpl/handler-nginx.conf
+++ b/tmpl/handler-nginx.conf
@ -18,17 +18,29 @@ include /etc/lemonldap-ng/nginx-lmlog.conf;

 server {
  listen 80;
-  server_name reload.example.com;
+  server_name %%reloadWebName;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443;
+  ssl on;
+%if %%cert_type == "letsencrypt"
+  ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
+  ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
+%else
+  ssl_certificate    %%server_cert;
+  ssl_certificate_key     %%server_key;
+%end if
+  ssl_client_certificate  /etc/ssl/certs/ca.crt;
+  access_log  /var/log/nginx/manager-lemon-ldap.access-ssl.log;
+  server_name %%reloadWebName;
  root /var/www/html;

-  # Uncomment this if you are running behind a reverse proxy and want
-  # LemonLDAP::NG to see the real IP address of the end user
-  # Adjust the settings to match the IP address of your reverse proxy
-  # and the header containing the original IP address
-  # As an alternative, you can use the PROXY protocol
-  #
-  #set_real_ip_from  127.0.0.1;
-  #real_ip_header    X-Forwarded-For;
+  error_page   403 404 502 503 504  /nginx.html;
+  location = /nginx.html{
+       root /usr/share/nginx/www;
+    }

  location = /reload {
    allow 127.0.0.1;
@ -53,17 +65,4 @@ server {
    #add_header Strict-Transport-Security "max-age=15768000";
  }

-  # Uncomment this if status is enabled
-  #location = /status {
-  #  allow 127.0.0.1;
-  #  deny all;
-  #  # FastCGI configuration
-  #  include /etc/nginx/fastcgi_params;
-  #  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-  #  fastcgi_param LLTYPE status;
-  #  # OR TO USE uWSGI
-  #  #include /etc/nginx/uwsgi_params;
-  #  #uwsgi_pass 127.0.0.1:5000;
-  #  #uwsgi_param LLTYPE status;
-  #}
 }
--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
@ -1,18 +1,29 @@
 server {
  listen 80;
-  server_name manager.example.com;
-  root /usr/share/lemonldap-ng/manager/htdocs/;
-  # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
-  #access_log /var/log/nginx/portal.log lm_app;
+  server_name %%managerWebName;
+  return 301 https://$host$request_uri;
+}

-  # Uncomment this if you are running behind a reverse proxy and want
-  # LemonLDAP::NG to see the real IP address of the end user
-  # Adjust the settings to match the IP address of your reverse proxy
-  # and the header containing the original IP address
-  # As an alternative, you can use the PROXY protocol
-  #
-  #set_real_ip_from  127.0.0.1;
-  #real_ip_header    X-Forwarded-For;
+server {
+  listen 443;
+  ssl on;
+  %if %%cert_type == "letsencrypt"
+  ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
+  ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
+%else
+  ssl_certificate    %%server_cert;
+  ssl_certificate_key     %%server_key;
+%end if
+  ssl_client_certificate  /etc/ssl/certs/ca.crt;
+  access_log  /var/log/nginx/manager-lemon-ldap.access-ssl.log;
+  server_name %%managerWebName;
+
+  error_page   403 404 502 503 504  /nginx.html;
+  location = /nginx.html{
+    root /usr/share/nginx/www;
+  } 
+
+  root /usr/share/lemonldap-ng/manager/htdocs/;

  if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
    rewrite ^/(.*)$ /manager.psgi/$1 break;
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
@ -7,19 +7,24 @@

 server {
  listen 80;
-  server_name auth.example.com;
-  root /usr/share/lemonldap-ng/portal/htdocs/;
-  # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
-  #access_log /var/log/nginx/portal.log lm_app;
+  server_name %%authWebName;
+  return 301 https://$host$request_uri;
+}

-  # Uncomment this if you are running behind a reverse proxy and want
-  # LemonLDAP::NG to see the real IP address of the end user
-  # Adjust the settings to match the IP address of your reverse proxy
-  # and the header containing the original IP address
-  # As an alternative, you can use the PROXY protocol
-  #
-  #set_real_ip_from  127.0.0.1;
-  #real_ip_header    X-Forwarded-For;
+server {
+  listen 443;
+  ssl on;
+%if %%cert_type == "letsencrypt"
+  ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
+  ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
+%else
+  ssl_certificate %%server_cert;
+  ssl_certificate_key %%server_key;
+%end if
+  ssl_client_certificate /etc/ssl/certs/ca..crt;
+  access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
+  server_name %%authWebName;
+  root /usr/share/lemonldap-ng/portal/htdocs/;

  if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
@ -35,17 +40,6 @@ server {
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
-    # Uncomment this if you use Auth SSL:
-    #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
-
-    # OR TO USE uWSGI
-    #include /etc/nginx/uwsgi_params;
-    #uwsgi_pass 127.0.0.1:5000;
-    #uwsgi_param LLTYPE psgi;
-    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
-    #uwsgi_param SCRIPT_NAME $sc;
-    # Uncomment this if you use Auth SSL:
-    #uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;

  }

--- a/tmpl/test-nginx.conf
+++ b/tmpl/test-nginx.conf
@ -1,16 +1,19 @@
 server {
  listen 80;
-  server_name test1.example.com test2.example.com;
-  root /var/lib/lemonldap-ng/test/;
+  server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+  return 301 https://$host$request_uri;
+}

-  # Uncomment this if you are running behind a reverse proxy and want
-  # LemonLDAP::NG to see the real IP address of the end user
-  # Adjust the settings to match the IP address of your reverse proxy
-  # and the header containing the original IP address
-  # As an alternative, you can use the PROXY protocol
-  #
-  #set_real_ip_from  127.0.0.1;
-  #real_ip_header    X-Forwarded-For;
+server {
+  listen 443;
+  ssl on;
+  ssl_certificate    %%server_cert;
+  ssl_certificate_key     %%server_key;
+  ssl_client_certificate  /etc/ssl/certs/ca.crt;
+  access_log  /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
+
+  server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+  root /var/lib/lemonldap-ng/test/;

  # Internal authentication request
  location = /lmauth {
@ -30,17 +33,6 @@ server {
    #fastcgi_buffer_size 32k;
    #fastcgi_buffers 32 32k;
    
-
-    # OR TO USE uWSGI
-    #include /etc/nginx/uwsgi_params;
-    #uwsgi_pass 127.0.0.1:5000;
-    #uwsgi_pass_request_body  off;
-    #uwsgi_param CONTENT_LENGTH "";
-    #uwsgi_param HOST $http_host;
-    #uwsgi_param X_ORIGINAL_URI  $request_uri;
-    # Improve performances
-    #uwsgi_buffer_size 32k;
-    #uwsgi_buffers 32 32k;
  }

  # Client requests