## map directive must be in http context # Uncomment this if you use Auth SSL: #map $ssl_client_s_dn $ssl_client_s_dn_cn { # default ""; # ~/CN=(?[^/]+) $CN; #} %set %%webDomain = %%authWebName.split('.',1)[1] %set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ') server { listen 80; server_name %%authWebName; return 301 https://$host$request_uri; } server { listen 443; ssl on; %if %%cert_type == "letsencrypt" ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; %else ssl_certificate %%server_cert; ssl_certificate_key %%server_key; %end if ssl_client_certificate /etc/ssl/certs/ca..crt; access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log; server_name %%authWebName; root /usr/share/lemonldap-ng/portal/htdocs/; if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) { rewrite ^/(.*)$ /index.psgi/$1 break; } location ~ ^(?/.*\.psgi)(?:$|/) { # Note that Content-Security-Policy header is generated by portal itself # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_hide_header Content-Security-Policy; add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'"; } index index.psgi; location / { try_files $uri $uri/ =404; # Uncomment this if you use https only #add_header Strict-Transport-Security "max-age=15768000"; } location /static/ { alias /usr/share/lemonldap-ng/portal/htdocs/static/; } # REST/SOAP functions for sessions management (disabled by default) location /index.psgi/adminSessions { deny all; } # REST/SOAP functions for sessions access (disabled by default) location /index.psgi/sessions { deny all; } # REST/SOAP functions for configuration access (disabled by default) location /index.psgi/config { deny all; } # REST/SOAP functions for notification insertion (disabled by default) location /index.psgi/notification { deny all; } # DEBIAN # If install was made with USEDEBIANLIBS (official releases), uncomment this #location /javascript/ { # alias /usr/share/javascript/; #} }