eole-lemonldap/tmpl/portal-nginx.conf

## map directive must be in http context
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn  $ssl_client_s_dn_cn {
#  default           "";
#  ~/CN=(?<CN>[^/]+) $CN;
#}
%set %%webDomain = %%authWebName.split('.',1)[1]
%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')


server {
  listen 80;
  server_name %%authWebName;
  return 301 https://$host$request_uri;
}

server {
  listen 443;
  ssl on;
%if %%cert_type == "letsencrypt"
  ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
  ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
%else
  ssl_certificate %%server_cert;
  ssl_certificate_key %%server_key;
%end if
  ssl_client_certificate /etc/ssl/certs/ca..crt;
  ssl_session_cache shared:SSL:10m;
  access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
  server_name %%authWebName;
  root /usr/share/lemonldap-ng/portal/htdocs/;

  if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }

  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
    # Note that Content-Security-Policy header is generated by portal itself

    # FastCGI configuration
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
    fastcgi_hide_header Content-Security-Policy;
    add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";

  }

  index index.psgi;
  location / {
    try_files $uri $uri/ =404;

    # Uncomment this if you use https only
    #add_header Strict-Transport-Security "max-age=15768000";
  }

  location /static/ {
    alias /usr/share/lemonldap-ng/portal/htdocs/static/;
  }

  # REST/SOAP functions for sessions management (disabled by default)
  location /index.psgi/adminSessions {
    deny all;
  }

  # REST/SOAP functions for sessions access (disabled by default)
  location /index.psgi/sessions {
    deny all;
  }

  # REST/SOAP functions for configuration access (disabled by default)
  location /index.psgi/config {
    deny all;
  }

  # REST/SOAP functions for notification insertion (disabled by default)
  location /index.psgi/notification {
    deny all;
  }

  # DEBIAN
  # If install was made with USEDEBIANLIBS (official releases), uncomment this
  #location /javascript/ {
  #  alias /usr/share/javascript/;
  #}
}