Philippe Caseiro
bf94e74916
Moving to Active Directory as the actual auth LDAP server. The password is updated in the Samba4 directory, so we need to use this one and not the OpenLDAP one.
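#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#
# The %%name tokens below (%%adresse_ip_eth0, %%authWebName, %%server_cert,
# %%server_key, %%lm_loglevel) look like template placeholders; presumably
# they are substituted before Apache loads this file.
#====================================================================

# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"

# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng

# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
    ServerName %%authWebName

    # --- TLS ---
    SSLEngine on
    SSLCertificateFile %%server_cert
    SSLCertificateKeyFile %%server_key
    # NOTE(review): SSLCertificateChainFile is obsolete since Apache 2.4.8,
    # where SSLCertificateFile can also carry the intermediate certificates.
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    # This is the authentication portal, so the legacy protocols are all
    # switched off: SSLv2/SSLv3 as before, plus TLS 1.0 and 1.1. What remains
    # is TLS 1.2 and newer. Clients limited to TLS 1.0/1.1 will no longer
    # connect.
    SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
    # NOTE(review): no proxy directive is visible in this virtual host;
    # confirm SSLProxyEngine is still needed here.
    SSLProxyEngine on

    # --- Logging ---
    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/portal_error.log
    CustomLog /var/log/apache2/portal_access.log common

    # See above to set LLNG user id in Apache logs
    #CustomLog /var/log/apache2/portal.log llng

    # DocumentRoot (FCGI scripts)
    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Allow from all
        </IfVersion>
        Options +ExecCGI +FollowSymLinks
    </Directory>

    # Every request that is neither a static asset nor already aimed at a
    # .fcgi script is handed to index.fcgi, with the original path appended.
    RewriteEngine On
    # For performance, a page can be served as a static HTML file: save the
    # HTML result (example: /oauth2/checksession.html) as a static file, then
    # uncomment the following line.
    # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]

    # Note that Content-Security-Policy header is generated by portal itself
    <Files *.fcgi>
        SetHandler fcgid-script

        # Authorization header needs to be passed when using Kerberos or OIDC
        <IfVersion >= 2.4.13>
            CGIPassAuth On
        </IfVersion>
        <IfVersion < 2.4.13>
            # Older servers: copy the request header into an environment
            # variable by hand.
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        </IfVersion>

        Options +ExecCGI
        # Lm-Remote-User is the response header the log format above reads;
        # it is removed here so it does not go out to the client.
        Header unset Lm-Remote-User
    </Files>

    # Uncomment this if status is enabled
    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321

    # Static files
    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
        # Same version split as the other access blocks in this file
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Allow from all
        </IfVersion>
        Options +FollowSymLinks
    </Directory>
    <Location /static/>
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>

    <IfModule mod_dir.c>
        DirectoryIndex index.fcgi index.html
    </IfModule>

    # The four locations below expose session, configuration and notification
    # functions and are denied to everyone. If one has to be opened, allow
    # only the specific trusted hosts that need it rather than all clients.

    # REST/SOAP functions for sessions management (disabled by default)
    <Location /index.fcgi/adminSessions>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for configuration access (disabled by default)
    <Location /index.fcgi/config>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # REST/SOAP functions for notification insertion (disabled by default)
    <Location /index.fcgi/notification>
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Location>

    # Enable compression
    # NOTE(review): this applies DEFLATE to the whole site, including the
    # dynamic portal pages. Compressing TLS responses that mix secret tokens
    # with request-controlled content is the precondition for BREACH-style
    # length side channels; consider limiting compression to /static/.
    <Location />
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
            SetOutputFilter DEFLATE
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
            SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        </IfModule>
        <IfModule mod_headers.c>
            Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>

    # Uncomment this if the site is served over SSL only.
    # NOTE(review): this virtual host listens on port 443 only. With HSTS
    # set, browsers stop letting users click through certificate warnings,
    # so check first that clients trust the certificate chain.
    #Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>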