eole-lemonldap/tmpl/handler-nginx.conf

72 lines
2.1 KiB
Plaintext

#=======================================================================
# Nginx configuration for LemonLDAP::NG Handler
#=======================================================================
# This file implements the reload virtualhost that permits to reload
# configuration without restarting server.
# You need then to declare this vhost in reloadUrls (in the manager
# interface if this server doesn't host the manager itself):
#
# KEY : VALUE
# host-or-IP:port : http://reload.example.com/reload
#
# IMPORTANT:
# To protect applications, see test-nginx.conf template in example files
# Log format
include /etc/lemonldap-ng/nginx-lmlog.conf;
#access_log /var/log/nginx/access.log lm_combined;
server {
listen 80;
server_name %%reloadWebName;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /var/www/html;
location = /reload {
allow 127.0.0.1;
%for ipaddr in %%ip_ssh_eth0
allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0)
%end for
deny all;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
}
# Client requests
location / {
deny all;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
}
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}