Differences

documentation:2.1:authssl [2019/08/16 11:46]
cmaudoux [SSL by Ajax]
documentation:2.1:authssl [2020/03/20 23:02] (current)
cmaudoux [With Nginx]
Line 10: Line 10:
   * Allow no certificate to chain with other authentication methods   * Allow no certificate to chain with other authentication methods
  
-===== Configuration =====+===== Configuration ​(as the only authentication module) ​=====
  
 By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG //​(compatible with [[authcombination|Combination]])//,​ you can activate "SSL by Ajax request"​ in the manager. See [[#​ssl_by_Ajax|SSL by Ajax]] below. By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG //​(compatible with [[authcombination|Combination]])//,​ you can activate "SSL by Ajax request"​ in the manager. See [[#​ssl_by_Ajax|SSL by Ajax]] below.
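Review bot: renaming the section headings breaks the two in-page links that this revision leaves unchanged: the paragraph at Line 10 still points to `[[#ssl_by_Ajax|SSL by Ajax]]` and the warning note later in this diff still points to `[[#ssl_by_ajax|SSL by Ajax]]`, but the target heading becomes `===== Configuration (for Combination/Choice) =====` in this same revision, and DokuWiki derives section anchors from the heading text, so both links stop resolving. Either keep an "SSL by Ajax" heading or update both links to the new anchor.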
Line 83: Line 83:
 ssl_certificate_key /​etc/​letsencrypt/​live/​my/​privkey.pem;​ ssl_certificate_key /​etc/​letsencrypt/​live/​my/​privkey.pem;​
 ssl_verify_depth 3; ssl_verify_depth 3;
 +# All CA certificates concatenated in a single file
 ssl_client_certificate /​etc/​nginx/​ssl/​ca.pem;​ ssl_client_certificate /​etc/​nginx/​ssl/​ca.pem;​
 ssl_crl /​etc/​nginx/​ssl/​crl/​my.crl;​ ssl_crl /​etc/​nginx/​ssl/​crl/​my.crl;​
 +
 +# Reset SSL connection. User does not have to close his browser to try connecting again
 +keepalive_timeout 0 0;
 +add_header '​Connection'​ '​close';​
 +ssl_session_timeout 1s;
 </​file>​ </​file>​
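Review bot: the three reset directives added after `ssl_crl` apply to every request handled by this server block, not only to the certificate check, and `add_header 'Connection' 'close';` set at server level is silently dropped for any `location` that declares its own `add_header` (nginx does not merge `add_header` across levels), so the "user does not have to close his browser" behaviour can fail for such locations; repeat the header in those locations or document the constraint. The comment should also say that `ssl_session_timeout 1s;` forces a full TLS handshake on practically every connection, which is the intended effect here but a cost the reader should be told about.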
  
Line 157: Line 163:
 It is particularly important for smart cards: when the card is not inserted before the browser starts, the user must restart his browser, or at least refresh (F5) the page. It is particularly important for smart cards: when the card is not inserted before the browser starts, the user must restart his browser, or at least refresh (F5) the page.
  
 +=== Apache server ===
 It is possible with AJAX code and 3 Apache locations to bypass this limitation. It is possible with AJAX code and 3 Apache locations to bypass this limitation.
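Review bot: the new `=== Apache server ===` heading sits two levels below the enclosing `=====` section (DokuWiki uses `====` for the next level), which skews the generated table of contents; use `====` here and in the matching `=== Nginx server ===` heading added further down, or keep `===` for both only if the skip is deliberate.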
  
Line 248: Line 255:
 </​script>​ </​script>​
 </​body>​ </​body>​
 +</​file>​
 +
 +
 +=== Nginx server ===
 +With Nginx, append those server context directives to force SSL connexion reset:
 +
 +<file nginx>
 +keepalive_timeout 0 0;
 +add_header '​Connection'​ '​close';​
 +ssl_session_timeout 1s;
 </​file>​ </​file>​
  
 <note warning>​It is incompatible with authentication combination because of Apache parameter "​SSLVerifyClient",​ which must have the value "​require"​. To enable SSL with [[authcombination|Combination]],​ use [[#​ssl_by_ajax|SSL by Ajax]]</​note>​ <note warning>​It is incompatible with authentication combination because of Apache parameter "​SSLVerifyClient",​ which must have the value "​require"​. To enable SSL with [[authcombination|Combination]],​ use [[#​ssl_by_ajax|SSL by Ajax]]</​note>​
  
-===== SSL by Ajax =====+===== Configuration (for Combination/​Choice) ​=====
  
 If you enable this feature, you must configure 2 portal virtual hosts: If you enable this feature, you must configure 2 portal virtual hosts:
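Review bot: "connexion" in the new Nginx sentence should be "connection", and the three directives in the new `<file nginx>` block are the same ones this revision also adds to the main Nginx configuration at Line 83, so a reader following both sections ends up with them twice; a pointer to the earlier block, or keeping them in one place, avoids the two copies drifting apart. The unchanged warning note in this hunk still blames only Apache's `SSLVerifyClient` for the incompatibility with combination; now that an Nginx variant is documented, it should name the Nginx client-verification directive as well. The heading rename at the end of the hunk is also what invalidates the `[[#ssl_by_ajax|SSL by Ajax]]` link kept in that same warning.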
Line 259: Line 276:
  
 then declare the second URL in SSL options in the Manager. That's all ! Then you can chain it in a [[authcombination|combination]]. then declare the second URL in SSL options in the Manager. That's all ! Then you can chain it in a [[authcombination|combination]].
- 
 <​note>​ <​note>​
 With [[authchoice|choice]],​ the second URL should be also declared in module URL parameter to redirect user to Portal menu. With [[authchoice|choice]],​ the second URL should be also declared in module URL parameter to redirect user to Portal menu.
Line 273: Line 289:
 </​file>​ </​file>​
  
-To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens be stored into Global Storage by editing ''​lemonldap-ng.ini''​ in section [portal]:+To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens ​to be stored into Global Storage by editing ''​lemonldap-ng.ini''​ in section [portal]:
  
 <file ini> <file ini>
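Review bot: the added "to" fixes the grammar; while here, "stored into Global Storage" reads better as "stored in the global storage", and "Upgrade tokens" needs no capital letter.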
Line 281: Line 297:
  
 </​note>​ </​note>​
- 
 <note important>​ <note important>​
 **Content Security Policy** may prevent to submit Ajax Request. **Content Security Policy** may prevent to submit Ajax Request.
Line 298: Line 313:
 **Script source** => '​self'​ "Ajax request URL" **Script source** => '​self'​ "Ajax request URL"
 </​note>​ </​note>​
 +
 +===== Extracting the username attribute =====
 +
 +The "​Extracted certificate field" must be set to the Apache/​Nginx environment variable containing the username attribute.
 +
 +See the [[https://​httpd.apache.org/​docs/​current/​en/​mod/​mod_ssl.html|mod_ssl documentation]] for a list of supported variables names.
 +
 +If your webserver configuration allows multiple CAs, you may configure a different environment variable for each CA.
 +
 +In the "​Conditional extracted certificate field",​ add a line for each CA.
 +
 +  * Unordered List Itemkey: the CA subject DN (will be printed in debug logs)
 +  * value: the variable containing the username when using certificates emitted by this CA
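Review bot: the first list item carries the DokuWiki toolbar placeholder text "Unordered List Item" glued onto "key:", so it should read `  * key: the CA subject DN (will be printed in debug logs)`. Also "supported variables names" should be "supported variable names", "certificates emitted by this CA" should be "issued by", and the only link is the Apache mod_ssl page although the sentence above says Apache/Nginx: Nginx exposes the certificate fields under its own `$ssl_client_*` variable names, so the Nginx case needs a link to the Nginx ssl module documentation.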