Differences

documentation:2.1:configlocation [2019/09/01 12:31]
cmaudoux [Configuration reload]
documentation:2.1:configlocation [2020/05/05 12:40] (current)
coudot
Line 68: Line 68:
  
 <note warning>​LemonLDAP::​NG will do some checks on configuration and display errors and warnings if any. Configuration **is not saved** if errors occur.</​note>​ <note warning>​LemonLDAP::​NG will do some checks on configuration and display errors and warnings if any. Configuration **is not saved** if errors occur.</​note>​
 +
 +<note tip>
 +  * [[viewer|Configuration viewer]] allow some users to edit WebSSO configuration in Read Only mode.
 +
 +  * You can set and display instance name in Manager menu by editing ''​lemonldap-ng.ini''​ in [manager] section:
 +
 +<file ini>
 +[manager]
 +instanceName = LLNG_Demo
 +</​file>​
 +</​note>​
 +
 +===== Manager API =====
 +
 +Manager API is available for:
 +  * Second factors management for users
 +  * OpenID Connect RP management
 +  * SAML SP management
 +
 +See [[https://​lemonldap-ng.org/​manager-api/​2.0/​|Manager API documentation]].
 +
 +<note important>​To access Manager API, enable the ''​manager-api''​ virtual host and change the access rule. You can protect the API through Basic authentication,​ IP white list or any other condition.</​note>​
  
 ===== Configuration text editor ===== ===== Configuration text editor =====
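Review bot: the added "important" note tells the reader to "change the access rule" of the manager-api virtual host but never says what the shipped rule is, so it is unclear whether the API is denied until the administrator acts; state the default rule and say explicitly that one of the listed protections (Basic authentication, IP white list or another condition) must be in place before the virtual host is enabled. Minor wording in the tip: "[[viewer|Configuration viewer]] allow some users" should read "allows some users", and "Read Only mode" is normally written "read-only mode".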
Line 82: Line 104:
 /​usr/​libexec/​lemonldap-ng/​bin/​lmConfigEditor /​usr/​libexec/​lemonldap-ng/​bin/​lmConfigEditor
 </​code>​ </​code>​
- 
  
 <note tip>This script must be run as root, it will then use the Apache user and group to access configuration.</​note>​ <note tip>This script must be run as root, it will then use the Apache user and group to access configuration.</​note>​
Line 171: Line 192:
   * **portal-apache2.conf**:​ Portal virtual host, with SOAP/REST end points   * **portal-apache2.conf**:​ Portal virtual host, with SOAP/REST end points
   * **manager-apache2.conf**:​ Manager virtual host   * **manager-apache2.conf**:​ Manager virtual host
-  * **handler-apache2.conf** : Handler declaration,​ reload ​and sample ​virtual hosts+  * **handler-apache2.conf** : Handler declaration,​ reload ​virtual hosts 
 +  * **test-apache2.conf** : Example protected ​virtual hosts
  
 See [[configapache|how to deploy them]]. See [[configapache|how to deploy them]].
Line 177: Line 199:
 ==== Portal ==== ==== Portal ====
  
-In Portal virtual host, you will find several ​configuration ​parts:+After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the **portal-apache2.conf** ​configuration ​file. 
  
-  * Standard virtual host directives, to serve portal pages: +By defaultaccess ​to those URLs is denied:
- +
-<file apache>​ +
-    ServerName auth.example.com +
- +
-    # DocumentRoot +
-    DocumentRoot /​usr/​local/​lemonldap-ng/​htdocs/​portal/​ +
-    <​Directory /​usr/​local/​lemonldap-ng/​htdocs/​portal/>​ +
-        Require all granted +
-        Options +ExecCGI +FollowSymLinks +
-    </​Directory>​ +
-    # For performances,​ you can put static html files: simply put the HTML +
-    # result (example: /​oauth2/​checksession.html) as static file. Then +
-    # uncomment the following line. +
-    # RewriteCond "​%{REQUEST_FILENAME}"​ "​!\.html$"​ +
-    RewriteCond "​%{REQUEST_FILENAME}"​ "​!^/​(?:​(?:​static|javascript|favicon).*|.*\.fcgi)$"​ +
-    RewriteRule "​^/​(.+)$"​ "/​index.fcgi/​$1"​ [PT] +
- +
-    # Note that Content-Security-Policy header ​is generated by portal itself +
-    <Files *.fcgi>​ +
-        SetHandler fcgid-script +
-        # For Authorization header to be passed, please uncomment one of the following:​ +
-        # for Apache >= 2.4.13 +
-        #​CGIPassAuth On +
-        # for Apache < 2.4.13 +
-        #​RewriteCond %{HTTP:​Authorization} ^(.*) +
-        #​RewriteRule .* - [e=HTTP_AUTHORIZATION:​%1] +
-        Options +ExecCGI +
-    </​Files>​ +
- +
-    # Static files +
-    Alias /static/ __PORTALSTATICDIR__/​ +
-    <​Directory __PORTALSTATICDIR__>​ +
-        Require all granted +
-        Options +FollowSymLinks +
-    </​Directory>​ +
-    <​Location /​static/>​ +
-        <​IfModule mod_expires.c>​ +
-            ExpiresActive On +
-            ExpiresDefault "​access plus 1 month"​ +
-        </​IfModule>​ +
-    </​Location>​ +
- +
-    <​IfModule mod_dir.c>​ +
-        DirectoryIndex index.fcgi index.html +
-    </​IfModule>​ +
-</​file>​ +
- +
-  * REST/SOAP end points (disabled by default):+
  
 <file apache> <file apache>
     # REST/SOAP functions for sessions management (disabled by default)     # REST/SOAP functions for sessions management (disabled by default)
     <​Location /​index.fcgi/​adminSessions>​     <​Location /​index.fcgi/​adminSessions>​
-        ​Require ​all denied+        ​Order deny,​allow 
 +        Deny from all
     </​Location>​     </​Location>​
 +</​file>​
  
-    # REST/SOAP functions for sessions access (disabled by default) +==== Allowing configuration reload ====
-    <​Location /​index.fcgi/​sessions>​ +
-        Require all denied +
-    </​Location>​+
  
-    # REST/SOAP functions for configuration ​access ​(disabled by default+In order to allow configuration ​reload from a different server ​(if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in  
-    <​Location /index.fcgi/​config>​ +**handler-apache2.conf**
-        Require all denied +
-    </​Location>​+
  
-    # REST/SOAP functions for notification insertion (disabled by default) +<file apache> 
-    <​Location /index.fcgi/​notification+    <​Location /reload> 
-        Require ​all denied+        #CHANGE THIS###### 
 +        Require ​ip 127 ::1  
 +        ###########​^^^^^^^ 
 +        SetHandler perl-script 
 +        PerlResponseHandler Lemonldap::​NG::​Handler::​ApacheMP2->​reload
     </​Location>​     </​Location>​
 </​file>​ </​file>​
  
-==== Manager ​====+==== Handler ​====
  
-Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI ​application+In order to protect your application ​VHosts with the LemonLDAP::NG handler, you need to add these directives:
-<file apache>​ +
-    # FASTCGI CONFIGURATION +
-    # --------------------- +
- +
-    # 1) URI management +
-    RewriteEngine on +
- +
-    RewriteRule "​^/​$"​ "/​psgi/​manager-server.fcgi"​ [PT] +
-    # For performances,​ you can delete ​the previous RewriteRule line after +
-    # puttings html filessimply put the HTML results of different modules +
-    # (configuration,​ sessions, notifications) as manager.html,​ sessions.html,​ +
-    # notifications.html and uncomment the 2 following lines: +
-    # DirectoryIndex manager.html +
-    # RewriteCond "​%{REQUEST_FILENAME}"​ "​!\.html$"​ +
- +
-    # REST URLs +
-    RewriteCond "​%{REQUEST_FILENAME}"​ "​!^/​(?:​static|doc|lib).*"​ +
-    RewriteRule "​^/​(.+)$"​ "/​psgi/​manager-server.fcgi/​$1"​ [PT] +
- +
-    Alias /psgi/ /​var/​lib/​lemonldap-ng/​manager/​psgi/​ +
- +
-    # 2) FastCGI engine +
- +
-    # You can choose any FastCGI system. Here is an example using mod_fcgid +
-    # mod_fcgid configuration +
-    <​Directory /​var/​lib/​lemonldap-ng/​manager/​psgi/>​ +
-        SetHandler fcgid-script +
-        Options +ExecCGI +
-    </​Directory>​ +
- +
-    # If you want to use mod_fastcgireplace lines below by: +
-    #​FastCgiServer /​var/​lib/​lemonldap-ng/​manager/​psgi/​manager-server.fcgi +
- +
-    # Or if you prefer ​to use CGI, use /​psgi/​manager-server.cgi instead of +
-    # /​psgi/​manager-server.fcgi and adapt the rewrite rules. +
-</​file>​ +
- +
-Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see ''​lemonldap-ng.ini''​). +
- +
-==== Handler ====+
  
   * Load Handler in Apache memory:   * Load Handler in Apache memory:
  
 +(in a global configuration file)
 <file apache> <file apache>
 PerlOptions +GlobalRequest PerlOptions +GlobalRequest
-PerlModule Lemonldap::​NG::​Handler::​Apache2+PerlModule Lemonldap::​NG::​Handler::​ApacheMP2
 </​file>​ </​file>​
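Review bot: the /index.fcgi/adminSessions block replaces the Apache 2.4 directive `Require all denied` with the 2.2-style pair `Order deny,allow` / `Deny from all`, while the new /reload block in the same hunk uses `Require ip 127 ::1`; mixing the two access-control styles in one file is error-prone, so keep `Require all denied` here (or state which Apache version the example targets). The removed blocks for /index.fcgi/sessions, /index.fcgi/config and /index.fcgi/notification have no counterpart in the added text, so the reader no longer sees that those endpoints are denied by default as well. Also "some for of authentication" should read "some form of authentication", and the rendered line "By defaultaccess to those URLs is denied" needs "By default, access to".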
  
Line 312: Line 248:
 </​file>​ </​file>​
  
-  * Reload virtual host: 
- 
-<file apache> 
-<​VirtualHost *:80> 
-    ServerName reload.example.com 
- 
-    # Configuration reload mechanism (only 1 per physical server is 
-    # needed): choose your URL to avoid restarting Apache when 
-    # configuration change 
-    <​Location /reload> 
-        Order deny,allow 
-        Deny from all 
-        Allow from 127.0.0.0/8 
-        SetHandler perl-script 
-        PerlResponseHandler Lemonldap::​NG::​Handler::​Apache2->​reload 
-    </​Location>​ 
- 
-    # Uncomment this to activate status module 
-    #<​Location /status> 
-    #    Order deny,allow 
-    #    Deny from all 
-    #    Allow from 127.0.0.0/8 
-    #    SetHandler perl-script 
-    #    PerlResponseHandler Lemonldap::​NG::​Handler::​Apache2->​status 
-    #</​Location>​ 
- 
-</​VirtualHost>​ 
-</​file>​ 
  
 Then, to protect a standard virtual host, the only configuration line to add is: Then, to protect a standard virtual host, the only configuration line to add is:
  
 <file apache> <file apache>
-PerlHeaderParserHandler Lemonldap::​NG::​Handler::​Apache2+PerlHeaderParserHandler Lemonldap::​NG::​Handler::​ApacheMP2
 </​file>​ </​file>​
 +
 +See **test-apache2.conf** for a complete example of a protected application
  
 ===== Nginx ===== ===== Nginx =====
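Review bot: the deleted reload virtual host also carried the commented-out /status location (`PerlResponseHandler Lemonldap::NG::Handler::Apache2->status`), and nothing in the added text replaces it, so the status module example disappears from the page together with the reload example; either keep a status snippet in the new "Allowing configuration reload" section or point to where it now lives. The rename from `Lemonldap::NG::Handler::Apache2` to `Lemonldap::NG::Handler::ApacheMP2` is applied consistently in the three places it appears. The closing sentence "See **test-apache2.conf** for a complete example of a protected application" is missing its full stop.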
Line 355: Line 265:
   * **manager-nginx.conf**:​ Manager virtual host   * **manager-nginx.conf**:​ Manager virtual host
   * **handler-nginx.conf** : Handler reload virtual hosts   * **handler-nginx.conf** : Handler reload virtual hosts
 +  * **test-nginx.conf** : Example protected application
  
 See [[confignginx|how to deploy them]]. See [[confignginx|how to deploy them]].
  
-<note warning>​[[fastcgiserver|LL::​NG FastCGI]] server must be loaded ​separately.</​note>​+<note warning>​[[fastcgiserver|LL::​NG FastCGI]] server must be enabled and started ​separately.</​note>​
  
 ==== Portal ==== ==== Portal ====
  
-In Portal virtual host, you will find several ​configuration ​parts:+After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the **portal-nginx.conf** ​configuration ​file. 
  
-  * Standard virtual host directives, to serve portal pages:+By defaultaccess ​to those URLs is denied:
  
 <file nginx> <file nginx>
-## Map directive must be in http context +    location ~ ^/​index.psgi/​adminSessions ​
-# Uncomment this if you use Auth SSL: +      ​fastcgi_pass llng_portal_upstream
-#map $ssl_client_s_dn ​ $ssl_client_s_dn_cn ​+      deny all
-#  default ​          ""​+    
-#  ~/​CN=(?<​CN>​[^/​]+) $CN+</​file>​
-#+
-#​fastcgi_param ​ SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn+
  
-server { +==== Allowing configuration reload ====
-  listen 80; +
-  server_name auth.example.com;​ +
-  root /​var/​lib/​lemonldap-ng/​portal/;​ +
-  if ($uri !~ ^/​((static|javascript|favicon).*|.*\.psgi)) { +
-    rewrite ^/(.*)$ /​index.psgi/​$1 break; +
-  }+
  
-  location ~ \.psgi(?:$|/{ +In order to allow configuration reload from a different server ​(if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in  
-    # Note that Content-Security-Policy header is generated by portal itself +**handler-nginx.conf**
-    include /etc/nginx/​fastcgi_params;​ +
-    fastcgi_pass unix:​__FASTCGISOCKDIR__/​llng-fastcgi.sock;​ +
-    fastcgi_param LLTYPE psgi; +
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;​ +
-    fastcgi_split_path_info ^(.*\.psgi)(/.*)$; +
-    fastcgi_param PATH_INFO ​ $fastcgi_path_info;​ +
-  } +
- +
-  index index.psgi;​ +
-  location / { +
-    try_files $uri $uri/ =404; +
- +
-    # Uncomment this if you use https only +
-    #add_header Strict-Transport-Security "​15768000";​ +
-  } +
- +
-  location /static/ { +
-    alias __PORTALSTATICDIR__;​ +
-  } +
-+
-</​file>​ +
- +
-  * REST/SOAP end points (inactivated by default):+
  
 <file nginx> <file nginx>
-  ​# REST/SOAP functions for sessions management (disabled by default) +  location ​/reload ​{ 
-  ​location /index.psgi/​adminSessions ​{+    
 +    ## CHANGE THIS # 
 +    allow 127.0.0.1;​ 
 +    ######​^^^^^^^^^#​ 
 +   
     deny all;     deny all;
-  } 
  
-  ​REST/SOAP functions for sessions access (disabled by default) +    ​FastCGI ​configuration
-  location /​index.psgi/​sessions { +
-    deny all; +
-  } +
- +
-  # REST/SOAP functions for configuration access (disabled by default) +
-  location /​index.psgi/​config { +
-    deny all; +
-  } +
- +
-  # REST/SOAP functions for notification insertion (disabled by default) +
-  location /​index.psgi/​notification { +
-    deny all; +
-  } +
-</​file>​ +
- +
-==== Manager ==== +
- +
-Manager virtual host is used to serve configuration ​interface and local documentation. +
- +
-<file nginx> +
-server { +
-  listen 80; +
-  server_name manager.example.com;​ +
-  root /​usr/​share/​lemonldap-ng/​manager/;​ +
- +
-  if ($uri !~ ^/​(static|doc|lib|javascript)) { +
-    rewrite ^/(.*)$ /​manager.psgi/​$1 break; +
-  } +
- +
-  location /​manager.psgi {+
     include /​etc/​nginx/​fastcgi_params;​     include /​etc/​nginx/​fastcgi_params;​
-    fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +    fastcgi_pass unix:__FASTCGISOCKDIR__/​llng-fastcgi.sock;​ 
-    fastcgi_param LLTYPE ​manager; +    fastcgi_param LLTYPE ​reload;
-    fastcgi_param SCRIPT_NAME /​manager.psgi;​ +
-  } +
- +
-  location / { +
-    index manager.psgi;​ +
-    try_files $uri $uri/ =404;+
   }   }
-} 
 </​file>​ </​file>​
  
-By default, configuration interface access is not protected by Nginx but by LemonLDAP::​NG itself (see ''​lemonldap-ng.ini''​). 
  
 ==== Handler ==== ==== Handler ====
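Review bot: the added nginx block for /index.psgi/adminSessions looks incomplete as rendered: the `location ~ ^/index.psgi/adminSessions` line has no opening brace, and `fastcgi_pass llng_portal_upstream` and `deny all` have no terminating semicolons, so nginx would reject the configuration if copied as shown; `llng_portal_upstream` is also referenced but never defined in the visible text, whereas the deleted block passed to `unix:__FASTCGISOCKDIR__/llng-fastcgi.sock` directly. The same typos as in the Apache section recur ("some for of authentication", "By defaultaccess"). In the /reload block, `allow 127.0.0.1;` covers only IPv4 loopback while the Apache counterpart allows `127` and `::1`; add `allow ::1;` for consistency if the reload request may arrive over IPv6.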
Line 474: Line 319:
 </​file>​ </​file>​
  
-  * Reload virtual host: +To protect a standard virtual host, you must insert this (or create an included file):
- +
-<file nginx> +
-server {                                                                +
-  listen 80;                                                         +
-  server_name reload.example.com; ​                                      +
-  root /​var/​www/​html;​ +
-   +
-  location = /reload {                                                  +
-    allow 127.0.0.1;  +
-    deny all; +
-    include /​etc/​nginx/​fastcgi_params;​ +
-    fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +
-    fastcgi_param LLTYPE reload; +
-  }  +
- +
-  # Other requests ​                                                    +
-  location / {                                                          +
-    deny all; +
-  }  +
-     +
-  # Uncomment this if status is enabled ​                                +
-  #location = /status {                                               +
-  #  allow 127.0.0.1;​ +
-  #  deny all; +
-  #  include /​etc/​nginx/​fastcgi_params; ​                                +
-  #  fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +
-  #  fastcgi_param LLTYPE status; +
-  #} +
-+
-</​file>​ +
- +
-Then, to protect a standard virtual host, you must insert this (or create an included file):+
  
 <file nginx> <file nginx>
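Review bot: the deleted nginx reload server block contained a catch-all `location / { deny all; }` and a commented /status example (`fastcgi_param LLTYPE status;`); the replacement "Allowing configuration reload" section shows only the /reload location, so neither the catch-all deny nor the status example survives. Confirm the drop is intended, and if status is still supported, keep a short example.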
Line 566: Line 379:
 You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds. You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
  
-<note important>​Configuration ​file is compacted ​to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused ​parameters to be purged, you can enable "Don 't compact configuration file" ​option.</​note>​+<note important>​If "​Compact configuration ​file" option ​is enabled, all useless parameters are removed ​to limit file size. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid useless ​parameters to be purged, you can disable this option.</​note>​
  
 These parameters can be overwritten in LemonLDAP::​NG ini file, in the section ''​apply''​. These parameters can be overwritten in LemonLDAP::​NG ini file, in the section ''​apply''​.
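Review bot: in the rewritten note, "all useless parameters are removed" and "To avoid useless parameters to be purged" read better as "unused parameters are removed" and "To keep unused parameters from being purged"; "all relative parameters will be erased" should be "all related parameters". The unchanged context line "it is be default set to 5 seconds" has a typo: "by default".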