Differences

This shows you the differences between two versions of the page.

documentation:2.1:configlocation [2019/09/01 12:31]
cmaudoux [Configuration reload]
documentation:2.1:configlocation [2019/11/08 21:56] (current)
cmaudoux [Configuration reload]
Line 82: Line 82:
 /​usr/​libexec/​lemonldap-ng/​bin/​lmConfigEditor /​usr/​libexec/​lemonldap-ng/​bin/​lmConfigEditor
 </​code>​ </​code>​
- 
  
 <note tip>This script must be run as root, it will then use the Apache user and group to access configuration.</​note>​ <note tip>This script must be run as root, it will then use the Apache user and group to access configuration.</​note>​
Line 171: Line 170:
   * **portal-apache2.conf**:​ Portal virtual host, with SOAP/REST end points   * **portal-apache2.conf**:​ Portal virtual host, with SOAP/REST end points
   * **manager-apache2.conf**:​ Manager virtual host   * **manager-apache2.conf**:​ Manager virtual host
-  * **handler-apache2.conf** : Handler declaration,​ reload ​and sample ​virtual hosts+  * **handler-apache2.conf** : Handler declaration,​ reload ​virtual hosts 
 +  * **test-apache2.conf** : Example protected ​virtual hosts
  
 See [[configapache|how to deploy them]]. See [[configapache|how to deploy them]].
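Review bot: the two edited list entries use a different label style from the lines above them (`**handler-apache2.conf** :` and `**test-apache2.conf** :` with a space before the colon, versus `**portal-apache2.conf**:`), and "Example protected virtual hosts" here becomes "Example protected application" in the Nginx file list further down; align both so the two lists read the same.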
Line 177: Line 177:
 ==== Portal ==== ==== Portal ====
  
-In Portal virtual host, you will find several ​configuration ​parts:+After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the **portal-apache2.conf** ​configuration ​file. 
  
-  * Standard virtual host directives, to serve portal pages: +By defaultaccess ​to those URLs is denied:
- +
-<file apache>​ +
-    ServerName auth.example.com +
- +
-    # DocumentRoot +
-    DocumentRoot /​usr/​local/​lemonldap-ng/​htdocs/​portal/​ +
-    <​Directory /​usr/​local/​lemonldap-ng/​htdocs/​portal/>​ +
-        Require all granted +
-        Options +ExecCGI +FollowSymLinks +
-    </​Directory>​ +
-    # For performances,​ you can put static html files: simply put the HTML +
-    # result (example: /​oauth2/​checksession.html) as static file. Then +
-    # uncomment the following line. +
-    # RewriteCond "​%{REQUEST_FILENAME}"​ "​!\.html$"​ +
-    RewriteCond "​%{REQUEST_FILENAME}"​ "​!^/​(?:​(?:​static|javascript|favicon).*|.*\.fcgi)$"​ +
-    RewriteRule "​^/​(.+)$"​ "/​index.fcgi/​$1"​ [PT] +
- +
-    # Note that Content-Security-Policy header ​is generated by portal itself +
-    <Files *.fcgi>​ +
-        SetHandler fcgid-script +
-        # For Authorization header to be passed, please uncomment one of the following:​ +
-        # for Apache >= 2.4.13 +
-        #​CGIPassAuth On +
-        # for Apache < 2.4.13 +
-        #​RewriteCond %{HTTP:​Authorization} ^(.*) +
-        #​RewriteRule .* - [e=HTTP_AUTHORIZATION:​%1] +
-        Options +ExecCGI +
-    </​Files>​ +
- +
-    # Static files +
-    Alias /static/ __PORTALSTATICDIR__/​ +
-    <​Directory __PORTALSTATICDIR__>​ +
-        Require all granted +
-        Options +FollowSymLinks +
-    </​Directory>​ +
-    <​Location /​static/>​ +
-        <​IfModule mod_expires.c>​ +
-            ExpiresActive On +
-            ExpiresDefault "​access plus 1 month"​ +
-        </​IfModule>​ +
-    </​Location>​ +
- +
-    <​IfModule mod_dir.c>​ +
-        DirectoryIndex index.fcgi index.html +
-    </​IfModule>​ +
-</​file>​ +
- +
-  * REST/SOAP end points (disabled by default):+
  
 <file apache> <file apache>
     # REST/SOAP functions for sessions management (disabled by default)     # REST/SOAP functions for sessions management (disabled by default)
     <​Location /​index.fcgi/​adminSessions>​     <​Location /​index.fcgi/​adminSessions>​
-        ​Require ​all denied+        ​Order deny,​allow 
 +        Deny from all
     </​Location>​     </​Location>​
 +</​file>​
  
-    # REST/SOAP functions for sessions access (disabled by default) +==== Allowing configuration reload ====
-    <​Location /​index.fcgi/​sessions>​ +
-        Require all denied +
-    </​Location>​+
  
-    # REST/SOAP functions for configuration ​access ​(disabled by default+In order to allow configuration ​reload from a different server ​(if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in  
-    <​Location /index.fcgi/​config>​ +**handler-apache2.conf**
-        Require all denied +
-    </​Location>​+
  
-    # REST/SOAP functions for notification insertion (disabled by default) +<file apache> 
-    <​Location /index.fcgi/​notification+    <​Location /reload> 
-        Require ​all denied+        #CHANGE THIS###### 
 +        Require ​ip 127 ::1  
 +        ###########​^^^^^^^ 
 +        SetHandler perl-script 
 +        PerlResponseHandler Lemonldap::​NG::​Handler::​ApacheMP2->​reload
     </​Location>​     </​Location>​
 </​file>​ </​file>​
  
-==== Manager ​====+==== Handler ​====
  
-Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI ​application+In order to protect your application ​VHosts with the LemonLDAP::NG handler, you need to add these directives:
-<file apache>​ +
-    # FASTCGI CONFIGURATION +
-    # --------------------- +
- +
-    # 1) URI management +
-    RewriteEngine on +
- +
-    RewriteRule "​^/​$"​ "/​psgi/​manager-server.fcgi"​ [PT] +
-    # For performances,​ you can delete ​the previous RewriteRule line after +
-    # puttings html filessimply put the HTML results of different modules +
-    # (configuration,​ sessions, notifications) as manager.html,​ sessions.html,​ +
-    # notifications.html and uncomment the 2 following lines: +
-    # DirectoryIndex manager.html +
-    # RewriteCond "​%{REQUEST_FILENAME}"​ "​!\.html$"​ +
- +
-    # REST URLs +
-    RewriteCond "​%{REQUEST_FILENAME}"​ "​!^/​(?:​static|doc|lib).*"​ +
-    RewriteRule "​^/​(.+)$"​ "/​psgi/​manager-server.fcgi/​$1"​ [PT] +
- +
-    Alias /psgi/ /​var/​lib/​lemonldap-ng/​manager/​psgi/​ +
- +
-    # 2) FastCGI engine +
- +
-    # You can choose any FastCGI system. Here is an example using mod_fcgid +
-    # mod_fcgid configuration +
-    <​Directory /​var/​lib/​lemonldap-ng/​manager/​psgi/>​ +
-        SetHandler fcgid-script +
-        Options +ExecCGI +
-    </​Directory>​ +
- +
-    # If you want to use mod_fastcgireplace lines below by: +
-    #​FastCgiServer /​var/​lib/​lemonldap-ng/​manager/​psgi/​manager-server.fcgi +
- +
-    # Or if you prefer ​to use CGI, use /​psgi/​manager-server.cgi instead of +
-    # /​psgi/​manager-server.fcgi and adapt the rewrite rules. +
-</​file>​ +
- +
-Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see ''​lemonldap-ng.ini''​). +
- +
-==== Handler ====+
  
   * Load Handler in Apache memory:   * Load Handler in Apache memory:
  
 +(in a global configuration file)
 <file apache> <file apache>
 PerlOptions +GlobalRequest PerlOptions +GlobalRequest
-PerlModule Lemonldap::​NG::​Handler::​Apache2+PerlModule Lemonldap::​NG::​Handler::​ApacheMP2
 </​file>​ </​file>​
  
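Review bot: `Order deny,allow` / `Deny from all` replaces `Require all denied` in the `/index.fcgi/adminSessions` block, which is Apache 2.2 access-control syntax (on 2.4 it only works with mod_access_compat loaded) and is inconsistent with the new `/reload` block a few lines below, which uses the 2.4 form `Require ip 127 ::1`; keep `Require all denied` unless 2.2 is a supported target, and if both syntaxes have to be shown, say so. The previous text also denied `/index.fcgi/sessions`, `/index.fcgi/config` and `/index.fcgi/notification`, while the new text shows only `adminSessions`; either list every endpoint that needs an access rule or state that the block must be repeated for each endpoint enabled in the Manager, otherwise an enabled config or notification endpoint may be left without any web-server rule. The `#CHANGE THIS######` marker should say what goes there (the address of the host running the Manager) and that the default only allows loopback. Removing the Manager section also drops the sentence that the configuration interface is not protected by Apache but by LemonLDAP::NG itself (see `lemonldap-ng.ini`); if that section moved to another page, that statement should move with it. Typos in the new prose: "some for of authentication" should be "some form of authentication", and "By defaultaccess" needs "By default, access".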
Line 312: Line 226:
 </​file>​ </​file>​
  
-  * Reload virtual host: 
- 
-<file apache> 
-<​VirtualHost *:80> 
-    ServerName reload.example.com 
- 
-    # Configuration reload mechanism (only 1 per physical server is 
-    # needed): choose your URL to avoid restarting Apache when 
-    # configuration change 
-    <​Location /reload> 
-        Order deny,allow 
-        Deny from all 
-        Allow from 127.0.0.0/8 
-        SetHandler perl-script 
-        PerlResponseHandler Lemonldap::​NG::​Handler::​Apache2->​reload 
-    </​Location>​ 
- 
-    # Uncomment this to activate status module 
-    #<​Location /status> 
-    #    Order deny,allow 
-    #    Deny from all 
-    #    Allow from 127.0.0.0/8 
-    #    SetHandler perl-script 
-    #    PerlResponseHandler Lemonldap::​NG::​Handler::​Apache2->​status 
-    #</​Location>​ 
- 
-</​VirtualHost>​ 
-</​file>​ 
  
 Then, to protect a standard virtual host, the only configuration line to add is: Then, to protect a standard virtual host, the only configuration line to add is:
  
 <file apache> <file apache>
-PerlHeaderParserHandler Lemonldap::​NG::​Handler::​Apache2+PerlHeaderParserHandler Lemonldap::​NG::​Handler::​ApacheMP2
 </​file>​ </​file>​
 +
 +See **test-apache2.conf** for a complete example of a protected application
  
 ===== Nginx ===== ===== Nginx =====
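Review bot: the removed reload virtual host also carried the optional status endpoint (`#<Location /status>` with `PerlResponseHandler Lemonldap::NG::Handler::Apache2->status`, restricted to `127.0.0.0/8`), and nothing in the new Apache sections says where it goes now; either add a commented `/status` block next to the new `/reload` location in handler-apache2.conf, with the same loopback-only restriction, or state that it is no longer documented here. The new sentence "See **test-apache2.conf** for a complete example of a protected application" is missing its full stop.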
Line 355: Line 243:
   * **manager-nginx.conf**:​ Manager virtual host   * **manager-nginx.conf**:​ Manager virtual host
   * **handler-nginx.conf** : Handler reload virtual hosts   * **handler-nginx.conf** : Handler reload virtual hosts
 +  * **test-nginx.conf** : Example protected application
  
 See [[confignginx|how to deploy them]]. See [[confignginx|how to deploy them]].
  
-<note warning>​[[fastcgiserver|LL::​NG FastCGI]] server must be loaded ​separately.</​note>​+<note warning>​[[fastcgiserver|LL::​NG FastCGI]] server must be enabled and started ​separately.</​note>​
  
 ==== Portal ==== ==== Portal ====
  
-In Portal virtual host, you will find several ​configuration ​parts:+After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the **portal-nginx.conf** ​configuration ​file. 
  
-  * Standard virtual host directives, to serve portal pages:+By defaultaccess ​to those URLs is denied:
  
 <file nginx> <file nginx>
-## Map directive must be in http context +    location ~ ^/​index.psgi/​adminSessions ​
-# Uncomment this if you use Auth SSL: +      ​fastcgi_pass llng_portal_upstream
-#map $ssl_client_s_dn ​ $ssl_client_s_dn_cn ​+      deny all
-#  default ​          ""​+    
-#  ~/​CN=(?<​CN>​[^/​]+) $CN+</​file>​
-#+
-#​fastcgi_param ​ SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn+
  
-server { +==== Allowing configuration reload ====
-  listen 80; +
-  server_name auth.example.com;​ +
-  root /​var/​lib/​lemonldap-ng/​portal/;​ +
-  if ($uri !~ ^/​((static|javascript|favicon).*|.*\.psgi)) { +
-    rewrite ^/(.*)$ /​index.psgi/​$1 break; +
-  }+
  
-  location ~ \.psgi(?:$|/{ +In order to allow configuration reload from a different server ​(if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in  
-    # Note that Content-Security-Policy header is generated by portal itself +**handler-nginx.conf**
-    include /etc/nginx/​fastcgi_params;​ +
-    fastcgi_pass unix:​__FASTCGISOCKDIR__/​llng-fastcgi.sock;​ +
-    fastcgi_param LLTYPE psgi; +
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;​ +
-    fastcgi_split_path_info ^(.*\.psgi)(/.*)$; +
-    fastcgi_param PATH_INFO ​ $fastcgi_path_info;​ +
-  } +
- +
-  index index.psgi;​ +
-  location / { +
-    try_files $uri $uri/ =404; +
- +
-    # Uncomment this if you use https only +
-    #add_header Strict-Transport-Security "​15768000";​ +
-  } +
- +
-  location /static/ { +
-    alias __PORTALSTATICDIR__;​ +
-  } +
-+
-</​file>​ +
- +
-  * REST/SOAP end points (inactivated by default):+
  
 <file nginx> <file nginx>
-  ​# REST/SOAP functions for sessions management (disabled by default) +  location ​/reload ​{ 
-  ​location /index.psgi/​adminSessions ​{+    
 +    ## CHANGE THIS # 
 +    allow 127.0.0.1;​ 
 +    ######​^^^^^^^^^#​ 
 +   
     deny all;     deny all;
-  } 
  
-  ​REST/SOAP functions for sessions access (disabled by default) +    ​FastCGI ​configuration
-  location /​index.psgi/​sessions { +
-    deny all; +
-  } +
- +
-  # REST/SOAP functions for configuration access (disabled by default) +
-  location /​index.psgi/​config { +
-    deny all; +
-  } +
- +
-  # REST/SOAP functions for notification insertion (disabled by default) +
-  location /​index.psgi/​notification { +
-    deny all; +
-  } +
-</​file>​ +
- +
-==== Manager ==== +
- +
-Manager virtual host is used to serve configuration ​interface and local documentation. +
- +
-<file nginx> +
-server { +
-  listen 80; +
-  server_name manager.example.com;​ +
-  root /​usr/​share/​lemonldap-ng/​manager/;​ +
- +
-  if ($uri !~ ^/​(static|doc|lib|javascript)) { +
-    rewrite ^/(.*)$ /​manager.psgi/​$1 break; +
-  } +
- +
-  location /​manager.psgi {+
     include /​etc/​nginx/​fastcgi_params;​     include /​etc/​nginx/​fastcgi_params;​
-    fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +    fastcgi_pass unix:__FASTCGISOCKDIR__/​llng-fastcgi.sock;​ 
-    fastcgi_param LLTYPE ​manager; +    fastcgi_param LLTYPE ​reload;
-    fastcgi_param SCRIPT_NAME /​manager.psgi;​ +
-  } +
- +
-  location / { +
-    index manager.psgi;​ +
-    try_files $uri $uri/ =404;+
   }   }
-} 
 </​file>​ </​file>​
  
-By default, configuration interface access is not protected by Nginx but by LemonLDAP::​NG itself (see ''​lemonldap-ng.ini''​). 
  
 ==== Handler ==== ==== Handler ====
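Review bot: as rendered, the new `location ~ ^/index.psgi/adminSessions` block has no opening `{`, no `;` after `fastcgi_pass llng_portal_upstream` and `deny all`, and no closing `}`, which nginx will reject at config test; compare the `/reload` block below, which has all three. `llng_portal_upstream` is also not defined anywhere in the shown text, so either show the `upstream` block it refers to (it has to sit in the http context) or point at the socket as the `/reload` block does with `fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;`. As in the Apache section, only `adminSessions` is shown where the previous text also denied `/index.psgi/sessions`, `/index.psgi/config` and `/index.psgi/notification`, and the same "some for of" / "By defaultaccess" typos appear in the new prose here.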
Line 474: Line 297:
 </​file>​ </​file>​
  
-  * Reload virtual host: +To protect a standard virtual host, you must insert this (or create an included file):
- +
-<file nginx> +
-server {                                                                +
-  listen 80;                                                         +
-  server_name reload.example.com; ​                                      +
-  root /​var/​www/​html;​ +
-   +
-  location = /reload {                                                  +
-    allow 127.0.0.1;  +
-    deny all; +
-    include /​etc/​nginx/​fastcgi_params;​ +
-    fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +
-    fastcgi_param LLTYPE reload; +
-  }  +
- +
-  # Other requests ​                                                    +
-  location / {                                                          +
-    deny all; +
-  }  +
-     +
-  # Uncomment this if status is enabled ​                                +
-  #location = /status {                                               +
-  #  allow 127.0.0.1;​ +
-  #  deny all; +
-  #  include /​etc/​nginx/​fastcgi_params; ​                                +
-  #  fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​ +
-  #  fastcgi_param LLTYPE status; +
-  #} +
-+
-</​file>​ +
- +
-Then, to protect a standard virtual host, you must insert this (or create an included file):+
  
 <file nginx> <file nginx>
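Review bot: the removed Nginx reload server also had `location / { deny all; }` for every other path and the commented `/status` location (`fastcgi_param LLTYPE status;` behind `allow 127.0.0.1;` / `deny all;`); the `/reload` location that now goes into handler-nginx.conf shows neither, so say whether the server it is added to still denies other paths and where the status location goes, keeping it loopback-only as before.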
Line 566: Line 357:
 You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds. You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
  
-<note important>​Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable "Don 't compact configuration file" option.</​note>​+<note important>​Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable "​Don'​t compact configuration file" option.</​note>​
  
 These parameters can be overwritten in LemonLDAP::​NG ini file, in the section ''​apply''​. These parameters can be overwritten in LemonLDAP::​NG ini file, in the section ''​apply''​.
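Review bot: the quoting fix is fine, but the unchanged context line above still reads "it is be default set to 5 seconds" (should be "by default"), and the note itself says "all relative parameters" where "all related parameters" is meant; both are worth fixing in the same edit.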