Differences

This shows you the differences between two versions of the page.

documentation:2.1:configvhost [2019/05/27 23:05]
cmaudoux [Options]
documentation:2.1:configvhost [2020/02/28 09:03] (current)
cmaudoux [POST data]
Line 81: Line 81:
 A little floating menu can be added to application with this simple Apache configuration:​ A little floating menu can be added to application with this simple Apache configuration:​
 <file apache> <file apache>
-PerlModule Lemonldap::​NG::​Handler::​Apache2::Menu+PerlModule Lemonldap::​NG::​Handler::​ApacheMP2::Menu
 PerlOutputFilterHandler Lemonldap::​NG::​Handler::​ApacheMP2::​Menu->​run PerlOutputFilterHandler Lemonldap::​NG::​Handler::​ApacheMP2::​Menu->​run
 </​file>​ </​file>​
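Review bot: the PerlModule line now names Lemonldap::NG::Handler::ApacheMP2::Menu, the same module that PerlOutputFilterHandler references on the next line; before this change the two lines pointed at different namespaces (Apache2 vs ApacheMP2), so the output filter was registered against a module the PerlModule directive never loaded. The fix is correct as written.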
Line 216: Line 216:
 ==== Reverse proxy ==== ==== Reverse proxy ====
  
-Example of a protected reverse-proxy:​+Example of a protected reverse-proxy:​
  
 <file nginx> <file nginx>
Line 263: Line 263:
 </​file>​ </​file>​
  
 +* Example of a Nginx Virtual Host using uWSGI with many URIs protected by different types of handler :
 +<file nginx>
 +# Log format
 +include /​path/​to/​lemonldap-ng/​nginx-lmlog.conf;​
 +server {
 +  listen 80;
 +  server_name myserver;
 +  root /​var/​www/​html;​
 +  ​
 + # Internal MAIN handler authentication request
 +  location = /lmauth {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +
 +  # Internal AUTH_BASIC handler authentication request
 +  location = /​lmauth-basic {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    uwsgi_param VHOSTTYPE AuthBasic;
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +
 +  # Internal SERVICE_TOKEN handler authentication request
 +  location = /​lmauth-service {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    uwsgi_param VHOSTTYPE ServiceToken;​
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +  ​
 +  # Client requests
 +  location / {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /lmauth;
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    error_page 401 $lmlocation;​
 +  ​
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +  ​
 +  location /AuthBasic/ {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /​lmauth-basic;​
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    #error_page 401 $lmlocation;​
 +
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +  ​
 +  location /​web-service/​ {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /​lmauth-service;​
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    error_page 401 $lmlocation;​
 +
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +}
 +</​file>​
 ===== LemonLDAP::​NG configuration ===== ===== LemonLDAP::​NG configuration =====
  
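Review bot: the comment "# Remove this for AuthBasic handler" above "error_page 401 $lmlocation;" in the /web-service/ location is copied from the "location /" block and is misleading there, since that location is protected by the ServiceToken handler (VHOSTTYPE ServiceToken), not AuthBasic; either drop the comment or replace it with one that explains what a 401 from the service-token check should do. Two smaller points: /web-service/ omits "auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;" which both other locations set, so say whether that is intentional, and the introductory line "* Example of a Nginx Virtual Host ..." is not indented, so DokuWiki will render a literal asterisk rather than a list item. Finally, the server only has "listen 80;" while the /AuthBasic/ location carries Login/Password credentials in the Authorization header; a sentence stating that this is a skeleton to be deployed behind a TLS listener would help readers who copy it as-is.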
Line 279: Line 390:
 See **[[writingrulesand_headers|Writing rules and headers]]** to learn how to configure access control and HTTP headers sent to application by LL::NG. See **[[writingrulesand_headers|Writing rules and headers]]** to learn how to configure access control and HTTP headers sent to application by LL::NG.
  
-==== POST data ==== 
- 
-See **[[formreplay|Form replay]]** to learn how to configure form replay to POST data on protected applications. 
 <note important>​With **Nginx**-based ReverseProxy,​ headers directives can be appended by a LUA script. <note important>​With **Nginx**-based ReverseProxy,​ headers directives can be appended by a LUA script.
- 
 To send more than **TEN** headers to protected applications,​ you have to edit and modify : To send more than **TEN** headers to protected applications,​ you have to edit and modify :
  
 ''/​etc/​nginx/​nginx-lua-headers.conf''​ ''/​etc/​nginx/​nginx-lua-headers.conf''​
 </​note>​ </​note>​
 +
 +<note warning>
 +* **Nginx** gets rid of any empty headers. There is no point of passing along empty values to another server; it would only serve to bloat the request. In other words, headers with **empty values are completely removed** from the passed request.
 +
 +* **Nginx**, by default, will consider any header that **contains underscores as invalid**. It will remove these from the proxied request. If you wish to have Nginx interpret these as valid, you can set the ''​underscores_in_headers''​ directive to “on”, otherwise your headers will never make it to the backend server.
 +</​note>​
 +
 +==== POST data ====
 +
 +See **[[formreplay|Form replay]]** to learn how to configure form replay to POST data on protected applications.
 ==== Options ==== ==== Options ====
  
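Review bot: the new warning note says headers containing underscores are dropped unless ''underscores_in_headers'' is set to on, but does not say where that directive goes; add that it belongs in the http or server block (it is not accepted inside a location), and prefer a plain quoted ''on'' over the curly-quoted “on” so the value is copy-pasteable. The first bullet is also worth tightening: since Nginx drops proxied headers whose value is empty, any LL::NG header that happens to be unset for a session will silently be absent from the request the application receives, so the note could state that applications must handle a missing header rather than assume every configured header always arrives.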
Line 295: Line 412:
   * Maintenance mode: reject all requests with a maintenance message   * Maintenance mode: reject all requests with a maintenance message
   * Aliases: list of aliases for this virtual host //(avoid to rewrite rules,​...)//​   * Aliases: list of aliases for this virtual host //(avoid to rewrite rules,​...)//​
-  * Type: handler type //(normal, [[documentation:​2.0:​devopshandler|DevOps Handler]],​...)//​ +  * Type: handler type //(normal, [[documentation:​2.0:​servertoserver|ServiceToken Handler]], [[documentation:​2.0:​devopshandler|DevOps Handler]],​...)//​ 
-  * Authentication level required: this options avoid to reject user with a rule based on ''​$_authenticationLevel''​. When user hasn't the required level, he is redirected to an upgrade page in the portal+  * Authentication level required: this option avoids ​to reject user with a rule based on ''​$_authenticationLevel''​. When user hasn'​t ​got the required level, he is redirected to an upgrade page in the portal. This level is applied to ALL VirtualHost locations.
   * ServiceToken timeout: The Service Token is only available during 30 seconds by default. This TTL can be customized for each virtual host.   * ServiceToken timeout: The Service Token is only available during 30 seconds by default. This TTL can be customized for each virtual host.
 +
 +<note warning>
 +A same virtual host can serve many locations. Each location can be protected by a different type of handler :
 +
 +  server test1.example.com 80
 +    location ^/​AuthBasic ​ => AuthBasic handler
 +    location ^/​AuthCookie => Main handler
 +  ​
 +Keep in mind that AuthBasic handler use "​Login/​Password"​ to authenticate users. If you set "​Authentication level required"​ option to "​5"​ by example, AuthBasic requests will be ALWAYS rejected because AuthBasic authentication level is lower than required level.
 +</​note>​
  
 <note important>​ <note important>​
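Review bot: the grammar in the new warning note needs fixing: "AuthBasic handler use" should be "the AuthBasic handler uses", "by example" should be "for example", and "will be ALWAYS rejected" should be "will always be rejected". Also, this page lives under documentation:2.1 but the newly added ServiceToken Handler link (and the pre-existing DevOps Handler one) point at documentation:2.0:servertoserver and documentation:2.0:devopshandler; they should point at the 2.1 namespace if those pages exist there. The substance of the note is sound and belongs right next to the new "This level is applied to ALL VirtualHost locations" sentence, since a per-vhost required level combined with an AuthBasic location is exactly the case where that rule bites.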