Differences

documentation:latest:configvhost [2019/10/15 21:57]
cmaudoux [Options]
documentation:latest:configvhost [2020/02/28 08:52] (current)
Line 216: Line 216:
 ==== Reverse proxy ==== ==== Reverse proxy ====
  
-Example of a protected reverse-proxy:​+Example of a protected reverse-proxy:​
  
 <file nginx> <file nginx>
Line 262: Line 262:
 } }
 </​file>​ </​file>​
 +
 +* Example of a Nginx Virtual Host using uWSGI with many URIs protected by different types of handler :
 +
 +<file nginx>
 +# Log format
 +include /​path/​to/​lemonldap-ng/​nginx-lmlog.conf;​
 +server {
 +  listen 80;
 +  server_name myserver;
 +  root /​var/​www/​html;​
 +  ​
 + # Internal MAIN handler authentication request
 +  location = /lmauth {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +
 +  # Internal AUTH_BASIC handler authentication request
 +  location = /​lmauth-basic {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    uwsgi_param VHOSTTYPE AuthBasic;
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +
 +  # Internal SERVICE_TOKEN handler authentication request
 +  location = /​lmauth-service {
 +    internal;
 +    # uWSGI Configuration
 +    include /​etc/​nginx/​uwsgi_params;​
 +    uwsgi_pass 127.0.0.1:​5000;​
 +    uwsgi_pass_request_body ​ off;
 +    uwsgi_param CONTENT_LENGTH "";​
 +    uwsgi_param HOST $http_host;
 +    uwsgi_param X_ORIGINAL_URI ​ $request_uri;​
 +    uwsgi_param VHOSTTYPE ServiceToken;​
 +    # Improve performances
 +    uwsgi_buffer_size 32k;
 +    uwsgi_buffers 32 32k;
 +  }
 +  ​
 +  # Client requests
 +  location / {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /lmauth;
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    error_page 401 $lmlocation;​
 +  ​
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +  ​
 +  location /AuthBasic/ {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /​lmauth-basic;​
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    #error_page 401 $lmlocation;​
 +
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +  ​
 +  location /​web-service/​ {
 +    ##################################​
 +    # CALLING AUTHENTICATION ​        #
 +    ##################################​
 +    auth_request /​lmauth-service;​
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    # Remove this for AuthBasic handler
 +    error_page 401 $lmlocation;​
 +
 +    ##################################​
 +    # PASSING HEADERS TO APPLICATION #
 +    ##################################​
 +    # IF LUA IS SUPPORTED
 +    include /​etc/​nginx/​nginx-lua-headers.conf;​
 +  }
 +}
 +</​file>​
 +
  
 ===== LemonLDAP::​NG configuration ===== ===== LemonLDAP::​NG configuration =====
Line 279: Line 393:
 See **[[writingrulesand_headers|Writing rules and headers]]** to learn how to configure access control and HTTP headers sent to application by LL::NG. See **[[writingrulesand_headers|Writing rules and headers]]** to learn how to configure access control and HTTP headers sent to application by LL::NG.
  
-<note important>​With **Nginx**-based ReverseProxy, ​headers ​directives can be appended by a LUA script.+<note important>​With **Nginx**-based ReverseProxy, ​header ​directives can be appended by a LUA script.
  
 To send more than **TEN** headers to protected applications,​ you have to edit and modify : To send more than **TEN** headers to protected applications,​ you have to edit and modify :
  
 ''/​etc/​nginx/​nginx-lua-headers.conf''​ ''/​etc/​nginx/​nginx-lua-headers.conf''​
 +</​note>​
 +
 +<note warning>
 +* **Nginx** gets rid of any empty headers. There is no point of passing along empty values to another server; it would only serve to bloat the request. In other words, headers with **empty values are completely removed** from the passed request.
 +
 +* **Nginx**, by default, will consider any header that **contains underscores as invalid**. It will remove these from the proxied request. If you wish to have Nginx interpret these as valid, you can set the ''​underscores_in_headers''​ directive to “on”, otherwise your headers will never make it to the backend server.
 </​note>​ </​note>​
 ==== POST data ==== ==== POST data ====
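Review bot: The added warning note tells readers to set `underscores_in_headers` to "on" but does not say why Nginx drops such headers by default. Hyphens and underscores both become underscores when header names are mapped to CGI-style variables, as happens for uWSGI or FastCGI backends. With the directive enabled, a client-supplied header whose name differs from an LL::NG-exported header only by underscore versus hyphen may be indistinguishable to the application, and which value wins depends on the backend. I would append to the note something like `Prefer hyphenated names for exported headers; enable ''underscores_in_headers'' only when the application cannot be changed, and make sure the backend is reachable only through this proxy.` Separately, the new example vhost uses `listen 80;` while serving `/AuthBasic/` and `/web-service/`, so Basic credentials and service tokens would travel unencrypted; a comment such as `# Use "listen 443 ssl;" with a certificate in production` above that line would help.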