Differences

Previous revision: documentation:latest:writingrulesand_headers [2016/03/09 20:52] by xguimard (edit summary: Headers)
Current revision: documentation:latest:writingrulesand_headers [2019/11/06 10:11] by cmaudoux (edit summary: Rules based on authentication level)
Line 3: Line 3:
 Lemonldap::​NG manage applications by their hostname (Apache'​s virtualHosts). Rules are used to protect applications,​ headers are HTTP headers added to the request to give datas to the application (for logs, profiles,​...). Lemonldap::​NG manage applications by their hostname (Apache'​s virtualHosts). Rules are used to protect applications,​ headers are HTTP headers added to the request to give datas to the application (for logs, profiles,​...).
  
-<note important>​Note that variables designed by $xx correspond to the name of the [[exportedvars|exported variables]] or [[performances#​macros_and_groups|macro names]].</​note>​+<note important>​Note that variables designed by $xx correspond to the name of the [[exportedvars|exported variables]] or [[performances#​macros_and_groups|macro names]] ​except for ''​$ENV{<​cgi-header>​}''​ which correspond to CGI header //​(''​$ENV{REMOTE_ADDR}''​ for example)//.</​note>​ 
 + 
 +===== Available $ENV{} variables ===== 
 + 
 +The %ENV table provides: 
 +  * all headers in CGI format //​(''​User-Agent''​ becomes ''​HTTP_USER_AGENT''​)//​ 
 +  * some CGI variables depending on the context: 
 +    * For portal: all CGI standard variables //(you can add custom headers using ''​fastcgi_param''​ with Nginx)//, 
 +    * For Apache handler: REMOTE_ADDR,​ QUERY_STRING,​ REQUEST_URI,​ SERVER_PORT,​ REQUEST_METHOD,​ 
 +    * For Nginx handler: all variables given by ''​fastcgi_param''​ commands. 
 +  * For portal: 
 +    * $ENV{urldc} : Origin URL before Handler redirection,​ in cleartext 
 +    * $ENV{_url} : Origin URL before Handler redirection,​ base64 encoded 
 + 
 +See also [[extendedfunctions|extended functions]]. 
 ===== Rules ===== ===== Rules =====
  
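Review bot: The new %ENV list should say which entries the client controls. "All headers in CGI format" means every request header, so a rule or header built on $ENV{HTTP_...} (HTTP_USER_AGENT in the example) tests a value the user agent sent, whereas REMOTE_ADDR comes from the connection the web server accepted; one sentence under "The %ENV table provides:" stating that HTTP_* entries are client-supplied and should not be the sole basis of an access rule would prevent a common misconfiguration. Minor wording in the same hunk: "variables designed by $xx" should read "variables designated by $xx", "correspond to CGI header" should be "correspond to CGI headers", and the Apache handler entry ends with a stray comma after REQUEST_METHOD.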
Line 31: Line 46:
 ^  Goal  ^  Regular expression ​ ^  Rule  ^ ^  Goal  ^  Regular expression ​ ^  Rule  ^
 | Logout user from Lemonldap::​NG and redirect it to <​nowiki>​http://​intranet/</​nowiki> ​ |  <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_sso&​nbsp;​http://​intranet/</​html> ​ | | Logout user from Lemonldap::​NG and redirect it to <​nowiki>​http://​intranet/</​nowiki> ​ |  <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_sso&​nbsp;​http://​intranet/</​html> ​ |
-| Logout user from current application and redirect it to the menu  |  <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_app&​nbsp;​https://​auth.example.com/</​html> ​ | +| Logout user from current application and redirect it to the menu **//(Apache only)//​** ​ ​| ​ <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_app&​nbsp;​https://​auth.example.com/</​html> ​ | 
-| Logout user from current application and from Lemonldap::​NG and redirect it to <​nowiki>​http://​intranet/</​nowiki> ​ |  <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_app_sso&​nbsp;​http://​intranet/</​html> ​ |+| Logout user from current application and from Lemonldap::​NG and redirect it to <​nowiki>​http://​intranet/</​nowiki> ​**//(Apache only)//​** ​|  <​nowiki>​^/​index.php\?​logout</​nowiki> ​ |  <​html>​logout_app_sso&​nbsp;​http://​intranet/</​html> ​ |
  
-<​note ​tip>By default, user will be redirected on portal if no URL defined, or on the specified URL if any.</​note>​+<​note ​warning>''​logout_app''​ and ''​logout_app_sso''​ rules are not available on Nginx, only on Apache.</​note>​ 
 + 
 +By default, user will be redirected on portal if no URL defined, or on the specified URL if any.
  
 <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​ <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​
 +
 +==== Rules based on authentication level ====
 +
 +LLNG set an "​authentication level" during authentication process. This level depends on authentication backend used by this user. Default values are:
 +  * 0 for [[authnull|Null]]
 +  * 1 for [[authcas|CAS]],​ [[authopenid|old OpenID-2]], [[authfacebook|Facebook]],​…
 +  * 2 for web-form based authentication //​([[authldap|LDAP]],​ [[authdbi|DBI]],​…)//​
 +  * 3 for [[authyubikey|Yubikey]]
 +  * 4 for [[authapache|Kerberos]]
 +  * 5 for [[authssl|SSL]]
 +
 +There are three ways to impose users a higher authentication level:
 +  * writing a rule based on authentication level: ''​$authenticationLevel > 3''​
 +  * since 2.0, set a minimum level in virtual host options (default value for ALL access rules)
 +  * since 2.0.7, a minimum authentication level can be set for each URI access rule. Useful if URI are protected by different types of handler (AuthBasic -> level 2, Main -> level set by authentication backend).
 +
 +<note tip>​Instead of returning a 403 code, "​minimum level" returns user to a form that explain that a higher level is required and propose to reauthenticate himself.</​note>​
  
 ===== Headers ===== ===== Headers =====
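Review bot: The "Rules based on authentication level" section leaves the reader to infer what happens when a plain rule such as "$authenticationLevel > 3" fails; the tip only says that "minimum level" avoids a 403 and shows a re-authentication form, so a sentence after the three bullets stating the contrast directly (rule form denies with 403, the two minimum-level settings re-prompt) would close the gap. Grammar in the added text: "LLNG set an" should be "LLNG sets an", "impose users a higher authentication level" should be "impose a higher authentication level on users", and "a form that explain ... and propose to reauthenticate himself" should be "a form that explains ... and proposes that the user re-authenticate". The "(Apache only)" markers added to the logout table and the new warning note below it state the same restriction, which is fine but worth keeping consistent if either is edited later.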
Line 48: Line 82:
 | Give a static value  |  Some-Thing ​ |  "​static-value" ​ | | Give a static value  |  Some-Thing ​ |  "​static-value" ​ |
 | Give display name  |  Display-Name ​ |  $givenName."​ "​.$surName ​ | | Give display name  |  Display-Name ​ |  $givenName."​ "​.$surName ​ |
-| Give a non ascii data  |  Display-Name ​ |  <​html>​encode_base64($givenName."&​nbsp;"​.$surName, ​''​)</​html> ​ |+| Give a non ascii data  |  Display-Name ​ |  <​html>​encode_base64($givenName."&​nbsp;"​.$surName,​""​)</​html> ​ |
  
 As described in [[performances#​handler_performance|performances chapter]], you can use macros, local macros,... As described in [[performances#​handler_performance|performances chapter]], you can use macros, local macros,...
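Review bot: The corrected row now passes "" as the second argument, which matches the note that follows, but the row should also say that the receiving application has to base64-decode the Display-Name value itself and that encode_base64 is a transport encoding only, giving no confidentiality or integrity to the header. Minor: the label "Give a non ascii data" should read "Give non-ASCII data", and this row reuses the Display-Name header name from the row above, so the two examples cannot both be configured as written; a distinct header name would avoid that confusion.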
Line 54: Line 88:
 <note important>​ <note important>​
   * Since many HTTP servers refuse non ascii headers, it is recommended to use encode_base64() function to transmit those headers   * Since many HTTP servers refuse non ascii headers, it is recommended to use encode_base64() function to transmit those headers
-  * Don't forget to add an empty string as second argument ​of encode_base64 to avoid insert of "​newline"​ characters in result+  * Don't forget to add an empty string as second argument ​to encode_base64 ​function ​to avoid "​newline"​ characters ​insertion ​in result
   * Header names must contain only letters and "​-"​ character   * Header names must contain only letters and "​-"​ character
 </​note>​ </​note>​
  
-<note tip>By default, SSO cookie is hidden, so protected applications cannot ​get SSO session key. But you can forward this key if it is really ​needed:+<note tip>By default, SSO cookie is hidden. So protected applications cannot ​retrieve ​SSO session key. But you can forward this key if absolutely ​needed:
 <​code>​ <​code>​
 Session-ID => $_session_id Session-ID => $_session_id
 </​code>​ </​code>​
 </​note>​ </​note>​
 +
 +===== Available functions =====
 +
 +In addition to macros and name, you can use some functions in rules and headers:
 +  * [[extendedfunctions|LLNG extended functions]]
 +  * [[customfunctions|Your custom functions]]
 +
 +===== Wildcards in hostnames =====
 +
 +{{..:​new.png?​direct&​35|}} Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): ''​*.example.com''​ matches all hostnames that belong to ''​example.com''​ domain.
 +
 +Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order:
 +  - test.sub.example.com
 +  - *.sub.example.com
 +  - test.example.com
 +  - *.example.com
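Review bot: The Session-ID tip should state the consequence of forwarding $_session_id: the forwarded value is the same SSO session key that the hidden cookie withholds from applications, so an application receiving it gets exactly what the default hiding is meant to protect, and the tip should say that only an application trusted to that degree should receive it. In the wildcard section, "Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied" is ambiguous; suggest "an explicitly declared virtualhost takes precedence over a matching wildcard", and the precedence list implies that "*.example.com" also matches "test.sub.example.com", which the sentence "matches all hostnames that belong to example.com domain" should state explicitly. Wording elsewhere in the hunk: "non ascii" should be "non-ASCII" (twice), "avoid "newline" characters insertion in result" should be "avoid newline characters being inserted in the result", "In addition to macros and name" presumably means "macros and variable names", and "(not in aliases !)" should drop the space before the exclamation mark.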