dataset/seed/lemonldap/templates/portal-nginx.conf

182 lines
5.6 KiB
Text
Raw Permalink Normal View History

2022-03-08 19:42:28 +01:00
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
#>GNUNUX
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
}
#<GNUNUX
# FastCGI backend definition
upstream llng_portal_upstream {
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
}
server {
listen 127.0.0.1:80;
server_name localhost;
root /usr/share/lemonldap-ng/portal/htdocs/;
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream;
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
2023-06-23 08:12:05 +02:00
fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
#>GNUNUX
geo $zone_name {
default ext;
2023-06-23 08:12:05 +02:00
{{ general.network.interface_0.gateway_eth0 }} ext;
{% for interface in range(zones_list|length) %}
{{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
{% endfor %}
}
#<GNUNUX
2022-03-08 19:42:28 +01:00
server {
# GNUNUX listen 80;
# GNUNUX listen [::]:80;
# GNUNUX server_name auth.example.com;
#>GNUNUX
2023-06-23 08:12:05 +02:00
listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
2022-03-08 19:42:28 +01:00
ssl_session_cache shared:SSL:10m;
#<GNUNUX
root /usr/share/lemonldap-ng/portal/htdocs/;
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
#>GNUNUX
2023-06-23 08:12:05 +02:00
set_real_ip_from {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
real_ip_header X-Forwarded-For;
#<GNUNUX
if ($uri !~ ^/((static|javascript|favicon|.well-known).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#>GNUNUX
fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#<GNUNUX
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
# Uncomment this if you use Auth SSL:
#uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#>GNUNUX
uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#<GNUNUX
# REST/SOAP functions for sessions management (disabled by default)
location ~ ^/index.psgi/adminSessions {
fastcgi_pass llng_portal_upstream;
2023-06-23 08:12:05 +02:00
allow {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
deny all;
}
# REST/SOAP functions for proxy auth and password reset (disabled by default)
location ~ ^/index.psgi/proxy {
fastcgi_pass llng_portal_upstream;
2023-06-23 08:12:05 +02:00
allow {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
deny all;
}
# REST/SOAP functions for sessions access (disabled by default)
location ~ ^/index.psgi/sessions {
fastcgi_pass llng_portal_upstream;
2023-06-23 08:12:05 +02:00
allow {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
deny all;
}
# REST/SOAP functions for configuration access (disabled by default)
location ~ ^/index.psgi/config {
fastcgi_pass llng_portal_upstream;
2023-06-23 08:12:05 +02:00
allow {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
deny all;
}
# REST/SOAP functions for notification insertion (disabled by default)
location ~ ^/index.psgi/notification {
fastcgi_pass llng_portal_upstream;
2023-06-23 08:12:05 +02:00
allow {{ general.revprox.revprox_client_server_ip }};
2022-03-08 19:42:28 +01:00
deny all;
}
}
index index.psgi;
location / {
try_files $uri $uri/ =404;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
#>GNUNUX
add_header Strict-Transport-Security "max-age=15768000";
#<GNUNUX
}
location /static/ {
alias /usr/share/lemonldap-ng/portal/htdocs/static/;
}
2022-03-29 16:33:20 +02:00
#>GNUNUX
location /static/risotto/ {
alias /usr/local/lib/static/;
}
location /static/common/apps/risotto/ {
alias /usr/local/lib/static/;
}
#<GNUNUX
2022-03-08 19:42:28 +01:00
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
location /javascript/ {
alias /usr/share/javascript/;
}
#>GNUNUX
# rewrite well-known
rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
2022-03-08 19:42:28 +01:00
location /.well-known/openid-configuration {
root /var/www/html;
}
#<GNUNUX
}