# Uncomment this if you use Auth SSL: #map $ssl_client_s_dn $ssl_client_s_dn_cn { # default ""; # ~/CN=(?<CN>[^/]+) $CN; #} #>GNUNUX map $ssl_client_s_dn $ssl_client_s_dn_cn { default ""; ~/CN=(?<CN>[^/]+) $CN; } #<GNUNUX # FastCGI backend definition upstream llng_portal_upstream { server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; } server { listen 127.0.0.1:80; server_name localhost; root /usr/share/lemonldap-ng/portal/htdocs/; if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) { rewrite ^/(.*)$ /index.psgi/$1 break; } location ~ ^(?<sc>/.*\.psgi)(?:$|/) { include /etc/nginx/fastcgi_params; fastcgi_pass llng_portal_upstream; fastcgi_param REQUEST_URI /.well-known/openid-configuration; fastcgi_param HTTP_HOST %%domain_name_eth0; fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; } } #>GNUNUX geo $zone_name { default ext; %%gateway_eth0 ext; %%network_eth0 int; } #<GNUNUX server { # GNUNUX listen 80; # GNUNUX listen [::]:80; # GNUNUX server_name auth.example.com; #>GNUNUX listen 443 ssl; server_name %%{revprox_client_external_domainnames[0]}; ssl_certificate %%revprox_client_cert_file; ssl_certificate_key %%revprox_client_key_file; ssl_client_certificate %%revprox_ca_file; ssl_session_cache shared:SSL:10m; #<GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/; # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf) #access_log /var/log/nginx/portal.log lm_app; # Uncomment this if you are running behind a reverse proxy and want # LemonLDAP::NG to see the real IP address of the end user # Adjust the settings to match the IP address of your reverse proxy # and the header containing the original IP address # As an alternative, you can use the PROXY protocol # #set_real_ip_from 127.0.0.1; #real_ip_header X-Forwarded-For; #>GNUNUX set_real_ip_from %%revprox_client_server_ip; real_ip_header X-Forwarded-For; #<GNUNUX if ($uri !~ ^/((static|javascript|favicon|.well-known).*|.*\.psgi)) { rewrite ^/(.*)$ /index.psgi/$1 break; } location ~ ^(?<sc>/.*\.psgi)(?:$|/) { # Note that Content-Security-Policy header is generated by portal itself # FastCGI configuration include /etc/nginx/fastcgi_params; fastcgi_pass llng_portal_upstream; fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; # Uncomment this if you use Auth SSL: #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; #>GNUNUX fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; #<GNUNUX # OR TO USE uWSGI #include /etc/nginx/uwsgi_params; #uwsgi_pass 127.0.0.1:5000; #uwsgi_param LLTYPE psgi; #uwsgi_param SCRIPT_FILENAME $document_root$sc; #uwsgi_param SCRIPT_NAME $sc; # Uncomment this if you use Auth SSL: #uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; #>GNUNUX uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; #<GNUNUX # REST/SOAP functions for sessions management (disabled by default) location ~ ^/index.psgi/adminSessions { fastcgi_pass llng_portal_upstream; allow %%revprox_client_server_ip; deny all; } # REST/SOAP functions for proxy auth and password reset (disabled by default) location ~ ^/index.psgi/proxy { fastcgi_pass llng_portal_upstream; allow %%revprox_client_server_ip; deny all; } # REST/SOAP functions for sessions access (disabled by default) location ~ ^/index.psgi/sessions { fastcgi_pass llng_portal_upstream; allow %%revprox_client_server_ip; deny all; } # REST/SOAP functions for configuration access (disabled by default) location ~ ^/index.psgi/config { fastcgi_pass llng_portal_upstream; allow %%revprox_client_server_ip; deny all; } # REST/SOAP functions for notification insertion (disabled by default) location ~ ^/index.psgi/notification { fastcgi_pass llng_portal_upstream; allow %%revprox_client_server_ip; deny all; } } index index.psgi; location / { try_files $uri $uri/ =404; # Uncomment this if you use https only #add_header Strict-Transport-Security "max-age=15768000"; #>GNUNUX add_header Strict-Transport-Security "max-age=15768000"; #<GNUNUX } location /static/ { alias /usr/share/lemonldap-ng/portal/htdocs/static/; } #>GNUNUX location /static/risotto/ { alias /usr/local/lib/static/; } location /static/common/apps/risotto/ { alias /usr/local/lib/static/; } #<GNUNUX # DEBIAN # If install was made with USEDEBIANLIBS (official releases), uncomment this location /javascript/ { alias /usr/share/javascript/; } #>GNUNUX # rewrite well-known rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break; location /.well-known/openid-configuration { root /var/www/html; } #<GNUNUX }