2016-10-15 19:57:04 +02:00
<!DOCTYPE html>
< html lang = "en" dir = "ltr" >
< head >
< meta charset = "utf-8" / >
< title > documentation:2.0:authssl< / title >
< meta name = "generator" content = "DokuWiki" / >
2019-06-28 16:53:45 +02:00
< meta name = "robots" content = "index,follow" / >
2016-10-15 19:57:04 +02:00
< meta name = "keywords" content = "documentation,2.0,authssl" / >
< link rel = "search" type = "application/opensearchdescription+xml" href = "lib/exe/opensearch.html" title = "LemonLDAP::NG" / >
< link rel = "start" href = "authssl.html" / >
< link rel = "contents" href = "authssl.html" title = "Sitemap" / >
< link rel = "stylesheet" type = "text/css" href = "lib/exe/css.php.t.bootstrap3.css" / >
2017-02-07 17:35:26 +01:00
<!-- //if:usedebianlibs
< link rel = "stylesheet" type = "text/css" href = "/javascript/bootstrap/css/bootstrap.min.css" / >
//elsif:useexternallibs
< link rel = "stylesheet" type = "text/css" href = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" > < / script >
//elsif:cssminified
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.min.css" / >
//else -->
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.css" / >
<!-- //endif -->
2016-10-15 19:57:04 +02:00
< script type = "text/javascript" > / * < ! [ C D A T A [ * / v a r N S = ' d o c u m e n t a t i o n : 2 . 0 ' ; v a r J S I N F O = { " i d " : " d o c u m e n t a t i o n : 2 . 0 : a u t h s s l " , " n a m e s p a c e " : " d o c u m e n t a t i o n : 2 . 0 " } ;
/*!]]>*/< / script >
< script type = "text/javascript" charset = "utf-8" src = "lib/exe/js.php.t.bootstrap3.js" > < / script >
2017-02-07 17:35:26 +01:00
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery/jquery.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/jquery-2.2.0.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.js" > < / script >
<!-- //endif -->
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery-ui/jquery-ui.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/ui/1.10.4/jquery-ui.min.js" > < / script >
//elsif:jsminified
2018-03-08 13:29:31 +01:00
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.min.js" > < / script >
2017-02-07 17:35:26 +01:00
//else -->
2018-03-08 13:29:31 +01:00
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.js" > < / script >
2017-02-07 17:35:26 +01:00
<!-- //endif -->
2016-10-15 19:57:04 +02:00
< / head >
< body >
< div class = "dokuwiki export container" >
<!-- TOC START -->
< div id = "dw__toc" >
< h3 class = "toggle" > Table of Contents< / h3 >
< div >
< ul class = "toc" >
< li class = "level1" > < div class = "li" > < a href = "#presentation" > Presentation< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configuration" > Configuration< / a > < / div >
< ul class = "toc" >
2017-03-04 15:38:41 +01:00
< li class = "level2" > < div class = "li" > < a href = "#with_apache" > With Apache< / a > < / div >
< ul class = "toc" >
< li class = "level3" > < div class = "li" > < a href = "#enable_ssl_in_apache" > Enable SSL in Apache< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#apache_ssl_global_configuration" > Apache SSL global configuration< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#apache_portal_ssl_configuration" > Apache portal SSL configuration< / a > < / div > < / li >
< / ul >
< / li >
2019-04-09 22:26:40 +02:00
< li class = "level2" > < div class = "li" > < a href = "#with_nginx" > With Nginx< / a > < / div >
< ul class = "toc" >
< li class = "level3" > < div class = "li" > < a href = "#nginx_ssl_virtual_host_example_with_uwsgi" > Nginx SSL Virtual Host example with uWSGI< / a > < / div > < / li >
< / ul >
< / li >
2016-10-15 19:57:04 +02:00
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_lemonldapng" > Configuration of LemonLDAP::NG< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#auto_reloading_ssl_certificates" > Auto reloading SSL Certificates< / a > < / div > < / li >
2017-04-13 19:00:28 +02:00
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#ssl_by_ajax" > SSL by Ajax< / a > < / div > < / li >
2016-10-15 19:57:04 +02:00
< / ul >
< / div >
< / div >
<!-- TOC END -->
< h1 class = "sectionedit1" id = "ssl" > SSL< / h1 >
< div class = "level1" >
< div class = "table sectionedit2" > < table class = "inline table table-bordered table-striped" >
< thead >
< tr class = "row0 roweven" >
< th class = "col0 centeralign" > Authentication < / th > < th class = "col1 centeralign" > Users < / th > < th class = "col2 centeralign" > Password < / th >
< / tr >
< / thead >
< tr class = "row1 rowodd" >
< td class = "col0 centeralign" > ✔ < / td > < td class = "col1" > < / td > < td class = "col2" > < / td >
< / tr >
< / table > < / div >
<!-- EDIT2 TABLE [19 - 76] -->
< / div >
<!-- EDIT1 SECTION "SSL" [1 - 77] -->
< h2 class = "sectionedit3" id = "presentation" > Presentation< / h2 >
< div class = "level2" >
< p >
< abbr title = "LemonLDAP::NG" > LL::NG< / abbr > uses < a href = "http://httpd.apache.org/docs/current/mod/mod_ssl.html" class = "urlextern" title = "http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel = "nofollow" > Apache SSL module< / a > , like any other < a href = "authapache.html" class = "wikilink1" title = "documentation:2.0:authapache" > Apache authentication module< / a > , with extra features:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Choice of any certificate attribute as user main login< / div >
< / li >
< li class = "level1" > < div class = "li" > Allow no certificate to chain with other authentication methods< / div >
< / li >
< / ul >
< / div >
<!-- EDIT3 SECTION "Presentation" [78 - 401] -->
< h2 class = "sectionedit4" id = "configuration" > Configuration< / h2 >
< div class = "level2" >
2017-04-13 19:00:28 +02:00
< p >
By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG < em > (compatible with < a href = "authcombination.html" class = "wikilink1" title = "documentation:2.0:authcombination" > Combination< / a > )< / em > , you can activate “SSL by Ajax request” in the manager. See < a href = "#ssl_by_ajax" title = "documentation:2.0:authssl ↵" class = "wikilink1" > SSL by Ajax< / a > below.
< / p >
2016-10-15 19:57:04 +02:00
< / div >
2017-04-13 19:00:28 +02:00
<!-- EDIT4 SECTION "Configuration" [402 - 713] -->
2017-03-04 15:38:41 +01:00
< h3 class = "sectionedit5" id = "with_apache" > With Apache< / h3 >
2016-10-15 19:57:04 +02:00
< div class = "level3" >
2017-03-04 15:38:41 +01:00
< / div >
< h4 id = "enable_ssl_in_apache" > Enable SSL in Apache< / h4 >
< div class = "level4" >
2016-10-15 19:57:04 +02:00
< p >
You have to install mod_ssl for Apache.
< / p >
< p >
For CentOS/RHEL:
< / p >
< pre class = "code shell" > yum install mod_ssl< / pre >
2017-03-04 15:38:41 +01:00
< div class = "notetip" > In Debian/Ubuntu mod_ssl is already shipped in < code > apache*-common< / code > package.
< / div > < div class = "notetip" > For CentOS/RHEL, We advice to disable the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.
2016-10-15 19:57:04 +02:00
< / div >
< / div >
2017-03-04 15:38:41 +01:00
< h4 id = "apache_ssl_global_configuration" > Apache SSL global configuration< / h4 >
< div class = "level4" >
2016-10-15 19:57:04 +02:00
< p >
You can then use this default SSL configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf:
< / p >
< pre class = "code file apache" > < span class = "kw1" > SSLProtocol< / span > < span class = "kw2" > all< / span > -SSLv2
< span class = "kw1" > SSLCipherSuite< / span > HIGH:MEDIUM
< span class = "kw1" > SSLCertificateFile< / span > /etc/httpd/certs/ow2.cert
< span class = "kw1" > SSLCertificateKeyFile< / span > /etc/httpd/certs/ow2.key
< span class = "kw1" > SSLCACertificateFile< / span > /etc/httpd/certs/ow2-ca.cert< / pre >
< div class = "noteclassic" > Put your own files instead of < code > ow2.cert< / code > , < code > ow2.key< / code > , < code > ow2-ca.cert< / code > :< ul >
< li class = "level1" > < div class = "li" > < strong > SSLCertificateFile< / strong > : Server certificate< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > SSLCertificateKeyFile< / strong > : Server private key< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > SSLCACertificateFile< / strong > : CA certificate to validate client certificates< / div >
< / li >
< / ul >
< / div >
< p >
If you specify port in virtual host, then declare SSL port:
< / p >
< pre class = "code file apache" > < span class = "kw1" > NameVirtualHost< / span > *:< span class = "nu0" > 80< / span >
< span class = "kw1" > NameVirtualHost< / span > *:< span class = "nu0" > 443< / span > < / pre >
< / div >
2017-03-04 15:38:41 +01:00
< h4 id = "apache_portal_ssl_configuration" > Apache portal SSL configuration< / h4 >
< div class = "level4" >
2016-10-15 19:57:04 +02:00
< p >
Edit the portal virtual host to enable SSL double authentication:
< / p >
< pre class = "code file apache" > < span class = "kw1" > SSLEngine< / span > < span class = "kw2" > On< / span >
< span class = "kw1" > SSLVerifyClient< / span > optional
< span class = "kw1" > SSLVerifyDepth< / span > < span class = "nu0" > 10< / span >
< span class = "kw1" > SSLOptions< / span > +StdEnvVars
< span class = "kw1" > SSLUserName< / span > SSL_CLIENT_S_DN_CN< / pre >
< p >
All SSL options are documented in < a href = "http://httpd.apache.org/docs/current/mod/mod_ssl.html" class = "urlextern" title = "http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel = "nofollow" > Apache mod_ssl page< / a > .
< / p >
< p >
Here are the main options used by < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > :
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > SSLVerifyClient< / strong > : set to < code > optional< / code > to allow user with a bad certificate to access to < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal page. To switch to another authentication backend, use the < a href = "authmulti.html" class = "wikilink1" title = "documentation:2.0:authmulti" > Multi< / a > module, for example: < code > Multi SSL;LDAP< / code > < / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > SSLOptions< / strong > : set to < code > +StdEnvVars< / code > to get certificate fields in environment variables< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > SSLUserName< / strong > (optional): certificate field that will be used to identify user in < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal virtual host< / div >
< / li >
< / ul >
< / div >
2017-04-13 19:00:28 +02:00
<!-- EDIT5 SECTION "With Apache" [714 - 2684] -->
2017-03-04 15:38:41 +01:00
< h3 class = "sectionedit6" id = "with_nginx" > With Nginx< / h3 >
< div class = "level3" >
< p >
Enable SSL:
< / p >
< pre class = "code file nginx" > ssl on;
ssl_verify_client optional;
ssl_certificate /etc/letsencrypt/live/my/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my/privkey.pem;
ssl_verify_depth 3;
ssl_client_certificate /etc/nginx/ssl/ca.pem;
ssl_crl /etc/nginx/ssl/crl/my.crl;< / pre >
< p >
You must also export SSL_CLIENT_S_< abbr title = "Distinguished Name" > DN< / abbr > _CN in FastCGI params:
< / p >
2019-04-09 22:26:40 +02:00
< pre class = "code file nginx" > # map directive must be in http context
map $ssl_client_s_dn $ssl_client_s_dn_cn {
2017-03-04 15:38:41 +01:00
default " " ;
2019-06-28 16:53:45 +02:00
~/CN=(?< CN> [^/]+) $CN; # prior Nginx 1.11.6
#~,CN=(?< CN> [^,]+) $CN; # Nginx > = 1.11.6
2017-03-04 15:38:41 +01:00
}
fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;< / pre >
< / div >
2019-04-09 22:26:40 +02:00
< h4 id = "nginx_ssl_virtual_host_example_with_uwsgi" > Nginx SSL Virtual Host example with uWSGI< / h4 >
< div class = "level4" >
< pre class = "code file nginx" > server {
listen 443;
server_name authssl.example.com;
root /usr/share/lemonldap-ng/portal/htdocs/;
# Use " lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
access_log /var/log/nginx/access.log lm_app;
ssl_verify_client on;
ssl_verify_depth 3;
# Full chain CRL is required
# All CRLs must be concatenated in a single .pem format file
ssl_crl /etc/nginx/ssl/crl/crls.pem;
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^(?< sc> /.*\.psgi)(?:$|/) {
# uWSGI Configuration
include /etc/nginx/uwsgi_params;
uwsgi_pass 127.0.0.1:5000;
uwsgi_param LLTYPE psgi;
uwsgi_param SCRIPT_FILENAME $document_root$sc;
uwsgi_param SCRIPT_NAME $sc;
uwsgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
}
#index index.psgi;
location / {
try_files $uri $uri/ =404;
2019-05-12 16:33:56 +02:00
add_header Strict-Transport-Security " max-age=15768000" ;
2019-04-09 22:26:40 +02:00
}
}< / pre >
2019-06-28 16:53:45 +02:00
< div class = "noteimportant" > Nginx 1.11.6 change: format of the $ssl_client_s_dn and $ssl_client_i_dn variables
has been changed to follow < abbr title = "Request for Comments" > RFC< / abbr > 2253 (< abbr title = "Request for Comments" > RFC< / abbr > 4514); values in the old format are available
in the $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
2019-04-09 22:26:40 +02:00
< / div >
2019-06-28 16:53:45 +02:00
< / div >
<!-- EDIT6 SECTION "With Nginx" [2685 - 4659] -->
2017-03-04 15:38:41 +01:00
< h3 class = "sectionedit7" id = "configuration_of_lemonldapng" > Configuration of LemonLDAP::NG< / h3 >
2016-10-15 19:57:04 +02:00
< div class = "level3" >
< p >
In Manager, go in < code > General Parameters< / code > > < code > Authentication modules< / code > and choose SSL for authentication.
< / p >
< div class = "notetip" > You can then choose any other module for users and password.
< / div >
< p >
Then, go in < code > SSL parameters< / code > :
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > Authentication level< / strong > : authentication level for this module< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Extracted certificate field< / strong > : field of the certificate affected to $user internal variable< / div >
< / li >
< / ul >
< / div >
2019-06-28 16:53:45 +02:00
<!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [4660 - 5085] -->
2017-03-04 15:38:41 +01:00
< h3 class = "sectionedit8" id = "auto_reloading_ssl_certificates" > Auto reloading SSL Certificates< / h3 >
2016-10-15 19:57:04 +02:00
< div class = "level3" >
< p >
A known problematic is that many browser (Firefox, Chrome) remembers the fact that the certificate is not available at a certain time.
It is particularly important for smart cards: when the card is not inserted before the browser starts, the user must restart his browser, or at least refresh (F5) the page.
< / p >
< p >
It is possible with AJAX code and 3 Apache locations to bypass this limitation.
< / p >
< p >
1. Modify the portal virtual host to match this example:
< / p >
< pre class = "code file apache" > < span class = "kw1" > SSLEngine< / span > < span class = "kw2" > On< / span >
< span class = "kw1" > SSLCACertificateFile< / span > /etc/apache2/ssl/ca.crt
< span class = "kw1" > SSLCertificateKeyFile< / span > /etc/apache2/ssl/lemonldap.key
< span class = "kw1" > SSLCertificateFile< / span > /etc/apache2/ssl/lemonldap.crt
< span class = "kw1" > SSLVerifyDepth< / span > < span class = "nu0" > 10< / span >
< span class = "kw1" > SSLOptions< / span > +StdEnvVars
< span class = "kw1" > SSLUserName< / span > SSL_CLIENT_S_DN_CN
< span class = "co1" > # DocumentRoot< / span >
< span class = "kw1" > DocumentRoot< / span > /var/lib/lemonldap-ng/portal/
< < span class = "kw3" > Directory< / span > /var/lib/lemonldap-ng/portal/>
< span class = "kw1" > Order< / span > < span class = "kw1" > Deny< / span > ,< span class = "kw1" > Allow< / span >
< span class = "kw1" > Allow< / span > from < span class = "kw2" > all< / span >
< span class = "kw1" > Options< / span > +ExecCGI +< span class = "kw2" > FollowSymLinks< / span >
< span class = "kw1" > SSLVerifyClient< / span > < span class = "kw2" > none< / span >
< /< span class = "kw3" > Directory< / span > >
< < span class = "kw3" > Location< / span > /index>
< span class = "kw1" > Order< / span > < span class = "kw1" > Deny< / span > ,< span class = "kw1" > Allow< / span >
< span class = "kw1" > Allow< / span > from < span class = "kw2" > all< / span >
< span class = "kw1" > SSLVerifyClient< / span > < span class = "kw2" > none< / span >
< /< span class = "kw3" > Location< / span > >
< < span class = "kw3" > Location< / span > /testssl>
< span class = "kw1" > Order< / span > < span class = "kw1" > Deny< / span > ,< span class = "kw1" > Allow< / span >
< span class = "kw1" > Allow< / span > from < span class = "kw2" > all< / span >
< span class = "kw1" > SSLVerifyClient< / span > < span class = "kw1" > require< / span >
< /< span class = "kw3" > Location< / span > >
< span class = "kw1" > Alias< / span > /sslok /var/lib/lemonldap-ng/portal
< < span class = "kw3" > Location< / span > /sslok>
< span class = "kw1" > Order< / span > < span class = "kw1" > Deny< / span > ,< span class = "kw1" > Allow< / span >
< span class = "kw1" > Allow< / span > from < span class = "kw2" > all< / span >
< span class = "kw1" > SSLVerifyClient< / span > < span class = "kw1" > require< / span >
< /< span class = "kw3" > Location< / span > > < / pre >
< ul >
< li class = "level1" > < div class = "li" > /index/ is an unprotected page to display a SSL test button< / div >
< / li >
< li class = "level1" > < div class = "li" > /testssl/ is a SSL protected page to check the certificate< / div >
< / li >
2019-02-12 17:32:02 +01:00
< li class = "level1" > < div class = "li" > /sslok/ is the new LemonLDAP::NG portal. You need to declare the new url in the manager: Portal -> < abbr title = "Uniform Resource Locator" > URL< / abbr > : < a href = "https://auth.example.com/sslok/" class = "urlextern" title = "https://auth.example.com/sslok/" rel = "nofollow" > https://auth.example.com/sslok/< / a > < / div >
2016-10-15 19:57:04 +02:00
< / li >
< / ul >
< p >
2. Then you need to construct the Ajax page, for example in /index/bouton.html. It looks like this:
< / p >
< pre class = "code file html4strict" > < span class = "sc2" > < < a href = "http://december.com/html/4/element/body.html" > < span class = "kw2" > body< / span > < / a > > < / span >
< span class = "sc2" > < < a href = "http://december.com/html/4/element/script.html" > < span class = "kw2" > script< / span > < / a > < span class = "kw3" > src< / span > < span class = "sy0" > =< / span > < span class = "st0" > " ./jquery-2.1.4.min.js" < / span > < span class = "kw3" > type< / span > < span class = "sy0" > =< / span > < span class = "st0" > " text/javascript" < / span > > < / span > < span class = "sc2" > < < span class = "sy0" > /< / span > < a href = "http://december.com/html/4/element/script.html" > < span class = "kw2" > script< / span > < / a > > < / span >
< span class = "sc-1" > < !--< script src=" ./jquery-ui-1.8-rass.js" type=" text/javascript" > < /script> --> < / span >
< span class = "sc2" > < < a href = "http://december.com/html/4/element/a.html" > < span class = "kw2" > a< / span > < / a > < span class = "kw3" > href< / span > < span class = "sy0" > =< / span > < span class = "st0" > " http://www.google.fr" < / span > < span class = "kw3" > class< / span > < span class = "sy0" > =< / span > < span class = "st0" > " enteteBouton" < / span > < span class = "kw3" > id< / span > < span class = "sy0" > =< / span > < span class = "st0" > " continuerButton" < / span > > < < a href = "http://december.com/html/4/element/img.html" > < span class = "kw2" > img< / span > < / a > < span class = "kw3" > src< / span > < span class = "sy0" > =< / span > authent.png> < < span class = "sy0" > /< / span > < a href = "http://december.com/html/4/element/a.html" > < span class = "kw2" > a< / span > < / a > > < / span >
< span class = "sc2" > < < a href = "http://december.com/html/4/element/script.html" > < span class = "kw2" > script< / span > < / a > > < / span >
$('.enteteBouton').click( function (e) {
var b=navigator.userAgent.toLowerCase();
if(b.indexOf(" msie" )!==-1){
document.execCommand(" ClearAuthenticationCache" )
}
e.preventDefault();
$.ajax({
url:" https://auth.example.com/testssl" ,
beforeSend:function(){},
type:" GET" ,
dataType:" html" ,
success:function(c,a){
if (c !== " " ) {
alert(" Carte OK" );
window.location.href = " https://auth.example.com/sslok/" ;
}
else {
alert('Carte KO');
}
},
error:function (xhr, ajaxOptions, thrownError){
if(xhr.status==404) {
alert(" Carte OK" );
window.location.href = " https://auth.example.com/sslok/" ;
}
else {
alert('Carte KO');
}
},
complete:function(c,a){}
});
});
< span class = "sc2" > < < span class = "sy0" > /< / span > < a href = "http://december.com/html/4/element/script.html" > < span class = "kw2" > script< / span > < / a > > < / span >
< span class = "sc2" > < < span class = "sy0" > /< / span > < a href = "http://december.com/html/4/element/body.html" > < span class = "kw2" > body< / span > < / a > > < / span > < / pre >
2017-04-13 19:00:28 +02:00
< div class = "notewarning" > It is incompatible with authentication combination because of Apache parameter “SSLVerifyClient”, which must have the value “require”. To enable SSL with < a href = "authcombination.html" class = "wikilink1" title = "documentation:2.0:authcombination" > Combination< / a > , use < a href = "#ssl_by_ajax" title = "documentation:2.0:authssl ↵" class = "wikilink1" > SSL by Ajax< / a >
2016-10-15 19:57:04 +02:00
< / div >
< / div >
2019-06-28 16:53:45 +02:00
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [5086 - 8349] -->
2017-04-13 19:00:28 +02:00
< h2 class = "sectionedit9" id = "ssl_by_ajax" > SSL by Ajax< / h2 >
< div class = "level2" >
< p >
If you enable this feature, you must configure 2 portal virtual hosts:
< / p >
< ul >
< li class = "level1" > < div class = "li" > the main < em > (which corresponds to portal < abbr title = "Uniform Resource Locator" > URL< / abbr > )< / em > with < code > SSLVerifyClient none< / code > < / div >
< / li >
< li class = "level1" > < div class = "li" > the second with < code > SSLVerifyClient require< / code > and a < code > Header set Allow-Control-Allow-Origin https://portal-main-url< / code > < / div >
< / li >
< / ul >
< p >
then declare the second < abbr title = "Uniform Resource Locator" > URL< / abbr > in SSL options in the Manager. That' s all ! Then you can chain it in a < a href = "authcombination.html" class = "wikilink1" title = "documentation:2.0:authcombination" > combination< / a > .
< / p >
2019-04-09 22:26:40 +02:00
< div class = "noteclassic" > With < a href = "authchoice.html" class = "wikilink1" title = "documentation:2.0:authchoice" > choice< / a > , the second < abbr title = "Uniform Resource Locator" > URL< / abbr > should be also declared in module < abbr title = "Uniform Resource Locator" > URL< / abbr > parameter to redirect user to Portal menu.
< / div > < div class = "noteimportant" > < strong > Content Security Policy< / strong > may prevent to submit Ajax Request.
To avoid security warning,
< p >
Go to : < code > General Parameters > Advanced Parameters > Security > Content security policy< / code >
< / p >
< p >
and set :
< / p >
< p >
< strong > Default value< / strong > => ' self' “Ajax request < abbr title = "Uniform Resource Locator" > URL< / abbr > ”
< / p >
2017-04-13 19:00:28 +02:00
2019-04-09 22:26:40 +02:00
< p >
< strong > Form destinations< / strong > => ' self' “Ajax request < abbr title = "Uniform Resource Locator" > URL< / abbr > ”
< / p >
< p >
< strong > Ajax destinations< / strong > => ' self' “Ajax request < abbr title = "Uniform Resource Locator" > URL< / abbr > ”
< / p >
< / div >
2017-04-13 19:00:28 +02:00
< / div >
2019-06-28 16:53:45 +02:00
<!-- EDIT9 SECTION "SSL by Ajax" [8350 - ] --> < / div >
2016-10-15 19:57:04 +02:00
< / body >
< / html >