2016-10-15 19:57:54 +02:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:configvhost</title> <!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,configvhost" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="configvhost.html" />
<link rel="contents" href="configvhost.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:configvhost","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script> <!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script> <!-- //endif --> <!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script> <!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"> <!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#apache_configuration">Apache configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#hosted_application">Hosted application</a></div></li>
<li class="level2"><div class="li"><a href="#reverse_proxy">Reverse proxy</a></div></li>
<li class="level2"><div class="li"><a href="#add_a_floating_menu">Add a floating menu</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#nginx_configuration">Nginx configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#hosted_application1">Hosted application</a></div></li>
<li class="level2"><div class="li"><a href="#reverse_proxy1">Reverse proxy</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#lemonldapng_configuration">LemonLDAP::NG configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#access_rules_and_http_headers">Access rules and HTTP headers</a></div></li>
<li class="level2"><div class="li"><a href="#post_data">POST data</a></div></li>
<li class="level2"><div class="li"><a href="#options">Options</a></div></li>
</ul></li>
</ul>
</div>
</div> <!-- TOC END -->
<h1 class="sectionedit1" id="manage_virtual_hosts">Manage virtual hosts</h1>
<div class="level1">
<p>
The LemonLDAP::NG configuration is built around Apache or Nginx virtual hosts. Each virtual host is a protected resource, with its own access rules, headers, options and POST data.
</p>
</div> <!-- EDIT1 SECTION "Manage virtual hosts" [1 - 206] -->
<h2 class="sectionedit2" id="apache_configuration">Apache configuration</h2>
<div class="level2">
<p>
To protect a virtual host in Apache, the LemonLDAP::NG Handler must be enabled (see <a href="configlocation.html#apache" class="wikilink1" title="documentation:2.0:configlocation">Apache global configuration</a>).
</p>
<p>
Any virtual host can then be protected by adding this line:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
</div> <!-- EDIT2 SECTION "Apache configuration" [207 - 530] -->
<h3 class="sectionedit3" id="hosted_application">Hosted application</h3>
<div class="level3">
<p>
Example of a protected virtual host for a local application:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> localsite.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
<span class="kw1">DocumentRoot</span> /var/www/localsite
<span class="kw1">ErrorLog</span> /var/log/apache2/localsite_error.log
<span class="kw1">CustomLog</span> /var/log/apache2/localsite_access.log combined
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div> <!-- EDIT3 SECTION "Hosted application" [531 - 938] -->
<h3 class="sectionedit4" id="reverse_proxy">Reverse proxy</h3>
<div class="level3">
<p>
Example of a protected virtual host with Lemonldap::NG acting as a reverse proxy:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> application.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
<span class="co1"># Reverse proxy</span>
<span class="kw1">ProxyPass</span> / http://private-name/
<span class="co1"># Rewrite the "Location" header in redirects</span>
<span class="kw1">ProxyPassReverse</span> / http://private-name/
<span class="co1"># Rewrite the cookie domain</span>
<span class="kw1">ProxyPassReverseCookieDomain</span> private-name application.example.com
<span class="kw1">ErrorLog</span> /var/log/apache2/proxysite_error.log
<span class="kw1">CustomLog</span> /var/log/apache2/proxysite_access.log combined
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<p>
The same setup when the remote server is configured with the same host name:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> application.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
<span class="co1"># Reverse proxy</span>
<span class="kw1">ProxyPass</span> / http://APPLICATION_IP/
<span class="kw1">ProxyPreserveHost</span> <span class="kw2">on</span>
<span class="kw1">ErrorLog</span> /var/log/apache2/proxysite_error.log
<span class="kw1">CustomLog</span> /var/log/apache2/proxysite_access.log combined
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<div class="noteclassic">The <code>ProxyPreserveHost</code> directive forwards the Host header to the protected application.<br />To learn more about using Apache as a reverse proxy, see the <a href="http://httpd.apache.org/docs/current/mod/mod_proxy.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_proxy.html" rel="nofollow">Apache documentation</a>.
</div><div class="notetip">Some applications need the <code>REMOTE_USER</code> environment variable to know the name of the connected user; it is not set in reverse-proxy mode. In that case, see <a href="header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">how to convert headers into an environment variable</a>.
</div>
</div> <!-- EDIT4 SECTION "Reverse proxy" [939 - 2531] -->
<h3 class="sectionedit5" id="add_a_floating_menu">Add a floating menu</h3>
<div class="level3">
<p>
A small floating menu can be added to applications with a simple Apache configuration:
</p>
<pre class="code file apache">PerlModule Lemonldap::NG::Handler::Menu
PerlOutputFilterHandler Lemonldap::NG::Handler::Menu-&gt;run</pre>
<p>
The pages on which this menu is displayed can be restricted, for example:
</p>
<pre class="code file apache">&lt;<span class="kw3">Location</span> /var/www/html/index.php&gt;
PerlOutputFilterHandler Lemonldap::NG::Handler::Menu-&gt;run
&lt;/<span class="kw3">Location</span>&gt;</pre>
<div class="noteimportant">mod_deflate must be disabled to use the floating menu.
</div>
</div> <!-- EDIT5 SECTION "Add a floating menu" [2532 - 3048] -->
<h2 class="sectionedit6" id="nginx_configuration">Nginx configuration</h2>
<div class="level2">
<p>
To protect a virtual host in Nginx, the LemonLDAP::NG FastCGI server must be running (see <a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LemonLDAP::NG FastCGI server</a>).
</p>
<p>
Then you can take any virtual host and modify it:
</p>
<ul>
<li class="level1"><div class="li">Declare the /lmauth endpoint:</div>
</li>
</ul>
<pre class="code file nginx">location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Ignore posted data
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep the original host name
fastcgi_param HOST $http_host;
# Keep the original request (the LLNG server receives /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}</pre>
<ul>
<li class="level1"><div class="li">Protect the application (/ or /path/to/protect):</div>
</li>
</ul>
<pre class="code file nginx">location /path/to/protect {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
auth_request_set $cookie_value $upstream_http_set_cookie;
add_header Set-Cookie $cookie_value;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
}</pre>
<ul>
<li class="level1"><div class="li">Use LUA or set the headers manually:</div>
</li>
</ul>
<pre class="code file nginx">location /path/to/protect {
...
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
# ELSE
# Set the headers manually
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA is not supported), rewrite the Cookie header to hide the LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie $lmcookie;
# OR, in the matching block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Set REMOTE_USER (FastCGI applications only)
#fastcgi_param REMOTE_USER $lmremote_user;
}</pre>
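<p>
Once the three steps above are in place, the safety of the setup rests on properties of the <code>/lmauth</code> location that are easy to lose in a later edit: it must stay <code>internal</code> (otherwise any client can call the authentication subrequest directly), and it must not forward the client's body to the FastCGI server. The following Python script is an added example, not part of LemonLDAP::NG or nginx; it parses a small subset of nginx syntax, checks those properties plus the <code>error_page 401</code> redirect on every location that uses <code>auth_request</code>, and runs over two constructed configurations (a weakened one and one following the pattern above). The names <code>WEAK_CONF</code>, <code>HARDENED_CONF</code>, <code>parse</code>, <code>walk</code> and <code>lint</code> belong to the example only.
</p>

```python
"""Lint an nginx configuration for the LemonLDAP::NG auth_request pattern.
Added example (not LemonLDAP::NG or nginx code): a minimal nginx parser plus
three checks on the locations involved in the authentication subrequest."""
import re

# Tokens: comments, quoted strings, the punctuation nginx cares about, words.
TOKEN_RE = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};#"']+""")

def parse(tokens):
    """Build a list of (name, args, children); children is None for a simple
    directive. `tokens` must be an iterator shared with the recursive calls."""
    items, words = [], []
    for tok in tokens:
        if tok == ";":
            if words:
                items.append((words[0], words[1:], None))
            words = []
        elif tok == "{":
            items.append((words[0] if words else "", words[1:], parse(tokens)))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return items

def walk(items):
    """Depth-first traversal of the parsed tree."""
    for name, args, children in items:
        yield name, args, children
        if children:
            yield from walk(children)

def lint(text):
    """Return the list of findings; an empty list means all checks passed."""
    tokens = (t for t in TOKEN_RE.findall(text) if not t.startswith("#"))
    # location blocks as (path, [(directive, args), ...]); the path is the
    # last argument because a modifier (=, ~, ~*, ^~) may precede it.
    locations = [(args[-1], [(n, a) for n, a, _ in children])
                 for name, args, children in walk(parse(tokens))
                 if name == "location" and args and children is not None]
    auth_targets = {a[0] for _, local in locations
                    for n, a in local if n == "auth_request" and a}
    findings = []
    for path, local in locations:
        names = {n for n, _ in local}
        if path in auth_targets:  # the auth endpoint itself
            if "internal" not in names:
                findings.append(f"{path}: reachable by clients (missing 'internal;')")
            if ("fastcgi_pass_request_body", ["off"]) not in local:
                findings.append(f"{path}: client body forwarded to the auth server "
                                "(missing 'fastcgi_pass_request_body off;')")
            if ("fastcgi_param", ["CONTENT_LENGTH", '""']) not in local:
                findings.append(f"{path}: CONTENT_LENGTH not cleared although the body is dropped")
        elif "auth_request" in names:  # a protected location
            if not any(n == "error_page" and "401" in a for n, a in local):
                findings.append(f"{path}: no 'error_page 401' redirect to the portal")
    return findings

# Constructed samples: the weak form leaves /lmauth callable from outside and
# forwards the request body; the hardened form follows the pattern above.
WEAK_CONF = """
server {
    location = /lmauth {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        fastcgi_param X_ORIGINAL_URI $request_uri;
    }
    location / {
        auth_request /lmauth;
        proxy_pass http://remote.server/;
    }
}
"""

HARDENED_CONF = """
server {
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        fastcgi_pass_request_body off;   # never hand POST data to the auth server
        fastcgi_param CONTENT_LENGTH "";
        fastcgi_param HOST $http_host;
        fastcgi_param X_ORIGINAL_URI $request_uri;
    }
    location / {
        auth_request /lmauth;
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        proxy_pass http://remote.server/;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = lint(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

<p>
Run the script directly to print the findings for both samples (four for the weak configuration, none for the hardened one). <code>nginx -t</code> will not flag any of them, since each weakened form is syntactically valid; the point is to check the meaning of the block, not its syntax.
</p>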
</div> <!-- EDIT6 SECTION "Nginx configuration" [3049 - 4936] -->
<h3 class="sectionedit7" id="hosted_application1">Hosted application</h3>
<div class="level3">
<p>
Example of a protected virtual host for a local application:
</p>
<pre class="code file nginx"># Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
server {
listen 80;
server_name myserver;
root /var/www/html;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/path/to/llng-fastcgi-server.sock;
# Ignore posted data
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep the original host name
fastcgi_param HOST $http_host;
# Keep the original request (the LLNG server receives /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location ~ \.php$ {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
include fastcgi_params;
try_files $fastcgi_script_name =404;
fastcgi_pass unix:/path/to/php-fpm/socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_hide_header X-Powered-By;
#######################################
# PASS THE HEADERS TO THE APPLICATION #
#######################################
# IF LUA IS SUPPORTED
#include /path/to/nginx-lua-headers.conf;
# ELSE
# Set the headers manually
#auth_request_set $authuser $upstream_http_auth_user;
#fastcgi_param HTTP_AUTH_USER $authuser;
}
location / {
try_files $uri $uri/ =404;
}
}</pre>
</div> <!-- EDIT7 SECTION "Hosted application" [4937 - 6566] -->
<h3 class="sectionedit8" id="reverse_proxy1">Reverse proxy</h3>
<div class="level3">
<p>
Example of a protected reverse proxy:
</p>
<pre class="code file nginx"># Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
server {
listen 80;
server_name myserver;
root /var/www/html;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/path/to/llng-fastcgi-server.sock;
# Ignore posted data
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep the original host name
fastcgi_param HOST $http_host;
# Keep the original request (the LLNG server receives /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
proxy_pass http://remote.server/;
include /etc/nginx/proxy_params;
#######################################
# PASS THE HEADERS TO THE APPLICATION #
#######################################
# IF LUA IS SUPPORTED
#include /path/to/nginx-lua-headers.conf;
# ELSE
# Set the headers manually
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
}
}</pre>
</div> <!-- EDIT8 SECTION "Reverse proxy" [6567 - 7861] -->
<h2 class="sectionedit9" id="lemonldapng_configuration">LemonLDAP::NG configuration</h2>
<div class="level2">
<p>
A virtual host protected by the LemonLDAP::NG Handler must be registered in the LemonLDAP::NG configuration.
</p>
<p>
To do so, use the Manager and go to the <code>Virtual Hosts</code> branch. A virtual host can be added, deleted or modified there. Enter the exact virtual host name (for example <code>test.example.com</code>) or use a wildcard (for example <code>*.example.com</code>).
</p>
<p>
A virtual host contains:
</p>
<ul>
<li class="level1"><div class="li">Access rules: check the user's rights with expressions evaluated on the <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li">HTTP headers: build the information sent to the protected applications</div>
</li>
<li class="level1"><div class="li">POST data: used to submit forms</div>
</li>
<li class="level1"><div class="li">Options: redirection port and protocol</div>
</li>
</ul>
</div> <!-- EDIT9 SECTION "LemonLDAP::NG configuration" [7862 - 8461] -->
<h3 class="sectionedit10" id="access_rules_and_http_headers">Access rules and HTTP headers</h3>
<div class="level3">
<p>
See <strong><a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></strong> to learn how to configure access control and the HTTP headers that <abbr title="LemonLDAP::NG">LL::NG</abbr> sends to the application.
</p>
</div> <!-- EDIT10 SECTION "Access rules and HTTP headers" [8462 - 8654] -->
<h3 class="sectionedit11" id="post_data">POST data</h3>
<div class="level3">
<p>
See <strong><a href="formreplay.html" class="wikilink1" title="documentation:2.0:formreplay">Form replay</a></strong> to learn how to configure form replay to post data to a protected application.
</p>
</div> <!-- EDIT11 SECTION "POST data" [8655 - 8789] -->
<h3 class="sectionedit12" id="options">Options</h3>
<div class="level3">
<p>
A few options are available:
</p>
<ul>
<li class="level1"><div class="li">Port</div>
</li>
<li class="level1"><div class="li">HTTPS</div>
</li>
<li class="level1"><div class="li">Maintenance mode</div>
</li>
</ul>
<p>
These options are used when building redirection <abbr title="Uniform Resource Locator">URL</abbr>s (when the user is not logged in, or for <abbr title="Cross-Domain Authentication">CDA</abbr> requests). Unless they are changed, the default values are used, so these options are only needed to override the defaults.
</p>
</div> <!-- EDIT12 SECTION "Options" [8790 - ] -->
</div>
</body>
</html>