<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:ssoaas</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,ssoaas" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="ssoaas.html" />
<link rel="contents" href="ssoaas.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
<li class="level1"><div class="li"><a href="#examples_of_webserver_configuration_for_dockervm_images">Examples of webserver configuration for Docker/VM images</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#nginx">Nginx</a></div></li>
<li class="level3"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level3"><div class="li"><a href="#nodejs">Node.js</a></div></li>
<li class="level3"><div class="li"><a href="#plack_application">Plack application</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-41] -->
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
<div class="level2">
<p>
Access management provides three services:
</p>
<ul>
<li class="level1"><div class="li">Global authentication: Single Sign-On</div>
</li>
<li class="level1"><div class="li">Authorization: authenticating a user is not enough; the user's rights must be checked on each request</div>
</li>
<li class="level1"><div class="li">Accounting: <abbr title="Single Sign On">SSO</abbr> logs (access) + application logs <em>(transactions and results)</em></div>
</li>
</ul>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides all of these services (except application logs, of course, but it sets headers so that the application can produce them).
</p>
<p>
Setting headers is another <abbr title="LemonLDAP::NG">LL::NG</abbr> service: <abbr title="LemonLDAP::NG">LL::NG</abbr> can pass any user attribute to an application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>.
</p>
<p>
<code>*aaS</code> means that the application can drive the underlying layer (IaaS for infrastructure, PaaS for platform, …). So for us, <code>SSOaaS</code> must give an application the ability to <em class="u">manage its own authorizations</em> and to choose the <em class="u">user attributes</em> it receives. Authentication itself cannot really be "*aaS": the application just uses it, it does not manage it.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> has features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can manage its own rules and headers. The Docker and VM images (Nginx only) include an <abbr title="LemonLDAP::NG">LL::NG</abbr> Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LL::NG authorization server</a>. By default, every authenticated user is allowed in and a single header is set: <code>Auth-User</code>. If the application passes a RULES_<abbr title="Uniform Resource Locator">URL</abbr> parameter pointing to a JSON file, the authorization server fetches it, applies the rules it declares and sets the headers it requests <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>. Because that file decides who may access the application, serve it only to the authorization server (see the <code>/rules.json</code> locations in the examples below) and keep it out of reach of the application's users.
</p>
<p>
There are two architectures to do this:
</p>
<ul>
<li class="level1"><div class="li">Using a <a href="psgi.html" class="wikilink1" title="documentation:2.0:psgi">global FastCGI (or uWSGI) server</a></div>
</li>
<li class="level1"><div class="li">Using front reverse-proxies <em>(some cloud installations put reverse-proxies in front of the applications)</em></div>
</li>
</ul>
<p>
Example of a global FastCGI architecture:
</p>
<p>
<a href="documentation/devops.png_documentation_2.0_ssoaas.html" class="media" title="documentation:devops.png"><img src="documentation/devops.png" class="media" alt="" /></a>
</p>
<p>
In both cases, the Handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
</p>
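<p>
As an added example (not part of the LL::NG documentation or code), here is a rules.json such as RULES_URL would point to, together with a small Python check that a deployment pipeline can run before publishing the file. The document layout (a <code>rules</code> object keyed by URI regular expression plus <code>default</code>, and a <code>headers</code> object keyed by header name, with LL::NG rule and attribute expressions as values) is the one described on the DevOps Handler page; the paths, the <code>api-users</code> group and the <code>$mail</code> attribute are made-up values, and Python's <code>re</code> is only an approximation of the Perl regular expressions LL::NG evaluates.
</p>

```python
import json
import re

# Added example, not LL::NG code: a rules.json as fetched through RULES_URL.
# Layout per the DevOps Handler page: "rules" keyed by URI regex or "default",
# "headers" keyed by header name; values are LL::NG rule / attribute expressions.
# The paths, the "api-users" group and the $mail attribute are made-up values.
RULES = {
    "rules": {
        "^/admin": "$uid eq 'admin'",       # only this account
        "^/api/": "inGroup('api-users')",   # hypothetical group name
        "default": "accept",                # any authenticated user elsewhere
    },
    "headers": {
        "Auth-User": "$uid",
        "Auth-Mail": "$mail",               # assumes a "mail" session attribute
    },
}

# RFC 7230 token characters: a header name outside this set will not survive a web server
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_rules(doc):
    """Return the problems found in a rules.json document (an empty list means it is usable)."""
    problems = []
    rules = doc.get("rules")
    if not isinstance(rules, dict) or not rules:
        return ["'rules' must be a non-empty object"]
    if "default" not in rules:
        problems.append("no 'default' rule: add one so that unmatched URIs are covered explicitly")
    for pattern, rule in rules.items():
        if pattern != "default":
            try:
                re.compile(pattern)  # Python re as a sanity check for the Perl regex
            except re.error as err:
                problems.append(f"rule {pattern!r} is not a valid regex: {err}")
        if not isinstance(rule, str) or not rule.strip():
            problems.append(f"rule {pattern!r} has an empty expression")
    headers = doc.get("headers", {})
    if not isinstance(headers, dict):
        problems.append("'headers' must be an object")
    else:
        for name, expr in headers.items():
            if not _TOKEN.match(name):
                problems.append(f"header name {name!r} is not a valid HTTP token")
            if not isinstance(expr, str) or not expr.strip():
                problems.append(f"header {name!r} has an empty expression")
    return problems


def render_rules(doc):
    """Serialize the document for /rules.json; refuse to emit a broken one."""
    problems = validate_rules(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(doc, indent=2) + "\n"


if __name__ == "__main__":
    # Write the file the web server serves at /rules.json (restricted to the LL::NG server)
    with open("rules.json", "w") as fh:
        fh.write(render_rules(RULES))
```

The check is deliberately strict: a rules file with a typo in a regex or a header name that the web server drops fails silently in production, while an explicit <code>default</code> rule makes the fallback behaviour visible to whoever reviews the file.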
</div>
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42-1839] -->
<h2 class="sectionedit3" id="examples_of_webserver_configuration_for_dockervm_images">Examples of webserver configuration for Docker/VM images</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Examples of webserver configuration for Docker/VM images" [1840-1909] -->
<h3 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h3>
<div class="level3">
</div>
<h4 id="nginx">Nginx</h4>
<div class="level4">
<p>
In this example, the web server templates (Nginx only) are configured to request authorization from a central FastCGI server. Note that only the PHP locations are protected: the <code>location /</code> block that serves static files has no <code>auth_request</code> and is reachable without authentication.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name myapp.domain.com;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    # Pass authorization requests to the central FastCGI server:
    fastcgi_pass 10.1.2.3:9090;
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (the LLNG server itself receives /lmauth)
    fastcgi_param X_ORIGINAL_URI $request_uri;
    # Set rules dynamically (LLNG polls this URL every 10 minutes)
    fastcgi_param RULES_URL http://rulesserver/my.json;
  }
  location /rules.json {
    # Not protected by LLNG; readable only by the central server
    # (if the rules file is served from this vhost)
    auth_request off;
    allow 10.1.2.3;
    deny all;
  }
  location ~ ^(.*\.php)$ {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    ...
    # Example with php-fpm:
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }
  location / {
    # No auth_request here: static files are served to anyone
    try_files $uri $uri/ =404;
  }
}</pre>
</dd></dl>
</div>
<h4 id="apache">Apache</h4>
<div class="level4">
<p>
There is an experimental FastCGI client in <abbr title="LemonLDAP::NG">LL::NG</abbr>. Install FCGI::Client and add the following to the apache2.conf of your web applications or proxies.
</p>
<p>
The following configuration example assumes that you are in a "central FastCGI" configuration.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">apache2.conf</a></dt>
<dd><pre class="code file apache">&lt;VirtualHost ...&gt;
  ServerName app.tld
  PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2::FCGIClient
  # This must point to the central FastCGI server
  PerlSetVar LLNG_SERVER 192.0.2.1:9090
  # Declare this vhost as a DevOps vhost, so that we do not have
  # to declare it in the LemonLDAP::NG Manager
  PerlSetVar VHOSTTYPE DevOps
  # This URL will be fetched by the central FastCGI server and
  # used to make the authorization decision about this virtualhost.
  # Make sure the central FastCGI server can reach it, and that
  # /rules.json is served to it without LL::NG protection
  PerlSetVar RULES_URL http://app.tld/rules.json
  ...
&lt;/VirtualHost&gt;</pre>
</dd></dl>
</div>
<h4 id="nodejs">Node.js</h4>
<div class="level4">
<p>
Using <a href="https://github.com/expressjs/express#readme" class="urlextern" title="https://github.com/expressjs/express#readme" rel="nofollow">express</a> and <a href="https://github.com/LemonLDAPNG/node-fastcgi-authz-client" class="urlextern" title="https://github.com/LemonLDAPNG/node-fastcgi-authz-client" rel="nofollow">fastcgi-authz-client</a>, you can also protect an Express server. Example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.2.code" title="Download Snippet" class="mediafile mf_js">app.js</a></dt>
<dd><pre class="code file javascript">var express = require('express');
var app = express();
var FcgiAuthz = require('fastcgi-authz-client');
// Ask the central LL::NG FastCGI server before serving any route
var handler = FcgiAuthz({
  host: '127.0.0.1',
  port: 9090,
  PARAMS: {
    RULES_URL: 'http://my-server/rules.json'
  }
});
app.use(handler);
// Simple express application: headers set by LL::NG are in req.upstreamHeaders
app.get('/', function (req, res) {
  return res.send('Hello ' + req.upstreamHeaders['auth-user'] + ' !');
});
// Launch server
app.listen(3000, function () {
  return console.log('Example app listening on port 3000!');
});</pre>
</dd></dl>
</div>
<h4 id="plack_application">Plack application</h4>
<div class="level4">
<p>
You just have to enable <a href="https://metacpan.org/pod/Plack::Middleware::Auth::FCGI" class="urlextern" title="https://metacpan.org/pod/Plack::Middleware::Auth::FCGI" rel="nofollow">Plack::Middleware::Auth::FCGI</a>. Simple example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.3.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dd><pre class="code file perl">use Plack::Builder;

my $app = sub {
    my $env = shift;
    # Headers returned by the LL::NG server are exposed as "fcgiauth-&lt;header&gt;" keys;
    # the key must be quoted, a bareword with dashes would be parsed as a subtraction
    my $user = $env-&gt;{'fcgiauth-auth-user'};
    return [ 200, [ 'Content-Type' =&gt; 'text/plain' ], ["Hello $user"] ];
};

# Optionally ($fcgiResponse is the PSGI response of the remote FCGI auth server)
#sub on_reject {
#    my ( $self, $env, $fcgiResponse ) = @_;
#    my $statusCode = $fcgiResponse-&gt;{status};
#    ...
#}

builder {
    enable "Auth::FCGI",
      host             =&gt; '127.0.0.1',
      port             =&gt; '9090',
      fcgi_auth_params =&gt; {
        RULES_URL =&gt; 'https://my-server/my.json',
      },
      # Optional rejection subroutine
      #on_reject =&gt; \&amp;on_reject,
      ;
    $app;
};</pre>
</dd></dl>
</div>
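<p>
The four clients above (Nginx <code>auth_request</code>, the Apache FCGIClient, fastcgi-authz-client and Plack::Middleware::Auth::FCGI) all perform the same exchange: they send a FastCGI request to the central LL::NG server carrying the parameters shown in the configurations (VHOSTTYPE, HOST, X_ORIGINAL_URI, RULES_URL, no request body) and turn its CGI-style reply into allow, redirect-to-portal or deny. The following Python module is an added example, not LL::NG code nor any of the clients linked on this page; it implements that exchange from the FastCGI record layout so that the decision logic can be read and tested offline. The server address, the portal URL and the reply bytes at the end are constructed for the example, not captured traffic.
</p>

```python
import socket
import struct

# Added example, not LL::NG code: the FastCGI authorization exchange that the
# nginx, Apache, Node.js and Plack clients on this page all perform against the
# central LL::NG server. Addresses, URLs and the sample replies are constructed.

FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
FCGI_RESPONDER = 1


def fcgi_record(rtype, content, request_id=1):
    """One FastCGI record: 8-byte header, content, zero padding to a multiple of 8."""
    pad = (8 - len(content) % 8) % 8
    header = struct.pack("!BBHHBx", 1, rtype, request_id, len(content), pad)
    return header + content + b"\0" * pad


def encode_params(params):
    """FastCGI name-value pairs: 1-byte lengths below 128, else 4 bytes with the high bit set."""
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        for length in (len(n), len(v)):
            if length >= 128:
                out += struct.pack("!I", length | 0x80000000)
            else:
                out += struct.pack("!B", length)
        out += n + v
    return out


def authz_request(http_host, original_uri, rules_url, method="GET"):
    """Bytes a DevOps vhost sends for one request: parameters only, the body is dropped."""
    params = {
        "REQUEST_METHOD": method,
        "VHOSTTYPE": "DevOps",           # force the DevOps handler
        "HOST": http_host,               # original Host header
        "X_ORIGINAL_URI": original_uri,  # URI the user asked for (the server itself sees /lmauth)
        "RULES_URL": rules_url,          # where the central server fetches rules.json
        "CONTENT_LENGTH": "",            # POST data is not forwarded
    }
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)  # role RESPONDER, flags 0 (no KEEP_CONN)
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin)
            + fcgi_record(FCGI_PARAMS, encode_params(params))
            + fcgi_record(FCGI_PARAMS, b"")   # empty record ends the parameters
            + fcgi_record(FCGI_STDIN, b""))   # empty record ends the (absent) body


def parse_records(data):
    """Split a byte string into (type, content) tuples, skipping padding."""
    records, pos = [], 0
    while len(data) - pos >= 8:
        _, rtype, _, clen, pad = struct.unpack("!BBHHBx", data[pos:pos + 8])
        records.append((rtype, data[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + pad
    return records


def decide(response_bytes):
    """Turn the server's STDOUT (CGI headers) into an authorization decision.

    200 gives ("allow", headers to copy to the application); 401 with Location
    gives ("redirect", portal URL), which is what error_page 401 $lmlocation does
    in the nginx examples; anything else (403 when a rule denies) gives ("deny", status).
    """
    stdout = b"".join(c for t, c in parse_records(response_bytes) if t == FCGI_STDOUT)
    head = stdout.split(b"\r\n\r\n", 1)[0].decode()
    headers = {}
    for line in head.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    status = int(headers.get("status", "200").split()[0])  # CGI: no Status header means 200
    if status == 200:
        return "allow", {k: v for k, v in headers.items() if k != "status"}
    if status == 401 and "location" in headers:
        return "redirect", headers["location"]
    return "deny", status


def authorize(server, http_host, original_uri, rules_url, timeout=3):
    """Send one authorization request to the central server (host, port) and decide."""
    with socket.create_connection(server, timeout=timeout) as sock:
        sock.sendall(authz_request(http_host, original_uri, rules_url))
        data = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            data += chunk
            if any(t == FCGI_END_REQUEST for t, _ in parse_records(data)):
                break
    return decide(data)


# Constructed replies in the shape the central server sends (not captured traffic):
END = fcgi_record(FCGI_END_REQUEST, b"\0" * 8)
ALLOWED = fcgi_record(FCGI_STDOUT, b"Status: 200 OK\r\nLm-Remote-User: dwho\r\nAuth-User: dwho\r\n\r\n") + END
NOT_LOGGED_IN = fcgi_record(FCGI_STDOUT, b"Status: 401 Unauthorized\r\nLocation: https://auth.example.com/\r\n\r\n") + END
FORBIDDEN = fcgi_record(FCGI_STDOUT, b"Status: 403 Forbidden\r\n\r\n") + END

if __name__ == "__main__":
    print(decide(ALLOWED), decide(NOT_LOGGED_IN), decide(FORBIDDEN))
    # Against a real central server, e.g. the 10.1.2.3:9090 of the nginx example above:
    # print(authorize(("10.1.2.3", 9090), "myapp.domain.com", "/index.php", "http://rulesserver/my.json"))
```

Two points worth keeping in mind when reading it against the configurations: the request carries no body, exactly like <code>fastcgi_pass_request_body off</code> in the nginx snippets, and only a 200 reply may release the request, so a client that treated a connection error or an unparseable reply as "allow" would fail open; <code>decide</code> therefore returns deny for anything that is not an explicit 200 or a 401 redirect.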
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [1910-5805] -->
<h3 class="sectionedit5" id="using_front_reverse-proxies">Using front reverse-proxies</h3>
<div class="level3">
<p>
This is a simple Nginx configuration file. It looks like a standard <abbr title="LemonLDAP::NG">LL::NG</abbr> Nginx configuration file except for:
</p>
<ul>
<li class="level1"><div class="li">the VHOSTTYPE parameter is forced to DevOps, so the DevOps handler is used</div>
</li>
<li class="level1"><div class="li">/rules.json must not be protected by <abbr title="LemonLDAP::NG">LL::NG</abbr> but by the web server itself</div>
</li>
</ul>
<p>
This configuration handles <code>*.dev.sso.my.domain</code> <abbr title="Uniform Resource Locator">URL</abbr>s and forwards authenticated requests to <code>&lt;vhost&gt;.internal.domain</code>. Rules can be defined in <code>/rules.json</code>, located at the website root directory. Note that any name under <code>internal.domain</code> that the regular expression captures can be reached through this proxy once the user is authenticated, so only hosts meant to be exposed this way should resolve there.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.4.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name "~^(?&lt;vhost&gt;.+?)\.dev\.sso\.my\.domain$";
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    # Force handler type:
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (the LLNG server itself receives /lmauth)
    fastcgi_param X_ORIGINAL_URI $request_uri;
  }
  location /rules.json {
    # Served from this server's root, not from the backend; restricted to the
    # local LLNG FastCGI server instead of being protected by LLNG
    auth_request off;
    allow 127.0.0.0/8;
    deny all;
  }
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    # $vhost comes from the Host header; because proxy_pass uses a variable,
    # nginx needs a "resolver" directive to look up $vhost.internal.domain at runtime
    proxy_pass https://$vhost.internal.domain;
  }
}</pre>
</dd></dl>
</div>
<!-- EDIT5 SECTION "Using front reverse-proxies" [5806-] --></div>
</body>
</html>