dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Suggest mod_remote_ip or real_ip usage in examples

Browse Source 
As per #1612, LLNG does not support reading the real IP address from a
header anymore. These things are best delegated to the web server.
This commit is contained in:
Maxime Besson 2019-02-07 11:26:19 +01:00
parent c7b4eb5051
commit 0f0e446512
10 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
_example/etc/handler-apache2.X.conf
View File

@ -35,7 +35,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
<Location /reload>
<IfVersion >= 2.3>
Require ip 127 ::1
</IfVersion>
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
@ -49,7 +49,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
#<Location /status>
# <IfVersion >= 2.3>
# Require ip 127 ::1
# </IfVersion>
# </IfVersion>
# <IfVersion < 2.3>
# Order Deny,Allow
# Deny from all

9
_example/etc/handler-nginx.conf
View File

@ -21,6 +21,15 @@ server {
server_name reload.__DNSDOMAIN__;
root /var/www/html;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
location = /reload {
allow 127.0.0.1;
deny all;

11
_example/etc/manager-apache2.4.conf
View File

@ -14,6 +14,15 @@
#CustomLog __APACHELOGDIR__/manager.log llng
#ErrorLog __APACHELOGDIR__/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION
# ---------------------
@ -65,7 +74,7 @@
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/

2
_example/etc/manager-apache2.X.conf
View File

@ -75,7 +75,7 @@
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/

2
_example/etc/manager-apache2.conf
View File

@ -69,7 +69,7 @@
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/

9
_example/etc/manager-nginx.conf
View File

@ -5,6 +5,15 @@ server {
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}

8
_example/etc/portal-apache2.4.conf
View File

@ -12,6 +12,14 @@
# See above to set LLNG user id in Apache logs
#CustomLog __APACHELOGDIR__/portal.log llng
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# DocumentRoot (FCGI scripts)
DocumentRoot __PORTALSITEDIR__
<Directory __PORTALSITEDIR__>

9
_example/etc/portal-nginx.conf
View File

@ -5,6 +5,15 @@ server {
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}

8
_example/etc/test-apache2.4.conf
View File

@ -9,6 +9,14 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
ServerName test1.__DNSDOMAIN__
ServerAlias test2.__DNSDOMAIN__
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2

10
_example/etc/test-nginx.conf
View File

@ -3,6 +3,14 @@ server {
server_name test1.__DNSDOMAIN__ test2.__DNSDOMAIN__;
root __TESTDIR__;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
# Internal authentication request
location = /lmauth {
@ -100,7 +108,7 @@ server {
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;