Update to 2021-12-01 19:13

2025-08-03 23:26:58 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/lemonldap_ng/templates/httpd_portal.conf.j2
+++ b/roles/lemonldap_ng/templates/httpd_portal.conf.j2
@@ -0,0 +1,175 @@
+<VirtualHost 0.0.0.0:80>
+  ServerName {{ llng_portal_vhost }}
+  Include ansible_conf.d/common_env.inc
+  Include ansible_conf.d/common_letsencrypt.inc
+  Include ansible_conf.d/common_force_ssl.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost 0.0.0.0:443>
+    ServerName {{ llng_portal_vhost }}
+    SSLEngine On
+    Alias /_deferror/ "/usr/share/httpd/error/"
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_perf.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_letsencrypt.inc
+
+{% if llng_portal_ssl is defined %}
+{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
+    SSLCertificateFile {{ llng_portal_ssl.cert }}
+    SSLCertificateKeyFile {{ llng_portal_ssl.key }}
+{% if llng_portal_ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ llng_portal_ssl.cert_chain }}
+{% endif %}
+{% elif llng_portal_ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+{% endif %}
+
+    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
+        Require all granted
+        Options +ExecCGI +FollowSymLinks
+    </Directory>
+
+{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
+    SSLCACertificateFile {{ llng_portal_ssl.ca }}
+{% if llng_portal_ssl.crl is defined %}
+    SSLCARevocationFile {{ llng_portal_ssl.crl }}
+{% endif %}
+    <LocationMatch "^/($|\?url=.*|cas/login.*)">
+        SSLVerifyClient optional
+        SSLVerifyDepth 1
+        SSLOptions +StdEnvVars
+        SSLUserName SSL_CLIENT_S_DN_CN
+    </LocationMatch>
+{% endif %}
+
+    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+        # Note that Content-Security-Policy header is generated by portal itself
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        #CGIPassAuth on
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    # Uncomment this if status is enabled
+    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
+
+    # Static files
+    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static//
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
+        Require all granted
+        Options +FollowSymLinks
+    </Directory>
+    <Location /static/>
+        <IfModule mod_expires.c>
+            ExpiresActive On
+            ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.fcgi index.html
+    </IfModule>
+
+    # Enabe compression
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+  </VirtualHost>
+</IfModule>
+
+{% if (llng_soap_src_ip is defined and llng_soap_src_ip | length > 0) or (llng_soap_htpasswd is defined) %}
+<IfModule mod_ssl.c>
+  <VirtualHost 0.0.0.0:443>
+    ServerName {{ llng_soap_vhost }}
+    SSLEngine On
+    Alias /_deferror/ "/usr/share/httpd/error/"
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_letsencrypt.inc
+
+{% if llng_soap_ssl is defined %}
+{% if llng_soap_ssl.cert is defined and llng_soap_ssl.key is defined %}
+    SSLCertificateFile {{ llng_soap_ssl.cert }}
+    SSLCertificateKeyFile {{ llng_soap_ssl.key }}
+{% if llng_soap_ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ llng_soap_ssl.cert_chain }}
+{% endif %}
+{% elif llng_soap_ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+{% endif %}
+
+    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
+{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
+{% if llng_soap_pass is defined %}
+        <RequireAll>
+{% endif %}
+          Require ip {{ llng_soap_src_ip | join(' ') }}
+{% endif %}
+{% if llng_soap_pass is defined %}
+          AuthName "Lemonldap::NG SOAP endpoint"
+          AuthType Basic
+          AuthBasicProvider file
+          AuthUserFile /etc/lemonldap-ng/soap.htpasswd
+          Require valid-user
+{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
+        </RequireAll>
+{% endif %}
+{% endif %}
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+
+    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
+    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+    # Note that Content-Security-Policy header is generated by portal itself
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        #CGIPassAuth on
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    <LocationMatch "^(?!/index\.pl/(adminSessions|sessions|config|notifications))">
+      Require all denied
+    </LocationMatch>
+
+    # Enabe compression
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+
+  </VirtualHost>
+</IfModule>
+{% endif %}