Update to 2022-02-22 23:00

2025-07-26 15:55:56 +02:00 · 2022-02-22 23:00:05 +01:00
parent 6b0f3de36b
commit aaec7274f9
14 changed files with 136 additions and 30 deletions
--- a/roles/lemonldap_ng/templates/llng-fastcgi-server.j2
+++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.j2
@@ -1,6 +1,6 @@
 USER=apache
 GROUP=apache
-NPROC={{ llng_fcgi_workers }}
+NPROC={{ llng_workers }}
 SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
 PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
 PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }}
--- a/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2
+++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2
@@ -15,7 +15,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
-MemoryLimit={{ llng_fcgi_workers * 250 }}M
+MemoryLimit={{ llng_workers * 250 }}M
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=1
--- a/roles/lemonldap_ng/templates/llng-uwsgi.service.j2
+++ b/roles/lemonldap_ng/templates/llng-uwsgi.service.j2
@@ -0,0 +1,44 @@
+[Unit]
+Description=uWSGI server for Lemonldap::NG websso system
+After=network.target
+
+[Service]
+Type=simple
+RuntimeDirectory=llng-uwsgi
+PIDFile=/run/llng-uwsgi/llng-uwsgi.pid
+User=apache
+# So we can restrict the socket to 660
+Group=nginx
+# So we can read /etc/lemonldap-ng/lemonldap-ng.ini
+SupplementaryGroups=apache
+WorkingDirectory=/usr/share/lemonldap-ng/llng-server
+ExecStart=/usr/sbin/uwsgi \
+             --plugin psgi \
+             --psgi llng-server.psgi \
+             --plugin systemd_logger \
+             --logger systemd \
+             --socket /run/llng-uwsgi/llng-uwsgi.sock \
+             --chmod-socket=660 \
+             --master \
+             --workers {{ llng_workers }} \
+             --max-worker-lifetime 604800 \
+             --max-requests 100000 \
+             --disable-logging \
+             --harakiri 30 \
+             --buffer-size 65535 \
+             --limit-post 0 \
+             --safe-pidfile /run/llng-uwsgi/llng-uwsgi.pid \
+             --die-on-term
+ExecReload=kill -HUP $MAINPID
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ llng_workers * 250 }}M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/lemonldap_ng/templates/nginx_handler.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_handler.conf.j2
@@ -3,7 +3,13 @@ location /llng-reload {
  allow {{ ip }};
 {% endfor %}
  deny all;
+{% if llng_engine == 'fastcgi' %}
  include /etc/nginx/fastcgi_params;
  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  fastcgi_param LLTYPE reload;
+{% elif llng_engine == 'uwsgi' %}
+  include /etc/nginx/uwsgi_params;
+  uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+  uwsgi_param LLTYPE reload;
+{% endif %}
 }
--- a/roles/lemonldap_ng/templates/nginx_manager.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_manager.conf.j2
@@ -23,12 +23,20 @@ server {
  }

  location  ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+{% if llng_engine == 'fastcgi' %}
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-    fastcgi_param LLTYPE manager;
+    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
  }

  location / {
--- a/roles/lemonldap_ng/templates/nginx_portal.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_portal.conf.j2
@@ -23,20 +23,26 @@ server {
  }

  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+{% if llng_engine == 'fastcgi' %}
    include /etc/nginx/fastcgi_params;
-
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
-
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
 {% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
      default           "";
      ~/CN=(?<CN>[^/]+) $CN;
    }
-    fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+    {{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
 {% endif %}
  }

@@ -82,12 +88,20 @@ server {
 {% endif %}

  location ~ /index.psgi/(adminSessions|sessions|config|notification) {
+{% if llng_engine == 'fastcgi' %}
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
 {% for ip in llng_api_src_ip %}
    allow {{ ip }};
 {% endfor %}