Update to 2022-02-22 23:00

roles/lemonldap_ng/defaults/main.yml

@@ -7,6 +7,11 @@ llng_manager: False
 # Either httpd or nginx
 llng_server: httpd
 
+# When using nginx, you can choose between fastcgi or uwsgi
+# uwsgi is faster but doesn't handle UTF-8 in the portal
+# so default is fastcgi. This setting has not effet when llng_server == 'httpd'
+llng_engine: fastcgi
+
 llng_portal_vhost: auth.{{ ansible_domain }}
 llng_api_vhost: sso-api.{{ ansible_domain }}
 llng_manager_vhost: sso-manager.{{ ansible_domain }}
@@ -62,5 +67,5 @@ llng_handler_db_user: lemonldapnghandler
 # llng_db_pass: s3cr3t.
 # llng_handler_db_pass
 
-# Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much
+# Number of llng-fastcgi-server or uwsgi workers. The upstream default is 7 but you might need to adjust to your load
-llng_fcgi_workers: 6
+llng_workers: 6

roles/lemonldap_ng/handlers/main.yml

@@ -3,5 +3,8 @@
 - include: ../httpd_common/handlers/main.yml
 - include: ../nginx/handlers/main.yml
 
-- name: restart llng-fastcgi-server
+- name: restart llng
-  service: name=llng-fastcgi-server state=restarted
+  service: name={{ (llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd') }} state=restarted
+
+- name: reload llng
+  service: name={{ (llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd') }} state={{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('reloaded', 'restarted') }}

roles/lemonldap_ng/tasks/main.yml

@@ -45,7 +45,7 @@
 
 - name: Deploy Lemonldap::NG main configuration
   template: src=lemonldap-ng.ini.j2 dest=/etc/lemonldap-ng/lemonldap-ng.ini group=apache mode=640
-  notify: restart {{ (llng_server == 'nginx') | ternary('llng-fastcgi-server','httpd') }}
+  notify: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('reload', 'restart') }} {{ (llng_server == 'nginx') | ternary('llng', 'httpd') }}"
   tags: web
 
 - name: Deploy Lemonldap::NG migration configuration
@@ -120,26 +120,40 @@
   when: llng_portal == True
   tags: web
 
-- when: llng_server == 'nginx'
+- name: Deploy custom llng-fastcgi-server unit
-  block:
+  template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service
-    - name: Deploy custom llng-fastcgi-server unit
+  notify: restart llng
-      template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service
+  register: llng_fastcgi_unit
-      notify: restart llng-fastcgi-server
+  tags: web
-      register: llng_fastcgi_unit
 
-    - name: Reload systemd
+- name: Deploy llng-fastcgi-server config
-      systemd: daemon_reload=True
+  template: src=llng-fastcgi-server.j2 dest=/etc/default/llng-fastcgi-server
+  notify: restart llng
+  tags: web
 
-    - name: Deploy llng-fastcgi-server config
+- name: Deploy llng-uwsgi unit
-      template: src=llng-fastcgi-server.j2 dest=/etc/default/llng-fastcgi-server
+  template: src=llng-uwsgi.service.j2 dest=/etc/systemd/system/llng-uwsgi.service
-      notify: restart llng-fastcgi-server
+  notify: restart llng
+  register: llng_uwsgi_unit
+  tags: web
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: llng_fastcgi_unit.changed or llng_uwsgi_unit.changed
   tags: web
 
 - name: Handle Fast CGI server
   service:
     name: llng-fastcgi-server
-    state: "{{ (llng_server == 'nginx') | ternary('started','stopped') }}"
+    state: "{{ (llng_server == 'nginx' and llng_engine == 'fastcgi') | ternary('started', 'stopped') }}"
-    enabled: "{{ (llng_server == 'nginx') | ternary(True,False) }}"
+    enabled: "{{ (llng_server == 'nginx' and llng_engine == 'fastcgi') | ternary(True, False) }}"
+  tags: web
+
+- name: Handle uWSGI server
+  service:
+    name: llng-uwsgi
+    state: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('started', 'stopped') }}"
+    enabled: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary(True, False) }}"
   tags: web
 
 - name: Set correct SELinux context for Lemonldap::NG files

roles/lemonldap_ng/templates/llng-fastcgi-server.j2

@@ -1,6 +1,6 @@
 USER=apache
 GROUP=apache
-NPROC={{ llng_fcgi_workers }}
+NPROC={{ llng_workers }}
 SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
 PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
 PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }}

roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2

@@ -15,7 +15,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
-MemoryLimit={{ llng_fcgi_workers * 250 }}M
+MemoryLimit={{ llng_workers * 250 }}M
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=1

roles/lemonldap_ng/templates/llng-uwsgi.service.j2

@@ -0,0 +1,44 @@
+[Unit]
+Description=uWSGI server for Lemonldap::NG websso system
+After=network.target
+
+[Service]
+Type=simple
+RuntimeDirectory=llng-uwsgi
+PIDFile=/run/llng-uwsgi/llng-uwsgi.pid
+User=apache
+# So we can restrict the socket to 660
+Group=nginx
+# So we can read /etc/lemonldap-ng/lemonldap-ng.ini
+SupplementaryGroups=apache
+WorkingDirectory=/usr/share/lemonldap-ng/llng-server
+ExecStart=/usr/sbin/uwsgi \
+             --plugin psgi \
+             --psgi llng-server.psgi \
+             --plugin systemd_logger \
+             --logger systemd \
+             --socket /run/llng-uwsgi/llng-uwsgi.sock \
+             --chmod-socket=660 \
+             --master \
+             --workers {{ llng_workers }} \
+             --max-worker-lifetime 604800 \
+             --max-requests 100000 \
+             --disable-logging \
+             --harakiri 30 \
+             --buffer-size 65535 \
+             --limit-post 0 \
+             --safe-pidfile /run/llng-uwsgi/llng-uwsgi.pid \
+             --die-on-term
+ExecReload=kill -HUP $MAINPID
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ llng_workers * 250 }}M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target

roles/lemonldap_ng/templates/nginx_handler.conf.j2

@@ -3,7 +3,13 @@ location /llng-reload {
   allow {{ ip }};
 {% endfor %}
   deny all;
+{% if llng_engine == 'fastcgi' %}
   include /etc/nginx/fastcgi_params;
   fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
   fastcgi_param LLTYPE reload;
+{% elif llng_engine == 'uwsgi' %}
+  include /etc/nginx/uwsgi_params;
+  uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+  uwsgi_param LLTYPE reload;
+{% endif %}
 }

roles/lemonldap_ng/templates/nginx_manager.conf.j2

@@ -23,12 +23,20 @@ server {
   }
 
   location  ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+{% if llng_engine == 'fastcgi' %}
     include /etc/nginx/fastcgi_params;
     fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-    fastcgi_param LLTYPE manager;
+    fastcgi_param LLTYPE psgi;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
   }
 
   location / {

roles/lemonldap_ng/templates/nginx_portal.conf.j2

@@ -23,20 +23,26 @@ server {
   }
 
   location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+{% if llng_engine == 'fastcgi' %}
     include /etc/nginx/fastcgi_params;
-
     fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
     fastcgi_param LLTYPE psgi;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO  $fastcgi_path_info;
-
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
 {% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
     map $ssl_client_s_dn $ssl_client_s_dn_cn {
       default           "";
       ~/CN=(?<CN>[^/]+) $CN;
     }
-    fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+    {{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
 {% endif %}
   }
 
@@ -82,12 +88,20 @@ server {
 {% endif %}
 
   location ~ /index.psgi/(adminSessions|sessions|config|notification) {
+{% if llng_engine == 'fastcgi' %}
     include /etc/nginx/fastcgi_params;
     fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
     fastcgi_param LLTYPE psgi;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO  $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
 {% for ip in llng_api_src_ip %}
     allow {{ ip }};
 {% endfor %}

roles/lemonldap_ng/vars/RedHat-7.yml

@@ -4,6 +4,8 @@ llng_common_packages:
   - lemonldap-ng-conf
   - perl-Cache-Cache
   - lemonldap-ng-fastcgi-server
+  - uwsgi-plugin-psgi
+  - uwsgi-logger-systemd
 
 llng_portal_packages:
   - python-passlib

roles/lemonldap_ng/vars/RedHat-8.yml

@@ -5,6 +5,8 @@ llng_common_packages:
   - perl-Cache-Cache
   - lemonldap-ng-fastcgi-server
   - python3-mysql
+  - uwsgi-plugin-psgi
+  - uwsgi-logger-systemd
 
 llng_portal_packages:
   - python3-passlib

roles/matrix_synapse/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
 # Synapse version to deploy
-synapse_version: 1.52.0
+synapse_version: 1.53.0
 
 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True

roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2

@@ -78,22 +78,30 @@ server {
 {% if vhost.auth == 'llng' or vhost.auth == 'llng_basic' %}
   ## lmauth endpoint for llng authentication
   location = /lmauth {
+{% if llng_engine | default('fastcgi') == 'fastcgi' %}
     internal;
     include /etc/nginx/fastcgi_params;
     fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-    # Drop post datas
     fastcgi_pass_request_body off;
     fastcgi_param CONTENT_LENGTH "";
-    # Keep original hostname
     fastcgi_param HOST $http_host;
-    # Keep original request (LLNG server will received /llauth)
+    fastcgi_param X_ORIGINAL_URI $request_uri;
-    fastcgi_param X_ORIGINAL_URI  $request_uri;
     # Use bigger buffers (see GLPI #49915)
     fastcgi_buffers 16 32k;
     fastcgi_buffer_size 64k;
+{% elif llng_engine | default('fastcgi') == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_pass_request_body off;
+    uwsgi_param CONTENT_LENGTH "";
+    uwsgi_param HOST $http_host;
+    uwsgi_param X_ORIGINAL_URI $request_uri;
+    uwsgi_buffers 16 32k;
+    uwsgi_buffer_size 64k;
+{% endif %}
 {% if vhost.auth == 'llng_basic' %}
     # Use basic auth on this vhost
-    fastcgi_param VHOSTTYPE AuthBasic;
+    {{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param VHOSTTYPE AuthBasic;
 {% endif %}
   }
 {% endif %}