You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
176 lines
6.4 KiB
176 lines
6.4 KiB
5 years ago
|
<VirtualHost 0.0.0.0:80>
|
||
|
|
ServerName {{ llng_portal_vhost }}
|
||
|
|
Include ansible_conf.d/common_env.inc
|
||
|
|
Include ansible_conf.d/common_letsencrypt.inc
|
||
|
|
Include ansible_conf.d/common_force_ssl.inc
|
||
|
|
</VirtualHost>
|
||
|
|
<IfModule mod_ssl.c>
|
||
|
|
<VirtualHost 0.0.0.0:443>
|
||
|
|
ServerName {{ llng_portal_vhost }}
|
||
|
|
SSLEngine On
|
||
|
|
Alias /_deferror/ "/usr/share/httpd/error/"
|
||
|
|
Include ansible_conf.d/common_env.inc
|
||
|
|
Include ansible_conf.d/common_perf.inc
|
||
|
|
Include ansible_conf.d/common_filter.inc
|
||
|
|
Include ansible_conf.d/common_letsencrypt.inc
|
||
|
|
|
||
|
|
{% if llng_portal_ssl is defined %}
|
||
|
|
{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
|
||
|
|
SSLCertificateFile {{ llng_portal_ssl.cert }}
|
||
|
|
SSLCertificateKeyFile {{ llng_portal_ssl.key }}
|
||
|
|
{% if llng_portal_ssl.cert_chain is defined %}
|
||
|
|
SSLCertificateChainFile {{ llng_portal_ssl.cert_chain }}
|
||
|
|
{% endif %}
|
||
|
|
{% elif llng_portal_ssl.letsencrypt_cert is defined %}
|
||
|
|
SSLCertificateFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/cert.pem
|
||
|
|
SSLCertificateKeyFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem
|
||
|
|
SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/chain.pem
|
||
|
|
{% endif %}
|
||
|
|
{% endif %}
|
||
|
|
|
||
|
|
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
|
||
|
|
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
|
||
|
|
Require all granted
|
||
|
|
Options +ExecCGI +FollowSymLinks
|
||
|
|
</Directory>
|
||
|
|
|
||
|
|
{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
|
||
|
|
SSLCACertificateFile {{ llng_portal_ssl.ca }}
|
||
|
|
{% if llng_portal_ssl.crl is defined %}
|
||
|
|
SSLCARevocationFile {{ llng_portal_ssl.crl }}
|
||
|
|
{% endif %}
|
||
|
|
<LocationMatch "^/($|\?url=.*|cas/login.*)">
|
||
|
|
SSLVerifyClient optional
|
||
|
|
SSLVerifyDepth 1
|
||
|
|
SSLOptions +StdEnvVars
|
||
|
|
SSLUserName SSL_CLIENT_S_DN_CN
|
||
|
|
</LocationMatch>
|
||
|
|
{% endif %}
|
||
|
|
|
||
|
|
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
|
||
|
|
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
|
||
|
|
|
||
|
|
# Note that Content-Security-Policy header is generated by portal itself
|
||
|
|
<Files *.fcgi>
|
||
|
|
SetHandler fcgid-script
|
||
|
|
#CGIPassAuth on
|
||
|
|
Options +ExecCGI
|
||
|
|
header unset Lm-Remote-User
|
||
|
|
</Files>
|
||
|
|
|
||
|
|
# Uncomment this if status is enabled
|
||
|
|
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
|
||
|
|
|
||
|
|
# Static files
|
||
|
|
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static//
|
||
|
|
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
|
||
|
|
Require all granted
|
||
|
|
Options +FollowSymLinks
|
||
|
|
</Directory>
|
||
|
|
<Location /static/>
|
||
|
|
<IfModule mod_expires.c>
|
||
|
|
ExpiresActive On
|
||
|
|
ExpiresDefault "access plus 1 month"
|
||
|
|
</IfModule>
|
||
|
|
</Location>
|
||
|
|
|
||
|
|
<IfModule mod_dir.c>
|
||
|
|
DirectoryIndex index.fcgi index.html
|
||
|
|
</IfModule>
|
||
|
|
|
||
|
|
# Enabe compression
|
||
|
|
<Location />
|
||
|
|
<IfModule mod_deflate.c>
|
||
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
|
||
|
|
SetOutputFilter DEFLATE
|
||
|
|
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
||
|
|
BrowserMatch ^Mozilla/4\.0[678] no-gzip
|
||
|
|
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
|
||
|
|
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
|
||
|
|
</IfModule>
|
||
|
|
<IfModule mod_headers.c>
|
||
|
|
Header append Vary User-Agent env=!dont-vary
|
||
|
|
</IfModule>
|
||
|
|
</Location>
|
||
|
|
</VirtualHost>
|
||
|
|
</IfModule>
|
||
|
|
|
||
|
|
{% if (llng_soap_src_ip is defined and llng_soap_src_ip | length > 0) or (llng_soap_htpasswd is defined) %}
|
||
|
|
<IfModule mod_ssl.c>
|
||
|
|
<VirtualHost 0.0.0.0:443>
|
||
|
|
ServerName {{ llng_soap_vhost }}
|
||
|
|
SSLEngine On
|
||
|
|
Alias /_deferror/ "/usr/share/httpd/error/"
|
||
|
|
Include ansible_conf.d/common_env.inc
|
||
|
|
Include ansible_conf.d/common_filter.inc
|
||
|
|
Include ansible_conf.d/common_letsencrypt.inc
|
||
|
|
|
||
|
|
{% if llng_soap_ssl is defined %}
|
||
|
|
{% if llng_soap_ssl.cert is defined and llng_soap_ssl.key is defined %}
|
||
|
|
SSLCertificateFile {{ llng_soap_ssl.cert }}
|
||
|
|
SSLCertificateKeyFile {{ llng_soap_ssl.key }}
|
||
|
|
{% if llng_soap_ssl.cert_chain is defined %}
|
||
|
|
SSLCertificateChainFile {{ llng_soap_ssl.cert_chain }}
|
||
|
|
{% endif %}
|
||
|
|
{% elif llng_soap_ssl.letsencrypt_cert is defined %}
|
||
|
|
SSLCertificateFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/cert.pem
|
||
|
|
SSLCertificateKeyFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/privkey.pem
|
||
|
|
SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/chain.pem
|
||
|
|
{% endif %}
|
||
|
|
{% endif %}
|
||
|
|
|
||
|
|
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
|
||
|
|
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
|
||
|
|
{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
|
||
|
|
{% if llng_soap_pass is defined %}
|
||
|
|
<RequireAll>
|
||
|
|
{% endif %}
|
||
|
|
Require ip {{ llng_soap_src_ip | join(' ') }}
|
||
|
|
{% endif %}
|
||
|
|
{% if llng_soap_pass is defined %}
|
||
|
|
AuthName "Lemonldap::NG SOAP endpoint"
|
||
|
|
AuthType Basic
|
||
|
|
AuthBasicProvider file
|
||
|
|
AuthUserFile /etc/lemonldap-ng/soap.htpasswd
|
||
|
|
Require valid-user
|
||
|
|
{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
|
||
|
|
</RequireAll>
|
||
|
|
{% endif %}
|
||
|
|
{% endif %}
|
||
|
|
Options +ExecCGI +FollowSymlinks
|
||
|
|
</Directory>
|
||
|
|
|
||
|
|
RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
|
||
|
|
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
|
||
|
|
|
||
|
|
# Note that Content-Security-Policy header is generated by portal itself
|
||
|
|
<Files *.fcgi>
|
||
|
|
SetHandler fcgid-script
|
||
|
|
#CGIPassAuth on
|
||
|
|
Options +ExecCGI
|
||
|
|
header unset Lm-Remote-User
|
||
|
|
</Files>
|
||
|
|
|
||
|
|
<LocationMatch "^(?!/index\.pl/(adminSessions|sessions|config|notifications))">
|
||
|
|
Require all denied
|
||
|
|
</LocationMatch>
|
||
|
|
|
||
|
|
# Enabe compression
|
||
|
|
<Location />
|
||
|
|
<IfModule mod_deflate.c>
|
||
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
|
||
|
|
SetOutputFilter DEFLATE
|
||
|
|
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
||
|
|
BrowserMatch ^Mozilla/4\.0[678] no-gzip
|
||
|
|
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
|
||
|
|
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
|
||
|
|
</IfModule>
|
||
|
|
<IfModule mod_headers.c>
|
||
|
|
Header append Vary User-Agent env=!dont-vary
|
||
|
|
</IfModule>
|
||
|
|
</Location>
|
||
|
|
|
||
|
|
</VirtualHost>
|
||
|
|
</IfModule>
|
||
|
|
{% endif %}
|