ssoaas.html 17.5 KB
Xavier Guimard committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:ssoaas</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,ssoaas"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="ssoaas.html"/>
<link rel="contents" href="ssoaas.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="https://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
<li class="level1"><div class="li"><a href="#examples_of_webserver_configuration_for_dockervm_images">Examples of webserver configuration for Docker/VM images</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#nginx">Nginx</a></div></li>
<li class="level3"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level3"><div class="li"><a href="#nodejs">Node.js</a></div></li>
<li class="level3"><div class="li"><a href="#plack_application">Plack application</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-41] -->
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
<div class="level2">

<p>
Access management provides 3 services:
</p>
<ul>
<li class="level1"><div class="li"> Global Authentication: Single Sign-On</div>
</li>
<li class="level1"><div class="li"> Authorization: authenticating a user is not enough; user rights must also be checked</div>
</li>
<li class="level1"><div class="li"> Accounting: <abbr title="Single Sign On">SSO</abbr> logs (access) + application logs <em>(transactions and results)</em></div>
</li>
</ul>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides all of these services (except application logs, of course, but headers are provided to make them possible).
</p>

<p>
Setting headers is another <abbr title="LemonLDAP::NG">LL::NG</abbr> service: <abbr title="LemonLDAP::NG">LL::NG</abbr> can provide any user attribute to an application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>.
</p>

<p>
<code>*aaS</code> means that the application can drive the underlying layer (IaaS for infrastructure, PaaS for platform, …). So for us, <code>SSOaaS</code> must provide the ability for an app to <em class="u">manage authorizations</em> and choose the <em class="u">user attributes</em> to set. Authentication cannot really be “*aaS”: an app must just use it, not manage it.
</p>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> offers some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can manage its own rules and headers. Docker or VM images (Nginx only) include an <abbr title="LemonLDAP::NG">LL::NG</abbr> Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LL::NG authorization server</a>. By default, all authenticated users are granted access and one header is set: <code>Auth-User</code>. If the application provides a RULES_<abbr title="Uniform Resource Locator">URL</abbr> parameter that refers to a JSON file, the authorization server will read it, apply the specified rules and set the required headers <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>.
</p>

<p>
There are two different architectures to do this:
</p>
<ul>
<li class="level1"><div class="li"> Using a <a href="psgi.html" class="wikilink1" title="documentation:2.0:psgi">global FastCGI (or uWSGI) server</a></div>
</li>
<li class="level1"><div class="li"> Using front reverse-proxies <em>(some cloud installations use reverse-proxies in front-end)</em></div>
</li>
</ul>

<p>
In both cases, the handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
</p>
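
<p>
The file that <code>RULES_URL</code> points to decides who reaches the application, so it is worth checking before the authorization server reads it. The following lint is an added example, not part of the original page or of LL::NG; the <code>rules</code>/<code>headers</code> layout of the file, the <code>lintRules</code> name and the sample data are assumptions made for illustration.
</p>

```javascript
'use strict';
// Added example, not LL::NG code. Assumed layout of the file served at RULES_URL:
//   {"rules": {REGEX or "default": RULE}, "headers": {NAME: EXPRESSION}}

const PUBLIC_RULES = new Set(['unprotect', 'skip']); // rule keywords that let anonymous users in
const HEADER_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function lintRules(text, rulesUrl) {
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });

  // The authorization server fetches this URL: plain HTTP lets the rules be altered in transit.
  try {
    const { protocol } = new URL(rulesUrl);
    if (protocol !== 'https:') add('warn', `RULES_URL is fetched over ${protocol}// and not https://`);
  } catch (e) {
    add('error', 'RULES_URL is not an absolute URL');
  }

  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    add('error', 'rules file is not valid JSON');
    return findings;
  }
  if (!isObject(doc)) {
    add('error', 'top level of the rules file must be a JSON object');
    return findings;
  }

  if (!isObject(doc.rules)) {
    add('warn', '"rules" is missing or is not an object');
  } else {
    if (!('default' in doc.rules)) add('warn', 'no "default" rule for URLs that match no pattern');
    for (const [pattern, rule] of Object.entries(doc.rules)) {
      if (typeof rule !== 'string' || rule.trim() === '') {
        add('error', `rule for "${pattern}" must be a non-empty string`);
        continue;
      }
      if (pattern !== 'default') {
        // First-pass check only: LL::NG evaluates Perl regexes, which JavaScript approximates.
        try { new RegExp(pattern); } catch (e) { add('error', `"${pattern}" is not a valid regex`); }
      }
      if (PUBLIC_RULES.has(rule.trim())) add('warn', `"${pattern}" is open without login (${rule.trim()})`);
    }
  }

  if (!isObject(doc.headers)) {
    add('warn', '"headers" is missing or is not an object');
  } else {
    for (const [name, expr] of Object.entries(doc.headers)) {
      if (!HEADER_NAME.test(name)) add('error', `"${name}" is not a valid header name`);
      if (typeof expr !== 'string' || expr.trim() === '') add('error', `header "${name}" has no value`);
    }
  }
  return findings;
}

// Constructed samples (not taken from a real deployment).
const SAMPLE_OK = '{"rules": {"^/admin": "$uid eq \'admin\'", "default": "accept"}, "headers": {"Auth-User": "$uid"}}';
const SAMPLE_BAD = '{"rules": {"^/(admin": "deny", "^/public": "unprotect"}, "headers": {"Auth User": "$uid"}}';

console.log(lintRules(SAMPLE_OK, 'https://my-server/rules.json'));
for (const f of lintRules(SAMPLE_BAD, 'http://rulesserver/my.json')) console.log(f.level, f.msg);
```

<p>
Running it in the pipeline that publishes the rules file, and failing the build on any <code>error</code> finding, keeps a broken file from ever being served.
</p>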

</div>
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42-1764] -->
<h2 class="sectionedit3" id="examples_of_webserver_configuration_for_dockervm_images">Examples of webserver configuration for Docker/VM images</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Examples of webserver configuration for Docker/VM images" [1765-1834] -->
<h3 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h3>
<div class="level3">

</div>

<h4 id="nginx">Nginx</h4>
<div class="level4">

<p>
In this example, web server templates (Nginx only) are configured to request authorization from a central FastCGI server:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name myapp.domain.com;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    # Pass authorization requests to the central FastCGI server:
    fastcgi_pass 10.1.2.3:9090;
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH &quot;&quot;;
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will receive /lmauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;
&nbsp;
    # Set rules dynamically (LLNG will poll it every 10 minutes)
    fastcgi_param RULES_URL http://rulesserver/my.json;
  }
  location /rules.json {
    auth_request off;
    allow 10.1.2.3;
    deny all;
  }
  location ~ ^(.*\.php)$ {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    ...
    # Example with php-fpm:
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }
  location / {
    try_files $uri $uri/ =404;
  }
}</pre>
</dd></dl>

</div>

<h4 id="apache">Apache</h4>
<div class="level4">

<p>
There is an experimental FastCGI client in LLNG. You just have to install FCGI::Client and add this to your apache2.conf:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">apache2.conf</a></dt>
<dd><pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> ...&gt;
    PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2::FCGIClient
    PerlSetVar LLNG_SERVER 127.0.0.1:<span class="nu0">9090</span>
    PerlSetVar VHOSTTYPE DevOps
    PerlSetVar RULES_URL http://app.tld/rules.json
    ...
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</dd></dl>

</div>

<h4 id="nodejs">Node.js</h4>
<div class="level4">

<p>
Using <a href="https://github.com/expressjs/express#readme" class="urlextern" title="https://github.com/expressjs/express#readme"  rel="nofollow">express</a> and <a href="https://github.com/LemonLDAPNG/node-fastcgi-authz-client" class="urlextern" title="https://github.com/LemonLDAPNG/node-fastcgi-authz-client"  rel="nofollow">fastcgi-authz-client</a>, you can also protect an Express server. Example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.2.code" title="Download Snippet" class="mediafile mf_js">app.js</a></dt>
<dd><pre class="code file javascript"><span class="kw1">var</span> express <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'express'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> app <span class="sy0">=</span> express<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> FcgiAuthz <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'fastcgi-authz-client'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> handler <span class="sy0">=</span> FcgiAuthz<span class="br0">&#40;</span><span class="br0">&#123;</span>
  host<span class="sy0">:</span> <span class="st0">'127.0.0.1'</span><span class="sy0">,</span>
  port<span class="sy0">:</span> <span class="nu0">9090</span><span class="sy0">,</span>
  PARAMS<span class="sy0">:</span> <span class="br0">&#123;</span>
    RULES_URL<span class="sy0">:</span> <span class="st0">'http://my-server/rules.json'</span>
  <span class="br0">&#125;</span>
<span class="br0">&#125;</span><span class="br0">&#41;</span><span class="sy0">;</span>
&nbsp;
app.<span class="me1">use</span><span class="br0">&#40;</span>handler<span class="br0">&#41;</span><span class="sy0">;</span>
&nbsp;
<span class="co1">// Simple express application</span>
app.<span class="kw1">get</span><span class="br0">&#40;</span><span class="st0">'/'</span><span class="sy0">,</span> <span class="kw1">function</span><span class="br0">&#40;</span>req<span class="sy0">,</span> res<span class="br0">&#41;</span> <span class="br0">&#123;</span>
  <span class="kw1">return</span> res.<span class="me1">send</span><span class="br0">&#40;</span><span class="st0">'Hello '</span> <span class="sy0">+</span> req.<span class="me1">upstreamHeaders</span><span class="br0">&#91;</span><span class="st0">'auth-user'</span><span class="br0">&#93;</span> <span class="sy0">+</span> <span class="st0">' !'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="br0">&#125;</span><span class="br0">&#41;</span><span class="sy0">;</span>
&nbsp;
<span class="co1">// Launch server</span>
app.<span class="me1">listen</span><span class="br0">&#40;</span><span class="nu0">3000</span><span class="sy0">,</span> <span class="kw1">function</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="br0">&#123;</span>
  <span class="kw1">return</span> console.<span class="me1">log</span><span class="br0">&#40;</span><span class="st0">'Example app listening on port 3000!'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="br0">&#125;</span><span class="br0">&#41;</span><span class="sy0">;</span></pre>
</dd></dl>
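
<p>
The Nginx example restricts <code>/rules.json</code> to the authorization server with <code>allow</code>/<code>deny</code>; an Express application that serves its own rules file needs the same restriction. The middleware below is an added example, not code from the original page or from fastcgi-authz-client; <code>rulesFileGuard</code>, <code>inCidr</code> and the addresses used are illustrative names and values.
</p>

```javascript
'use strict';
// Added example: Express-style middleware that serves /rules.json only to allowed
// IPv4 networks, mirroring the Nginx "allow ...; deny all;" block.
// Usage (mount before app.use(handler) so the rules file is not sent through LL::NG):
//   app.use(rulesFileGuard(['10.1.2.3'], fs.readFileSync('rules.json', 'utf8')));

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies in cidr ("a.b.c.d" or "a.b.c.d/bits"); malformed input never matches.
function inCidr(ip, cidr) {
  const [net, bitsText = '32'] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsText) || Number(bitsText) > 32) return false;
  const addr = ipv4ToInt(ip);
  const base = ipv4ToInt(net);
  if (addr === null || base === null) return false;
  const size = 2 ** (32 - Number(bitsText)); // number of addresses in the network
  return Math.floor(addr / size) === Math.floor(base / size);
}

function rulesFileGuard(allowed, rulesJson) {
  return function (req, res, next) {
    if (req.path !== '/rules.json') return next();
    // Use the socket peer, not X-Forwarded-For, which the client controls.
    // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
    const peer = String(req.socket.remoteAddress || '').replace(/^::ffff:/i, '');
    if (!allowed.some((cidr) => inCidr(peer, cidr))) {
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    res.setHeader('Content-Type', 'application/json');
    return res.end(rulesJson);
  };
}
```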

</div>

<h4 id="plack_application">Plack application</h4>
<div class="level4">

<p>
You just have to enable <a href="https://metacpan.org/pod/Plack::Middleware::Auth::FCGI" class="urlextern" title="https://metacpan.org/pod/Plack::Middleware::Auth::FCGI"  rel="nofollow">Plack::Middleware::Auth::FCGI</a>. Simple example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.3.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dd><pre class="code file perl"><span class="kw2">use</span> Plack<span class="sy0">::</span><span class="me2">Builder</span><span class="sy0">;</span>
&nbsp;
<span class="kw1">my</span> <span class="re0">$app</span>   <span class="sy0">=</span> <span class="kw2">sub</span> <span class="br0">&#123;</span>
  <span class="kw1">my</span> <span class="re0">$env</span> <span class="sy0">=</span> <a href="http://perldoc.perl.org/functions/shift.html"><span class="kw3">shift</span></a><span class="sy0">;</span>
  <span class="kw1">my</span> <span class="re0">$user</span> <span class="sy0">=</span> <span class="re0">$env</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'fcgiauth-auth-user'</span><span class="br0">&#125;</span><span class="sy0">;</span>
  <a href="http://perldoc.perl.org/functions/return.html"><span class="kw3">return</span></a> <span class="br0">&#91;</span> <span class="nu0">200</span><span class="sy0">,</span> <span class="br0">&#91;</span> <span class="st_h">'Content-Type'</span> <span class="sy0">=&gt;</span> <span class="st_h">'text/plain'</span> <span class="br0">&#93;</span><span class="sy0">,</span> <span class="br0">&#91;</span> <span class="st0">&quot;Hello $user&quot;</span> <span class="br0">&#93;</span> <span class="br0">&#93;</span><span class="sy0">;</span>
<span class="br0">&#125;</span><span class="sy0">;</span>
&nbsp;
<span class="co1"># Optionally ($fcgiResponse is the PSGI response of remote FCGI auth server)</span>
<span class="co1">#sub on_reject {</span>
<span class="co1">#    my($self,$env,$fcgiResponse) = @_;</span>
<span class="co1">#    my $statusCode = $fcgiResponse-&gt;{status};</span>
<span class="co1">#    ...</span>
<span class="co1">#}</span>
&nbsp;
builder
<span class="br0">&#123;</span>
  enable <span class="st0">&quot;Auth::FCGI&quot;</span><span class="sy0">,</span>
    host <span class="sy0">=&gt;</span> <span class="st_h">'127.0.0.1'</span><span class="sy0">,</span>
    port <span class="sy0">=&gt;</span> <span class="st_h">'9090'</span><span class="sy0">,</span>
    fcgi_auth_params <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
      RULES_URL <span class="sy0">=&gt;</span> <span class="st_h">'https://my-server/my.json'</span><span class="sy0">,</span>
    <span class="br0">&#125;</span><span class="sy0">,</span>
    <span class="co1"># Optional rejection subroutine</span>
    <span class="co1">#on_reject =&gt; \&amp;on_reject,</span>
    <span class="sy0">;</span>
  <span class="re0">$app</span><span class="sy0">;</span>
<span class="br0">&#125;</span><span class="sy0">;</span></pre>
</dd></dl>

</div>
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [1835-5202] -->
<h3 class="sectionedit5" id="using_front_reverse-proxies">Using front reverse-proxies</h3>
<div class="level3">

<p>
This is a simple Nginx configuration file. It looks like a standard <abbr title="LemonLDAP::NG">LL::NG</abbr> Nginx configuration file except for:
</p>
<ul>
<li class="level1"><div class="li"> The VHOSTTYPE parameter is forced, so that the DevOps handler is used</div>
</li>
<li class="level1"><div class="li"> /rules.json must not be protected by <abbr title="LemonLDAP::NG">LL::NG</abbr> but by the web server itself</div>
</li>
</ul>

<p>
This configuration handles <code>*.dev.sso.my.domain</code> <abbr title="Uniform Resource Locator">URLs</abbr> and forwards authenticated requests to <code>&lt;vhost&gt;.internal.domain</code>. Rules can be defined in <code>/rules.json</code>, which is located in the website root directory.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.4.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name &quot;~^(?&lt;vhost&gt;.+?)\.dev\.sso\.my\.domain$&quot;;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
    # Force handler type:
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH &quot;&quot;;
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will receive /lmauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;
  }
  location /rules.json {
    auth_request off;
    allow 127.0.0.0/8;
    deny all;
  }
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    proxy_pass https://$vhost.internal.domain;
  }
}</pre>
</dd></dl>

</div>
<!-- EDIT5 SECTION "Using front reverse-proxies" [5203-] --></div>
</body>
</html>