Commit 0f0e4465 authored by Maxime Besson's avatar Maxime Besson

Suggest mod_remote_ip or real_ip usage in examples

As per #1612, LLNG does not support reading the real IP address from a
header anymore. These things are best delegated to the web server.
parent c7b4eb50
...@@ -35,7 +35,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503 ...@@ -35,7 +35,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
<Location /reload> <Location /reload>
<IfVersion >= 2.3> <IfVersion >= 2.3>
Require ip 127 ::1 Require ip 127 ::1
</IfVersion> </IfVersion>
<IfVersion < 2.3> <IfVersion < 2.3>
Order Deny,Allow Order Deny,Allow
Deny from all Deny from all
...@@ -49,7 +49,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503 ...@@ -49,7 +49,7 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
#<Location /status> #<Location /status>
# <IfVersion >= 2.3> # <IfVersion >= 2.3>
# Require ip 127 ::1 # Require ip 127 ::1
# </IfVersion> # </IfVersion>
# <IfVersion < 2.3> # <IfVersion < 2.3>
# Order Deny,Allow # Order Deny,Allow
# Deny from all # Deny from all
......
...@@ -21,6 +21,15 @@ server { ...@@ -21,6 +21,15 @@ server {
server_name reload.__DNSDOMAIN__; server_name reload.__DNSDOMAIN__;
root /var/www/html; root /var/www/html;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
location = /reload { location = /reload {
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;
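Review bot: The suggested `set_real_ip_from` / `real_ip_header` pair sits in the same server block as `location = /reload`, whose `allow 127.0.0.1; deny all;` is evaluated against the address the realip module substitutes. The comment does not say that the header is only trustworthy when the proxy sets it itself. I would add a line such as `# The proxy must overwrite or append to this header itself; list only your proxy addresses in set_real_ip_from`, so that the access rule never sees a value carried in unchanged from the client. The same comment block is repeated in the manager, portal and test nginx sections further down and would take the same line. The server block continues outside the hunk.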
......
...@@ -14,6 +14,15 @@ ...@@ -14,6 +14,15 @@
#CustomLog __APACHELOGDIR__/manager.log llng #CustomLog __APACHELOGDIR__/manager.log llng
#ErrorLog __APACHELOGDIR__/lm_err.log #ErrorLog __APACHELOGDIR__/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION # FASTCGI CONFIGURATION
# --------------------- # ---------------------
...@@ -65,7 +74,7 @@ ...@@ -65,7 +74,7 @@
Header append Vary User-Agent env=!dont-vary Header append Vary User-Agent env=!dont-vary
</IfModule> </IfModule>
</Location> </Location>
# Static files (javascripts, HTML forms,...) # Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/ Alias /static/ __MANAGERSTATICDIR__/
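Review bot: `RemoteIPInternalProxy 127.0.0.1` makes Apache accept any address the listed proxy reports, private and loopback ranges included, and the comment mentions neither that nor the dependency on mod_remoteip. Where the proxy is not on an internal network, `RemoteIPTrustedProxy` is the stricter choice, since it refuses private and loopback addresses taken from the header. A comment line such as `# Requires mod_remoteip (Apache 2.4); use RemoteIPTrustedProxy if the proxy is not on your internal network` would cover both. Uncommenting the directives without the module loaded fails at configuration parse, and other examples on this page still carry `<IfVersion < 2.3>` branches, so Apache 2.2 users may well try it. The same block appears in the portal and test Apache sections below.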
......
...@@ -75,7 +75,7 @@ ...@@ -75,7 +75,7 @@
Header append Vary User-Agent env=!dont-vary Header append Vary User-Agent env=!dont-vary
</IfModule> </IfModule>
</Location> </Location>
# Static files (javascripts, HTML forms,...) # Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/ Alias /static/ __MANAGERSTATICDIR__/
......
...@@ -69,7 +69,7 @@ ...@@ -69,7 +69,7 @@
Header append Vary User-Agent env=!dont-vary Header append Vary User-Agent env=!dont-vary
</IfModule> </IfModule>
</Location> </Location>
# Static files (javascripts, HTML forms,...) # Static files (javascripts, HTML forms,...)
Alias /static/ __MANAGERSTATICDIR__/ Alias /static/ __MANAGERSTATICDIR__/
......
...@@ -5,6 +5,15 @@ server { ...@@ -5,6 +5,15 @@ server {
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf) # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app; #access_log /var/log/nginx/portal.log lm_app;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) { if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
rewrite ^/(.*)$ /manager.psgi/$1 break; rewrite ^/(.*)$ /manager.psgi/$1 break;
} }
......
...@@ -12,6 +12,14 @@ ...@@ -12,6 +12,14 @@
# See above to set LLNG user id in Apache logs # See above to set LLNG user id in Apache logs
#CustomLog __APACHELOGDIR__/portal.log llng #CustomLog __APACHELOGDIR__/portal.log llng
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# DocumentRoot (FCGI scripts) # DocumentRoot (FCGI scripts)
DocumentRoot __PORTALSITEDIR__ DocumentRoot __PORTALSITEDIR__
<Directory __PORTALSITEDIR__> <Directory __PORTALSITEDIR__>
......
...@@ -5,6 +5,15 @@ server { ...@@ -5,6 +5,15 @@ server {
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf) # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
#access_log /var/log/nginx/portal.log lm_app; #access_log /var/log/nginx/portal.log lm_app;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) { if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break; rewrite ^/(.*)$ /index.psgi/$1 break;
} }
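Review bot: With `real_ip_recursive` left at its default, nginx takes the last address in `X-Forwarded-For`, which is the end user only when exactly one proxy sits in front, and the comment does not mention this. Behind a chain of proxies LemonLDAP::NG would presumably see the inner proxy's address rather than the user's. I would extend the example with `#real_ip_recursive on;` and a note that each trusted hop needs its own `set_real_ip_from` line. This applies equally to the other nginx sections in this commit.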
......
...@@ -9,6 +9,14 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu ...@@ -9,6 +9,14 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
ServerName test1.__DNSDOMAIN__ ServerName test1.__DNSDOMAIN__
ServerAlias test2.__DNSDOMAIN__ ServerAlias test2.__DNSDOMAIN__
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# SSO protection # SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2 PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
......
...@@ -3,6 +3,14 @@ server { ...@@ -3,6 +3,14 @@ server {
server_name test1.__DNSDOMAIN__ test2.__DNSDOMAIN__; server_name test1.__DNSDOMAIN__ test2.__DNSDOMAIN__;
root __TESTDIR__; root __TESTDIR__;
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
# As an alternative, you can use the PROXY protocol
#
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
# Internal authentication request # Internal authentication request
location = /lmauth { location = /lmauth {
...@@ -100,7 +108,7 @@ server { ...@@ -100,7 +108,7 @@ server {
# include /etc/nginx/fastcgi_params; # include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock; # fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
# fastcgi_param LLTYPE status; # fastcgi_param LLTYPE status;
### Or with uWSGI ### Or with uWSGI
## include /etc/nginx/uwsgi_params; ## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000; ## uwsgi_pass 127.0.0.1:5000;
......