LemonLDAP : Activer le HTTPS + Reverse-Proxy

LemonLDAP : Activer le HTTPS + Reverse-Proxy

Table of Contents

Apache / Nginx configuration

La 1ère chose à faire est de configurer le serveur web pour le passer en HTTPS.

LemonLDAP configuration

La 2nde étape est de configurer les URL en HTTPS pour le portail, cookie, ...

  • A exécuter en tant que root :

    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      set \
          portal https://auth.example.com \
          mailUrl https://auth.example.com/resetpwd \
          registerUrl https://auth.example.com/register \
          https 1 \
          securedCookie 1

Reverse-Proxy configuration

Nginx : Reverse Proxy avec SSL - slash-root.fr

Si le portail est derrière un reverse-proxy en HTTPS, il est impératif d'effectuer les manipulations plus haut.

  • Exemple d'un vhost sous Nginx pour le portail :

    server {
    listen 80;
    server_name auth.example.fr;
    rewrite ^ https://auth.example.fr permanent;
    }
    
    server {
    listen 443 ssl;
    server_name auth.example.fr;
    ssl_certificate /etc/letsencrypt/live/auth.example.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.fr/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    error_log /var/log/nginx/error.log;
    
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.49.68:80;
    }
    }
  • Exemple d'un vhost sous Nginx pour le manager :

    server {
    listen 80;
    server_name manager.example.fr;
    rewrite ^ https://manager.example.fr permanent;
    }
    
    server {
    listen 443 ssl;
    server_name manager.example.fr;
    ssl_certificate /etc/letsencrypt/live/manager.example.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/manager.example.fr/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.49.68:80;
    }
    }
  • Le serveur web doit être compilé avec le module --with-http_realip_module.

  • Pour vérifier :

    nginx -V
    
    ## Retour attendu :
    nginx version: nginx/1.14.2
    built with OpenSSL 1.1.1d  10 Sep 2019
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-m1Thpq/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-m1Thpq/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-m1Thpq/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-m1Thpq/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-m1Thpq/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-m1Thpq/nginx-1.14.2/debian/modules/http-subs-filter
Les commentaires sont fermés.