PHP 7 nginx

Roland Gruber 2017-08-27 09:48:54 +02:00
parent 29ebf207a5
commit a6bca40ea4
1 changed files with 281 additions and 276 deletions


@ -7,15 +7,14 @@
<section id="a_configPasswords"> <section id="a_configPasswords">
<title>LAM configuration passwords</title> <title>LAM configuration passwords</title>
<para>LAM supports a two level authorization system for its <para>LAM supports a two level authorization system for its configuration.
configuration. Therefore, there are two types of configuration Therefore, there are two types of configuration passwords:</para>
passwords:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><emphasis role="bold">master configuration <para><emphasis role="bold">master configuration password:</emphasis>
password:</emphasis> needed to change general settings, needed to change general settings, create/delete server profiles and
create/delete server profiles and self service profiles</para> self service profiles</para>
</listitem> </listitem>
<listitem> <listitem>
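Review bot: Almost every line in this hunk, and in the rest of the diff (281 additions against 276 deletions in a single file), is re-wrapping of unchanged DocBook text, which buries the only content change (the PHP 7 fastcgi_pass paragraphs near the end of the file) under hundreds of cosmetic lines. Suggest committing the reflow separately from the content change, or turning off the editor's automatic line wrapping, so a reviewer can see what was actually changed.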
@ -26,8 +25,7 @@
</itemizedlist> </itemizedlist>
<para>The master configuration password can be used to reset a server <para>The master configuration password can be used to reset a server
profile password. Each server profile has its own profile profile password. Each server profile has its own profile password.</para>
password.</para>
<para>Both password types are stored as hash values in the configuration <para>Both password types are stored as hash values in the configuration
files for enhanced security.</para> files for enhanced security.</para>
@ -36,29 +34,28 @@
<section> <section>
<title>Use of SSL</title> <title>Use of SSL</title>
<para>The data which is transfered between you and LAM is very <para>The data which is transfered between you and LAM is very sensitive.
sensitive. Please always use SSL encrypted connections between LAM and Please always use SSL encrypted connections between LAM and your browser
your browser to protect yourself against network sniffers.</para> to protect yourself against network sniffers.</para>
</section> </section>
<section> <section>
<title>LDAP with SSL and TLS</title> <title>LDAP with SSL and TLS</title>
<para>SSL will be used if you use ldaps://servername in your <para>SSL will be used if you use ldaps://servername in your configuration
configuration profile. TLS can be activated with the "Activate TLS" profile. TLS can be activated with the "Activate TLS" option.</para>
option.</para>
<para>If your LDAP server uses a SSL certificate of a well-know <para>If your LDAP server uses a SSL certificate of a well-know
certificate authority (CA) then you probably need no changes. If you use certificate authority (CA) then you probably need no changes. If you use a
a custom CA in your company then there are two ways to setup the CA custom CA in your company then there are two ways to setup the CA
certificates.</para> certificates.</para>
<section> <section>
<title>Setup SSL certificates in LAM general settings</title> <title>Setup SSL certificates in LAM general settings</title>
<para>This is much easier than system level setup and will only affect <para>This is much easier than system level setup and will only affect
LAM. There might be some cases where other web applications on the LAM. There might be some cases where other web applications on the same
same web server are influenced.</para> web server are influenced.</para>
<para>See <link linkend="conf_sslCert">here</link> for details.</para> <para>See <link linkend="conf_sslCert">here</link> for details.</para>
</section> </section>
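Review bot: Since these paragraphs are being rewritten anyway, the spelling in them should be fixed at the same time: "transfered" should be "transferred", "well-know certificate authority" should be "well-known", and "two ways to setup the CA certificates" should be "set up". The section title "Use of SSL" could also name TLS, as the following section "LDAP with SSL and TLS" already does.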
@ -69,11 +66,10 @@
<para>This will make the CA certificates available also to other <para>This will make the CA certificates available also to other
applications on your system (e.g. other web applications).</para> applications on your system (e.g. other web applications).</para>
<para>You will need to setup ldap.conf to trust your server <para>You will need to setup ldap.conf to trust your server certificate.
certificate. Some installations use /etc/ldap.conf and some use Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf.
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf.
/etc/ldap/ldap.conf. Specify the server CA certificate with the Specify the server CA certificate with the following option:</para>
following option:</para>
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
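Review bot: "It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf" does not say which file is the link and which is the real file, so a reader can end up with a dangling link or with two independent copies. Suggest stating the direction explicitly (which path is kept as the file and which becomes the symlink) and that the TLS_CACERT line belongs in the real file.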
@ -94,8 +90,8 @@
<title>Selinux</title> <title>Selinux</title>
<para>In case your server has selinux installed you might need to extend <para>In case your server has selinux installed you might need to extend
the selinux ruleset. E.g. your webserver might not be allowed to write the selinux ruleset. E.g. your webserver might not be allowed to write in
in /var/lib.</para> /var/lib.</para>
<para><emphasis role="bold">Read selinux status</emphasis></para> <para><emphasis role="bold">Read selinux status</emphasis></para>
@ -112,8 +108,8 @@
<para><emphasis role="bold">Set selinux to Permissive <para><emphasis role="bold">Set selinux to Permissive
mode</emphasis></para> mode</emphasis></para>
<para>This will just log any access violations. You will need this to <para>This will just log any access violations. You will need this to get
get a list of missing rights.</para> a list of missing rights.</para>
<programlisting>setenforce Permissive</programlisting> <programlisting>setenforce Permissive</programlisting>
@ -122,8 +118,8 @@
<para><emphasis role="bold">Extend selinux rules</emphasis></para> <para><emphasis role="bold">Extend selinux rules</emphasis></para>
<para>Selinux now has logged any violations to audit.log. You can use <para>Selinux now has logged any violations to audit.log. You can use this
this now to extend your ruleset and enable enforcing later.</para> now to extend your ruleset and enable enforcing later.</para>
<para>The following example is for httpd. You can also adapt it to e.g. <para>The following example is for httpd. You can also adapt it to e.g.
nginx.</para> nginx.</para>
@ -169,12 +165,12 @@ semodule -i httpdlocal.pp</programlisting>
<section> <section>
<title>Chrooted servers</title> <title>Chrooted servers</title>
<para>If your server is chrooted and you have no access to /dev/random <para>If your server is chrooted and you have no access to /dev/random or
or /dev/urandom this can be a security risk. LAM stores your LDAP /dev/urandom this can be a security risk. LAM stores your LDAP password
password encrypted in the session. LAM uses rand() to generate the key encrypted in the session. LAM uses rand() to generate the key if
if /dev/random and /dev/urandom are not accessible. Therefore the key /dev/random and /dev/urandom are not accessible. Therefore the key can be
can be easily guessed. An attaker needs read access to the session file easily guessed. An attaker needs read access to the session file (e.g. by
(e.g. by another Apache instance) to exploit this.</para> another Apache instance) to exploit this.</para>
</section> </section>
<section> <section>
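Review bot: "attaker" should be "attacker". More importantly, the paragraph describes the rand() fallback as something whose key "can be easily guessed" but leaves the reader to weigh the risk; it should say plainly that rand() is not a cryptographic random source and that a chrooted server must therefore have /dev/urandom available inside the chroot, rather than presenting the fallback as an acceptable mode of operation.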
@ -183,8 +179,8 @@ semodule -i httpdlocal.pp</programlisting>
<para>You have to install the OpenSSL extension for PHP to enable <para>You have to install the OpenSSL extension for PHP to enable
encryption.</para> encryption.</para>
<para>Your LDAP password is stored encrypted in the session file. The <para>Your LDAP password is stored encrypted in the session file. The key
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
encrypt the password. All data that was read from LDAP and needs to be encrypt the password. All data that was read from LDAP and needs to be
stored in the session file is also encrypted.</para> stored in the session file is also encrypted.</para>
</section> </section>
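Review bot: The paragraph says the key and IV are stored in two cookies but not how those cookies are protected. Because anyone holding both cookies and the session file can recover the LDAP password, the documentation should state that the cookies are only safe over the SSL/TLS connection required in the "Use of SSL" section above and whether they are marked Secure and HttpOnly.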
@ -195,21 +191,21 @@ semodule -i httpdlocal.pp</programlisting>
<section> <section>
<title>Sensitive directories</title> <title>Sensitive directories</title>
<para>LAM includes several .htaccess files to protect your <para>LAM includes several .htaccess files to protect your configuration
configuration files and temporary data. Apache is often configured to files and temporary data. Apache is often configured to not use
not use .htaccess files by default. Therefore, please check your .htaccess files by default. Therefore, please check your Apache
Apache configuration and change the override setting to:</para> configuration and change the override setting to:</para>
<para>AllowOverride All</para> <para>AllowOverride All</para>
<para>If you are experienced in configuring Apache then you can also <para>If you are experienced in configuring Apache then you can also
copy the security settings from the .htaccess files to your main copy the security settings from the .htaccess files to your main Apache
Apache configuration.</para> configuration.</para>
<para>If possible, you should not rely on .htaccess files but also <para>If possible, you should not rely on .htaccess files but also move
move the config and sess directory to a place outside of your WWW the config and sess directory to a place outside of your WWW root. You
root. You can put a symbolic link in the LAM directory so that LAM can put a symbolic link in the LAM directory so that LAM finds the
finds the configuration/session files.</para> configuration/session files.</para>
<para>Security sensitive directories:</para> <para>Security sensitive directories:</para>
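Review bot: Recommending "AllowOverride All" without scope is broader than needed; it enables .htaccess processing for every directory Apache serves and lets any writable document root override server settings. Suggest limiting the directive to a Directory block for the LAM installation path (the diff later uses "/usr/share/ldap-account-manager") or, as the next paragraph already suggests, copying the rules from the .htaccess files into the main configuration and leaving AllowOverride at its default.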
@ -260,8 +256,8 @@ semodule -i httpdlocal.pp</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>directory contents must be accessible by browser but <para>directory contents must be accessible by browser but directory
directory itself needs not to be browseable</para> itself needs not to be browseable</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
@ -269,14 +265,14 @@ semodule -i httpdlocal.pp</programlisting>
<section id="apache_http_auth"> <section id="apache_http_auth">
<title>Use LDAP HTTP authentication for LAM</title> <title>Use LDAP HTTP authentication for LAM</title>
<para>With HTTP authentication Apache will be responsible to ask for <para>With HTTP authentication Apache will be responsible to ask for the
the user name and password. Both will then be forwarded to LAM which user name and password. Both will then be forwarded to LAM which will
will use it to access LDAP. This approach gives you more flexibility use it to access LDAP. This approach gives you more flexibility to
to restrict the number of users that may access LAM (e.g. by requiring restrict the number of users that may access LAM (e.g. by requiring
group memberships).</para> group memberships).</para>
<para>First of all you need to load additional Apache modules. These <para>First of all you need to load additional Apache modules. These are
are "<ulink "<ulink
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
and "<ulink type="" and "<ulink type=""
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para> url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
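Review bot: Both links point at the Apache 2.2 manual; 2.4 is the current series and some mod_authnz_ldap directives differ (for example AuthzLDAPAuthoritative no longer exists in 2.4), so readers following the 2.2 pages may copy directives that their server rejects. Suggest updating the URLs to the 2.4 documentation. The empty type="" attribute on the second ulink is editor debris and can be dropped.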
@ -317,9 +313,9 @@ semodule -i httpdlocal.pp</programlisting>
<title>Self Service behind proxy in DMZ (LAM Pro)</title> <title>Self Service behind proxy in DMZ (LAM Pro)</title>
<para>In some cases you might want to make the self service accessible <para>In some cases you might want to make the self service accessible
via the internet. Here is an Apache config to forward only the via the internet. Here is an Apache config to forward only the required
required URLs via a proxy server (lamproxy.company.com) in your DMZ to URLs via a proxy server (lamproxy.company.com) in your DMZ to the
the internal LAM server (lam.company.com).</para> internal LAM server (lam.company.com).</para>
<para><inlinemediaobject> <para><inlinemediaobject>
<imageobject> <imageobject>
@ -379,8 +375,8 @@ semodule -i httpdlocal.pp</programlisting>
<title>RPM based installations</title> <title>RPM based installations</title>
<para>The RPM package has dependencies on Apache. Therefore, Nginx is <para>The RPM package has dependencies on Apache. Therefore, Nginx is
not officially supported with this installation mode. Use tar.bz2 if not officially supported with this installation mode. Use tar.bz2 if you
you are unsure.</para> are unsure.</para>
<para>However, the package also includes an Nginx configuration file. <para>However, the package also includes an Nginx configuration file.
Please include it in your server directive like this:</para> Please include it in your server directive like this:</para>
@ -392,6 +388,10 @@ semodule -i httpdlocal.pp</programlisting>
... ...
}</programlisting> }</programlisting>
<para>The included config file uses PHP 5. In case you run with PHP 7
please update the parameter "fastcgi_pass" to
"/var/run/php7-fpm.sock".</para>
</section> </section>
<section> <section>
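Review bot: "/var/run/php7-fpm.sock" is not a path PHP-FPM uses by default on common distributions; the Debian and Ubuntu php7.x-fpm packages listen on /run/php/php7.0-fpm.sock (versioned per minor release), and the socket name is whatever the "listen" directive of the FPM pool configuration sets. Suggest telling the reader to set fastcgi_pass to the value of that "listen" directive instead of naming a fixed path, and noting that the same applies to the php5-fpm.sock value in the shipped file.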
@ -407,6 +407,10 @@ semodule -i httpdlocal.pp</programlisting>
... ...
}</programlisting> }</programlisting>
<para>The included config file uses PHP 5. In case you run with PHP 7
please update the parameter "fastcgi_pass" to
"/var/run/php7-fpm.sock".</para>
</section> </section>
<section> <section>
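Review bot: This paragraph repeats the one added to the previous section word for word. If the advice is kept in both places, give both the same guidance (match fastcgi_pass to the FPM pool's "listen" setting rather than a fixed "/var/run/php7-fpm.sock") so one copy does not go stale when the other is corrected.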
@ -416,8 +420,9 @@ semodule -i httpdlocal.pp</programlisting>
directive.</para> directive.</para>
<para>You will need to change the alias location <para>You will need to change the alias location
("/usr/share/ldap-account-manager") and fastcgi_pass ("/usr/share/ldap-account-manager") and fastcgi_pass (e.g.
("/var/run/php5-fpm.sock") to match your installation.</para> "/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock") to match your
installation.</para>
<programlisting>location /lam { <programlisting>location /lam {
index index.html; index index.html;