PHP 7 nginx
parent 29ebf207a5
commit a6bca40ea4
				|  | @ -1,21 +1,20 @@ | ||||||
| <?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | ||||||
| <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | ||||||
| "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> | ||||||
|   <appendix id="a_security"> | <appendix id="a_security"> | ||||||
|   <title>Security</title> |   <title>Security</title> | ||||||
| 
 | 
 | ||||||
|   <section id="a_configPasswords"> |   <section id="a_configPasswords"> | ||||||
|     <title>LAM configuration passwords</title> |     <title>LAM configuration passwords</title> | ||||||
| 
 | 
 | ||||||
|       <para>LAM supports a two level authorization system for its |     <para>LAM supports a two level authorization system for its configuration. | ||||||
|       configuration. Therefore, there are two types of configuration |     Therefore, there are two types of configuration passwords:</para> | ||||||
|       passwords:</para> |  | ||||||
| 
 | 
 | ||||||
|     <itemizedlist> |     <itemizedlist> | ||||||
|       <listitem> |       <listitem> | ||||||
|           <para><emphasis role="bold">master configuration |         <para><emphasis role="bold">master configuration password:</emphasis> | ||||||
|           password:</emphasis> needed to change general settings, |         needed to change general settings, create/delete server profiles and | ||||||
|           create/delete server profiles and self service profiles</para> |         self service profiles</para> | ||||||
|       </listitem> |       </listitem> | ||||||
| 
 | 
 | ||||||
|       <listitem> |       <listitem> | ||||||
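Review bot: nearly all of this hunk, and of the hunks that follow it, is indentation-only rewrapping of paragraphs whose wording does not change, which buries the commit's actual change (the two new PHP 7 paragraphs in the Nginx section) inside a whitespace diff covering the whole appendix. Consider landing the editor reflow as its own commit so the functional change can be reviewed and reverted on its own. The reflow is also not self-consistent: `<appendix id="a_security">` loses its two-space indent while its child `<title>Security</title>` keeps it.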
|  | @ -26,8 +25,7 @@ | ||||||
|     </itemizedlist> |     </itemizedlist> | ||||||
| 
 | 
 | ||||||
|     <para>The master configuration password can be used to reset a server |     <para>The master configuration password can be used to reset a server | ||||||
|       profile password. Each server profile has its own profile |     profile password. Each server profile has its own profile password.</para> | ||||||
|       password.</para> |  | ||||||
| 
 | 
 | ||||||
|     <para>Both password types are stored as hash values in the configuration |     <para>Both password types are stored as hash values in the configuration | ||||||
|     files for enhanced security.</para> |     files for enhanced security.</para> | ||||||
|  | @ -36,29 +34,28 @@ | ||||||
|   <section> |   <section> | ||||||
|     <title>Use of SSL</title> |     <title>Use of SSL</title> | ||||||
| 
 | 
 | ||||||
|       <para>The data which is transfered between you and LAM is very |     <para>The data which is transfered between you and LAM is very sensitive. | ||||||
|       sensitive. Please always use SSL encrypted connections between LAM and |     Please always use SSL encrypted connections between LAM and your browser | ||||||
|       your browser to protect yourself against network sniffers.</para> |     to protect yourself against network sniffers.</para> | ||||||
|   </section> |   </section> | ||||||
| 
 | 
 | ||||||
|   <section> |   <section> | ||||||
|     <title>LDAP with SSL and TLS</title> |     <title>LDAP with SSL and TLS</title> | ||||||
| 
 | 
 | ||||||
|       <para>SSL will be used if you use ldaps://servername in your |     <para>SSL will be used if you use ldaps://servername in your configuration | ||||||
|       configuration profile. TLS can be activated with the "Activate TLS" |     profile. TLS can be activated with the "Activate TLS" option.</para> | ||||||
|       option.</para> |  | ||||||
| 
 | 
 | ||||||
|     <para>If your LDAP server uses a SSL certificate of a well-know |     <para>If your LDAP server uses a SSL certificate of a well-know | ||||||
|       certificate authority (CA) then you probably need no changes. If you use |     certificate authority (CA) then you probably need no changes. If you use a | ||||||
|       a custom CA in your company then there are two ways to setup the CA |     custom CA in your company then there are two ways to setup the CA | ||||||
|     certificates.</para> |     certificates.</para> | ||||||
| 
 | 
 | ||||||
|     <section> |     <section> | ||||||
|       <title>Setup SSL certificates in LAM general settings</title> |       <title>Setup SSL certificates in LAM general settings</title> | ||||||
| 
 | 
 | ||||||
|       <para>This is much easier than system level setup and will only affect |       <para>This is much easier than system level setup and will only affect | ||||||
|         LAM. There might be some cases where other web applications on the |       LAM. There might be some cases where other web applications on the same | ||||||
|         same web server are influenced.</para> |       web server are influenced.</para> | ||||||
| 
 | 
 | ||||||
|       <para>See <link linkend="conf_sslCert">here</link> for details.</para> |       <para>See <link linkend="conf_sslCert">here</link> for details.</para> | ||||||
|     </section> |     </section> | ||||||
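Review bot: since the "Use of SSL" and "LDAP with SSL and TLS" paragraphs are being rewrapped anyway, fix the typos in them in the same pass: "transfered" should be "transferred", "a SSL certificate of a well-know certificate authority" should be "an SSL certificate of a well-known certificate authority", and "two ways to setup the CA certificates" should use the verb "set up".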
|  | @ -69,11 +66,10 @@ | ||||||
|       <para>This will make the CA certificates available also to other |       <para>This will make the CA certificates available also to other | ||||||
|       applications on your system (e.g. other web applications).</para> |       applications on your system (e.g. other web applications).</para> | ||||||
| 
 | 
 | ||||||
|         <para>You will need to setup ldap.conf to trust your server |       <para>You will need to setup ldap.conf to trust your server certificate. | ||||||
|         certificate. Some installations use /etc/ldap.conf and some use |       Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. | ||||||
|         /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to |       It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. | ||||||
|         /etc/ldap/ldap.conf. Specify the server CA certificate with the |       Specify the server CA certificate with the following option:</para> | ||||||
|         following option:</para> |  | ||||||
| 
 | 
 | ||||||
|       <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> |       <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> | ||||||
| 
 | 
 | ||||||
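Review bot: "You will need to setup ldap.conf" uses the noun "setup" where the verb "set up" is meant; the rewrap of this paragraph is the natural place to correct it. It would also help to say that `TLS_CACERT` must point at the CA certificate in PEM format, which the example path `cacert.pem` implies but the prose does not state.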
|  | @ -94,8 +90,8 @@ | ||||||
|     <title>Selinux</title> |     <title>Selinux</title> | ||||||
| 
 | 
 | ||||||
|     <para>In case your server has selinux installed you might need to extend |     <para>In case your server has selinux installed you might need to extend | ||||||
|       the selinux ruleset. E.g. your webserver might not be allowed to write |     the selinux ruleset. E.g. your webserver might not be allowed to write in | ||||||
|       in /var/lib.</para> |     /var/lib.</para> | ||||||
| 
 | 
 | ||||||
|     <para><emphasis role="bold">Read selinux status</emphasis></para> |     <para><emphasis role="bold">Read selinux status</emphasis></para> | ||||||
| 
 | 
 | ||||||
|  | @ -112,8 +108,8 @@ | ||||||
|     <para><emphasis role="bold">Set selinux to Permissive |     <para><emphasis role="bold">Set selinux to Permissive | ||||||
|     mode</emphasis></para> |     mode</emphasis></para> | ||||||
| 
 | 
 | ||||||
|       <para>This will just log any access violations. You will need this to |     <para>This will just log any access violations. You will need this to get | ||||||
|       get a list of missing rights.</para> |     a list of missing rights.</para> | ||||||
| 
 | 
 | ||||||
|     <programlisting>setenforce Permissive</programlisting> |     <programlisting>setenforce Permissive</programlisting> | ||||||
| 
 | 
 | ||||||
|  | @ -122,8 +118,8 @@ | ||||||
| 
 | 
 | ||||||
|     <para><emphasis role="bold">Extend selinux rules</emphasis></para> |     <para><emphasis role="bold">Extend selinux rules</emphasis></para> | ||||||
| 
 | 
 | ||||||
|       <para>Selinux now has logged any violations to audit.log. You can use |     <para>Selinux now has logged any violations to audit.log. You can use this | ||||||
|       this now to extend your ruleset and enable enforcing later.</para> |     now to extend your ruleset and enable enforcing later.</para> | ||||||
| 
 | 
 | ||||||
|     <para>The following example is for httpd. You can also adapt it to e.g. |     <para>The following example is for httpd. You can also adapt it to e.g. | ||||||
|     nginx.</para> |     nginx.</para> | ||||||
|  | @ -169,12 +165,12 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|   <section> |   <section> | ||||||
|     <title>Chrooted servers</title> |     <title>Chrooted servers</title> | ||||||
| 
 | 
 | ||||||
|       <para>If your server is chrooted and you have no access to /dev/random |     <para>If your server is chrooted and you have no access to /dev/random or | ||||||
|       or /dev/urandom this can be a security risk. LAM stores your LDAP |     /dev/urandom this can be a security risk. LAM stores your LDAP password | ||||||
|       password encrypted in the session. LAM uses rand() to generate the key |     encrypted in the session. LAM uses rand() to generate the key if | ||||||
|       if /dev/random and /dev/urandom are not accessible. Therefore the key |     /dev/random and /dev/urandom are not accessible. Therefore the key can be | ||||||
|       can be easily guessed. An attaker needs read access to the session file |     easily guessed. An attaker needs read access to the session file (e.g. by | ||||||
|       (e.g. by another Apache instance) to exploit this.</para> |     another Apache instance) to exploit this.</para> | ||||||
|   </section> |   </section> | ||||||
| 
 | 
 | ||||||
|   <section> |   <section> | ||||||
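Review bot: "An attaker needs read access" in the rewrapped Chrooted servers paragraph should read "attacker". More importantly, the paragraph explains the risk (the fallback to rand() when /dev/random and /dev/urandom are unavailable yields an easily guessed session key) but never states the remedy; since the lines are being touched, add a sentence telling the administrator to make /dev/urandom available inside the chroot so the fallback is never taken.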
|  | @ -183,8 +179,8 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|     <para>You have to install the OpenSSL extension for PHP to enable |     <para>You have to install the OpenSSL extension for PHP to enable | ||||||
|     encryption.</para> |     encryption.</para> | ||||||
| 
 | 
 | ||||||
|       <para>Your LDAP password is stored encrypted in the session file. The |     <para>Your LDAP password is stored encrypted in the session file. The key | ||||||
|       key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to |     and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to | ||||||
|     encrypt the password. All data that was read from LDAP and needs to be |     encrypt the password. All data that was read from LDAP and needs to be | ||||||
|     stored in the session file is also encrypted.</para> |     stored in the session file is also encrypted.</para> | ||||||
|   </section> |   </section> | ||||||
|  | @ -195,21 +191,21 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|     <section> |     <section> | ||||||
|       <title>Sensitive directories</title> |       <title>Sensitive directories</title> | ||||||
| 
 | 
 | ||||||
|         <para>LAM includes several .htaccess files to protect your |       <para>LAM includes several .htaccess files to protect your configuration | ||||||
|         configuration files and temporary data. Apache is often configured to |       files and temporary data. Apache is often configured to not use | ||||||
|         not use .htaccess files by default. Therefore, please check your |       .htaccess files by default. Therefore, please check your Apache | ||||||
|         Apache configuration and change the override setting to:</para> |       configuration and change the override setting to:</para> | ||||||
| 
 | 
 | ||||||
|       <para>AllowOverride All</para> |       <para>AllowOverride All</para> | ||||||
| 
 | 
 | ||||||
|       <para>If you are experienced in configuring Apache then you can also |       <para>If you are experienced in configuring Apache then you can also | ||||||
|         copy the security settings from the .htaccess files to your main |       copy the security settings from the .htaccess files to your main Apache | ||||||
|         Apache configuration.</para> |       configuration.</para> | ||||||
| 
 | 
 | ||||||
|         <para>If possible, you should not rely on .htaccess files but also |       <para>If possible, you should not rely on .htaccess files but also move | ||||||
|         move the config and sess directory to a place outside of your WWW |       the config and sess directory to a place outside of your WWW root. You | ||||||
|         root. You can put a symbolic link in the LAM directory so that LAM |       can put a symbolic link in the LAM directory so that LAM finds the | ||||||
|         finds the configuration/session files.</para> |       configuration/session files.</para> | ||||||
| 
 | 
 | ||||||
|       <para>Security sensitive directories:</para> |       <para>Security sensitive directories:</para> | ||||||
| 
 | 
 | ||||||
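Review bot: `<para>AllowOverride All</para>` is a configuration directive and should be marked up as a `<programlisting>`, as the `TLS_CACERT` and `setenforce` examples in this appendix already are, so that it renders as code instead of as a sentence; this hunk rewraps the paragraphs around it, so it is a convenient place to fix that. The text also presents `AllowOverride All` without scope; consider noting that it belongs in the `<Directory>` block for the LAM installation rather than server-wide, since the point of the section is to limit what the web server exposes.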
|  | @ -260,8 +256,8 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|         </listitem> |         </listitem> | ||||||
| 
 | 
 | ||||||
|         <listitem> |         <listitem> | ||||||
|             <para>directory contents must be accessible by browser but |           <para>directory contents must be accessible by browser but directory | ||||||
|             directory itself needs not to be browseable</para> |           itself needs not to be browseable</para> | ||||||
|         </listitem> |         </listitem> | ||||||
|       </itemizedlist> |       </itemizedlist> | ||||||
|     </section> |     </section> | ||||||
|  | @ -269,14 +265,14 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|     <section id="apache_http_auth"> |     <section id="apache_http_auth"> | ||||||
|       <title>Use LDAP HTTP authentication for LAM</title> |       <title>Use LDAP HTTP authentication for LAM</title> | ||||||
| 
 | 
 | ||||||
|         <para>With HTTP authentication Apache will be responsible to ask for |       <para>With HTTP authentication Apache will be responsible to ask for the | ||||||
|         the user name and password. Both will then be forwarded to LAM which |       user name and password. Both will then be forwarded to LAM which will | ||||||
|         will use it to access LDAP. This approach gives you more flexibility |       use it to access LDAP. This approach gives you more flexibility to | ||||||
|         to restrict the number of users that may access LAM (e.g. by requiring |       restrict the number of users that may access LAM (e.g. by requiring | ||||||
|       group memberships).</para> |       group memberships).</para> | ||||||
| 
 | 
 | ||||||
|         <para>First of all you need to load additional Apache modules. These |       <para>First of all you need to load additional Apache modules. These are | ||||||
|         are "<ulink |       "<ulink | ||||||
|       url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" |       url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" | ||||||
|       and "<ulink type="" |       and "<ulink type="" | ||||||
|       url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para> |       url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para> | ||||||
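Review bot: the `<ulink type="" ...>` on the mod_authnz_ldap link carries an empty `type` attribute that the neighbouring mod_ldap link does not; drop it for consistency. Both links point at the Apache 2.2 manual (`httpd.apache.org/docs/2.2/...`); given that this commit is updating the document for PHP 7 era deployments, check whether the 2.4 manual is the intended target.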
|  | @ -317,9 +313,9 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|       <title>Self Service behind proxy in DMZ (LAM Pro)</title> |       <title>Self Service behind proxy in DMZ (LAM Pro)</title> | ||||||
| 
 | 
 | ||||||
|       <para>In some cases you might want to make the self service accessible |       <para>In some cases you might want to make the self service accessible | ||||||
|         via the internet. Here is an Apache config to forward only the |       via the internet. Here is an Apache config to forward only the required | ||||||
|         required URLs via a proxy server (lamproxy.company.com) in your DMZ to |       URLs via a proxy server (lamproxy.company.com) in your DMZ to the | ||||||
|         the internal LAM server (lam.company.com).</para> |       internal LAM server (lam.company.com).</para> | ||||||
| 
 | 
 | ||||||
|       <para><inlinemediaobject> |       <para><inlinemediaobject> | ||||||
|           <imageobject> |           <imageobject> | ||||||
|  | @ -379,8 +375,8 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|       <title>RPM based installations</title> |       <title>RPM based installations</title> | ||||||
| 
 | 
 | ||||||
|       <para>The RPM package has dependencies on Apache. Therefore, Nginx is |       <para>The RPM package has dependencies on Apache. Therefore, Nginx is | ||||||
|         not officially supported with this installation mode. Use tar.bz2 if |       not officially supported with this installation mode. Use tar.bz2 if you | ||||||
|         you are unsure.</para> |       are unsure.</para> | ||||||
| 
 | 
 | ||||||
|       <para>However, the package also includes an Nginx configuration file. |       <para>However, the package also includes an Nginx configuration file. | ||||||
|       Please include it in your server directive like this:</para> |       Please include it in your server directive like this:</para> | ||||||
|  | @ -392,6 +388,10 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
| 
 | 
 | ||||||
|         ... |         ... | ||||||
| }</programlisting> | }</programlisting> | ||||||
|  | 
 | ||||||
|  |       <para>The included config file uses PHP 5. In case you run with PHP 7 | ||||||
|  |       please update the parameter "fastcgi_pass" to | ||||||
|  |       "/var/run/php7-fpm.sock".</para> | ||||||
|     </section> |     </section> | ||||||
| 
 | 
 | ||||||
|     <section> |     <section> | ||||||
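Review bot: the new paragraph states "/var/run/php7-fpm.sock" as though it were the PHP 7 socket path, but the socket location is distribution- and pool-specific: it has to match the `listen` value of the php-fpm pool on that host. The later hunk in this file already phrases the two paths as "e.g. ... or ..."; use the same wording here and tell the reader to take the value from the php-fpm pool configuration. "In case you run with PHP 7" also reads awkwardly; "If you run PHP 7" is clearer.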
|  | @ -407,6 +407,10 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
| 
 | 
 | ||||||
|         ... |         ... | ||||||
| }</programlisting> | }</programlisting> | ||||||
|  | 
 | ||||||
|  |       <para>The included config file uses PHP 5. In case you run with PHP 7 | ||||||
|  |       please update the parameter "fastcgi_pass" to | ||||||
|  |       "/var/run/php7-fpm.sock".</para> | ||||||
|     </section> |     </section> | ||||||
| 
 | 
 | ||||||
|     <section> |     <section> | ||||||
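Review bot: this paragraph is a verbatim copy of the one added in the RPM section in the previous hunk. Duplicated guidance drifts when one copy is later corrected and the other is not; either factor the PHP 7 note into one place and reference it from both sections with `<link linkend="...">`, which this appendix already uses for `conf_sslCert`, or at least ensure both copies receive the same "e.g." wording and the same pointer to the php-fpm pool configuration.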
|  | @ -416,8 +420,9 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
|       directive.</para> |       directive.</para> | ||||||
| 
 | 
 | ||||||
|       <para>You will need to change the alias location |       <para>You will need to change the alias location | ||||||
|         ("/usr/share/ldap-account-manager") and fastcgi_pass |       ("/usr/share/ldap-account-manager") and fastcgi_pass (e.g. | ||||||
|         ("/var/run/php5-fpm.sock") to match your installation.</para> |       "/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock") to match your | ||||||
|  |       installation.</para> | ||||||
| 
 | 
 | ||||||
|       <programlisting>location /lam { |       <programlisting>location /lam { | ||||||
|   index index.html; |   index index.html; | ||||||
|  | @ -441,4 +446,4 @@ semodule -i httpdlocal.pp</programlisting> | ||||||
| </programlisting> | </programlisting> | ||||||
|     </section> |     </section> | ||||||
|   </section> |   </section> | ||||||
|   </appendix> | </appendix> | ||||||
|  |  | ||||||