PHP 7 nginx
This commit is contained in:
parent
29ebf207a5
commit
a6bca40ea4
|
@ -7,15 +7,14 @@
|
|||
<section id="a_configPasswords">
|
||||
<title>LAM configuration passwords</title>
|
||||
|
||||
<para>LAM supports a two level authorization system for its
|
||||
configuration. Therefore, there are two types of configuration
|
||||
passwords:</para>
|
||||
<para>LAM supports a two level authorization system for its configuration.
|
||||
Therefore, there are two types of configuration passwords:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">master configuration
|
||||
password:</emphasis> needed to change general settings,
|
||||
create/delete server profiles and self service profiles</para>
|
||||
<para><emphasis role="bold">master configuration password:</emphasis>
|
||||
needed to change general settings, create/delete server profiles and
|
||||
self service profiles</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -26,8 +25,7 @@
|
|||
</itemizedlist>
|
||||
|
||||
<para>The master configuration password can be used to reset a server
|
||||
profile password. Each server profile has its own profile
|
||||
password.</para>
|
||||
profile password. Each server profile has its own profile password.</para>
|
||||
|
||||
<para>Both password types are stored as hash values in the configuration
|
||||
files for enhanced security.</para>
|
||||
|
@ -36,29 +34,28 @@
|
|||
<section>
|
||||
<title>Use of SSL</title>
|
||||
|
||||
<para>The data which is transfered between you and LAM is very
|
||||
sensitive. Please always use SSL encrypted connections between LAM and
|
||||
your browser to protect yourself against network sniffers.</para>
|
||||
<para>The data which is transfered between you and LAM is very sensitive.
|
||||
Please always use SSL encrypted connections between LAM and your browser
|
||||
to protect yourself against network sniffers.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>LDAP with SSL and TLS</title>
|
||||
|
||||
<para>SSL will be used if you use ldaps://servername in your
|
||||
configuration profile. TLS can be activated with the "Activate TLS"
|
||||
option.</para>
|
||||
<para>SSL will be used if you use ldaps://servername in your configuration
|
||||
profile. TLS can be activated with the "Activate TLS" option.</para>
|
||||
|
||||
<para>If your LDAP server uses a SSL certificate of a well-know
|
||||
certificate authority (CA) then you probably need no changes. If you use
|
||||
a custom CA in your company then there are two ways to setup the CA
|
||||
certificate authority (CA) then you probably need no changes. If you use a
|
||||
custom CA in your company then there are two ways to setup the CA
|
||||
certificates.</para>
|
||||
|
||||
<section>
|
||||
<title>Setup SSL certificates in LAM general settings</title>
|
||||
|
||||
<para>This is much easier than system level setup and will only affect
|
||||
LAM. There might be some cases where other web applications on the
|
||||
same web server are influenced.</para>
|
||||
LAM. There might be some cases where other web applications on the same
|
||||
web server are influenced.</para>
|
||||
|
||||
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
|
||||
</section>
|
||||
|
@ -69,11 +66,10 @@
|
|||
<para>This will make the CA certificates available also to other
|
||||
applications on your system (e.g. other web applications).</para>
|
||||
|
||||
<para>You will need to setup ldap.conf to trust your server
|
||||
certificate. Some installations use /etc/ldap.conf and some use
|
||||
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
|
||||
/etc/ldap/ldap.conf. Specify the server CA certificate with the
|
||||
following option:</para>
|
||||
<para>You will need to setup ldap.conf to trust your server certificate.
|
||||
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf.
|
||||
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf.
|
||||
Specify the server CA certificate with the following option:</para>
|
||||
|
||||
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
||||
|
||||
|
@ -94,8 +90,8 @@
|
|||
<title>Selinux</title>
|
||||
|
||||
<para>In case your server has selinux installed you might need to extend
|
||||
the selinux ruleset. E.g. your webserver might not be allowed to write
|
||||
in /var/lib.</para>
|
||||
the selinux ruleset. E.g. your webserver might not be allowed to write in
|
||||
/var/lib.</para>
|
||||
|
||||
<para><emphasis role="bold">Read selinux status</emphasis></para>
|
||||
|
||||
|
@ -112,8 +108,8 @@
|
|||
<para><emphasis role="bold">Set selinux to Permissive
|
||||
mode</emphasis></para>
|
||||
|
||||
<para>This will just log any access violations. You will need this to
|
||||
get a list of missing rights.</para>
|
||||
<para>This will just log any access violations. You will need this to get
|
||||
a list of missing rights.</para>
|
||||
|
||||
<programlisting>setenforce Permissive</programlisting>
|
||||
|
||||
|
@ -122,8 +118,8 @@
|
|||
|
||||
<para><emphasis role="bold">Extend selinux rules</emphasis></para>
|
||||
|
||||
<para>Selinux now has logged any violations to audit.log. You can use
|
||||
this now to extend your ruleset and enable enforcing later.</para>
|
||||
<para>Selinux now has logged any violations to audit.log. You can use this
|
||||
now to extend your ruleset and enable enforcing later.</para>
|
||||
|
||||
<para>The following example is for httpd. You can also adapt it to e.g.
|
||||
nginx.</para>
|
||||
|
@ -169,12 +165,12 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<section>
|
||||
<title>Chrooted servers</title>
|
||||
|
||||
<para>If your server is chrooted and you have no access to /dev/random
|
||||
or /dev/urandom this can be a security risk. LAM stores your LDAP
|
||||
password encrypted in the session. LAM uses rand() to generate the key
|
||||
if /dev/random and /dev/urandom are not accessible. Therefore the key
|
||||
can be easily guessed. An attaker needs read access to the session file
|
||||
(e.g. by another Apache instance) to exploit this.</para>
|
||||
<para>If your server is chrooted and you have no access to /dev/random or
|
||||
/dev/urandom this can be a security risk. LAM stores your LDAP password
|
||||
encrypted in the session. LAM uses rand() to generate the key if
|
||||
/dev/random and /dev/urandom are not accessible. Therefore the key can be
|
||||
easily guessed. An attaker needs read access to the session file (e.g. by
|
||||
another Apache instance) to exploit this.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -183,8 +179,8 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<para>You have to install the OpenSSL extension for PHP to enable
|
||||
encryption.</para>
|
||||
|
||||
<para>Your LDAP password is stored encrypted in the session file. The
|
||||
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
|
||||
<para>Your LDAP password is stored encrypted in the session file. The key
|
||||
and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
|
||||
encrypt the password. All data that was read from LDAP and needs to be
|
||||
stored in the session file is also encrypted.</para>
|
||||
</section>
|
||||
|
@ -195,21 +191,21 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<section>
|
||||
<title>Sensitive directories</title>
|
||||
|
||||
<para>LAM includes several .htaccess files to protect your
|
||||
configuration files and temporary data. Apache is often configured to
|
||||
not use .htaccess files by default. Therefore, please check your
|
||||
Apache configuration and change the override setting to:</para>
|
||||
<para>LAM includes several .htaccess files to protect your configuration
|
||||
files and temporary data. Apache is often configured to not use
|
||||
.htaccess files by default. Therefore, please check your Apache
|
||||
configuration and change the override setting to:</para>
|
||||
|
||||
<para>AllowOverride All</para>
|
||||
|
||||
<para>If you are experienced in configuring Apache then you can also
|
||||
copy the security settings from the .htaccess files to your main
|
||||
Apache configuration.</para>
|
||||
copy the security settings from the .htaccess files to your main Apache
|
||||
configuration.</para>
|
||||
|
||||
<para>If possible, you should not rely on .htaccess files but also
|
||||
move the config and sess directory to a place outside of your WWW
|
||||
root. You can put a symbolic link in the LAM directory so that LAM
|
||||
finds the configuration/session files.</para>
|
||||
<para>If possible, you should not rely on .htaccess files but also move
|
||||
the config and sess directory to a place outside of your WWW root. You
|
||||
can put a symbolic link in the LAM directory so that LAM finds the
|
||||
configuration/session files.</para>
|
||||
|
||||
<para>Security sensitive directories:</para>
|
||||
|
||||
|
@ -260,8 +256,8 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>directory contents must be accessible by browser but
|
||||
directory itself needs not to be browseable</para>
|
||||
<para>directory contents must be accessible by browser but directory
|
||||
itself needs not to be browseable</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
@ -269,14 +265,14 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<section id="apache_http_auth">
|
||||
<title>Use LDAP HTTP authentication for LAM</title>
|
||||
|
||||
<para>With HTTP authentication Apache will be responsible to ask for
|
||||
the user name and password. Both will then be forwarded to LAM which
|
||||
will use it to access LDAP. This approach gives you more flexibility
|
||||
to restrict the number of users that may access LAM (e.g. by requiring
|
||||
<para>With HTTP authentication Apache will be responsible to ask for the
|
||||
user name and password. Both will then be forwarded to LAM which will
|
||||
use it to access LDAP. This approach gives you more flexibility to
|
||||
restrict the number of users that may access LAM (e.g. by requiring
|
||||
group memberships).</para>
|
||||
|
||||
<para>First of all you need to load additional Apache modules. These
|
||||
are "<ulink
|
||||
<para>First of all you need to load additional Apache modules. These are
|
||||
"<ulink
|
||||
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
|
||||
and "<ulink type=""
|
||||
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
|
||||
|
@ -317,9 +313,9 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<title>Self Service behind proxy in DMZ (LAM Pro)</title>
|
||||
|
||||
<para>In some cases you might want to make the self service accessible
|
||||
via the internet. Here is an Apache config to forward only the
|
||||
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
|
||||
the internal LAM server (lam.company.com).</para>
|
||||
via the internet. Here is an Apache config to forward only the required
|
||||
URLs via a proxy server (lamproxy.company.com) in your DMZ to the
|
||||
internal LAM server (lam.company.com).</para>
|
||||
|
||||
<para><inlinemediaobject>
|
||||
<imageobject>
|
||||
|
@ -379,8 +375,8 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<title>RPM based installations</title>
|
||||
|
||||
<para>The RPM package has dependencies on Apache. Therefore, Nginx is
|
||||
not officially supported with this installation mode. Use tar.bz2 if
|
||||
you are unsure.</para>
|
||||
not officially supported with this installation mode. Use tar.bz2 if you
|
||||
are unsure.</para>
|
||||
|
||||
<para>However, the package also includes an Nginx configuration file.
|
||||
Please include it in your server directive like this:</para>
|
||||
|
@ -392,6 +388,10 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
|
||||
...
|
||||
}</programlisting>
|
||||
|
||||
<para>The included config file uses PHP 5. In case you run with PHP 7
|
||||
please update the parameter "fastcgi_pass" to
|
||||
"/var/run/php7-fpm.sock".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -407,6 +407,10 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
|
||||
...
|
||||
}</programlisting>
|
||||
|
||||
<para>The included config file uses PHP 5. In case you run with PHP 7
|
||||
please update the parameter "fastcgi_pass" to
|
||||
"/var/run/php7-fpm.sock".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -416,8 +420,9 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
directive.</para>
|
||||
|
||||
<para>You will need to change the alias location
|
||||
("/usr/share/ldap-account-manager") and fastcgi_pass
|
||||
("/var/run/php5-fpm.sock") to match your installation.</para>
|
||||
("/usr/share/ldap-account-manager") and fastcgi_pass (e.g.
|
||||
"/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock") to match your
|
||||
installation.</para>
|
||||
|
||||
<programlisting>location /lam {
|
||||
index index.html;
|
||||
|
|
Loading…
Reference in New Issue