# uWSGI backend for the A+ web front-end. A unix socket is used rather than a
# TCP port, so only processes on this host can talk to the application server.
upstream aplus-web {
    server unix:/run/aplus/web-uwsgi.socket;
}
# uWSGI backend for the A+ REST API, served by a separate uWSGI instance on its
# own unix socket (same host-only reachability as aplus-web).
upstream aplus-api {
    server unix:/run/aplus/api-uwsgi.socket;
}
# Maintenance-mode bypass list. Add admin IP addresses/blocks below; matching
# clients get $is_admin_ip = 1 and are never redirected to the 503 page.
# The lookup key is the direct peer address ($remote_addr, written out
# explicitly here). If nginx sits behind a load balancer or reverse proxy,
# that address is the proxy's, not the admin's - the bypass will then not work
# until the real client address is made available (e.g. via the realip module).
geo $remote_addr $is_admin_ip {
    # 0 = not admin
    default 0;
    # 1 = is admin
    # 192.0.2.1/32 1;
    # 192.0.2.2/32 1;
    # 192.0.2.3/32 1;
}
# Plain-HTTP listener: never serves content, only bounces every request to the
# TLS listener below.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name __HOSTNAME__;
    underscores_in_headers on;

    location / {
        # Redirect to the configured server name, not the client-supplied $host,
        # so the Host header cannot be used to redirect users elsewhere.
        return 302 https://$server_name$request_uri;
    }
}
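# TLS listener serving A+ (web + API), Shibboleth SP endpoints and static files.
server {
    # Maintenance mode: when the flag file exists, every dynamic location below
    # answers 503 (static locations keep serving). Create/remove the file to
    # toggle the mode; no nginx reload is needed.
    set $maintenance 0;
    if (-f /srv/aplus/a-plus/maintenance) {
        set $maintenance 1;
    }
    # Admins (see the geo block above) are never redirected
    if ($is_admin_ip) {
        set $maintenance 0;
    }
    # Uncomment below to customise the maintenance notification
    # Default location for the file in Ubuntu is /usr/share/nginx/html
    # error_page 503 @maintenance;
    # location @maintenance {
    #     rewrite ^(.*)$ /maintenance.html break;
    # }

    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name __HOSTNAME__;

    # NOTE(review): with this on, nginx accepts headers such as "Shib_eppn".
    # The uwsgi module maps both "Shib-eppn" and "Shib_eppn" to the same
    # HTTP_SHIB_EPPN variable, but the more_clear_input_headers list in the
    # /shibboleth location below names only the dashed spellings. Remove this
    # directive unless something depends on it, or add the underscore
    # spellings to that list - TODO confirm which.
    underscores_in_headers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # "always" attaches the header to 4xx/5xx responses as well (e.g. the 503
    # maintenance page); without it only 2xx/3xx responses carry it.
    # Consider adding "includeSubDomains" once every sub-domain serves HTTPS.
    add_header Strict-Transport-Security max-age=15768000 always;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer enabled in current
    # browsers, so they are not offered. TLSv1.3 needs nginx >= 1.13.0 built
    # against OpenSSL >= 1.1.1; drop it if "nginx -t" rejects the value.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # MEDIUM (SEED, IDEA, and 3DES on newer OpenSSL) is no longer offered;
    # 3DES is excluded explicitly for older OpenSSL where it is graded HIGH.
    ssl_ciphers HIGH:!aNULL:!ADH:!RC4:!MD5:!3DES;
    # Path is relative to the nginx configuration directory; generate the
    # parameters with at least 2048 bits.
    ssl_dhparam dhparams.pem;
    ssl_session_timeout 10m;
    # The Ubuntu "snakeoil" pair is a self-signed placeholder; replace it with
    # the real certificate chain and private key before going live.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    # About the certificate chain: http://nginx.org/en/docs/http/configuring_https_servers.html#chains

    # Static-file locations: the location prefix and the alias must agree on
    # the trailing slash. With "location /shibboleth-sp" + "alias
    # /var/www/shibboleth-sp/", a request for "/shibboleth-sp../x" mapped to
    # "/var/www/shibboleth-sp/../x", i.e. anything under /var/www. Using the
    # slash on both sides also stops "/staticXYZ" from mapping to a sibling
    # "staticXYZ" path next to the intended directory.

    # Shibboleth2
    location /shibboleth-sp/ {
        # Static files including main.css
        alias /var/www/shibboleth-sp/;
    }
    # FastCGI authorizer for Shibboleth Auth Request module
    location = /shibauthorizer {
        # Only reachable via shib_request, never directly by clients
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
    }
    # FastCGI responder for SSO (SAML endpoints, session handler)
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
    }

    # A+
    location = /favicon.ico {
        alias /srv/aplus/a-plus/static/favicons/favicon.ico;
    }
    location /static/ {
        alias /srv/aplus/a-plus/static/;
    }
    # Only the "public" media sub-tree is exposed; everything else under
    # media/ stays private to the application.
    location /media/public/ {
        alias /srv/aplus/a-plus/media/public/;
    }
    location / {
        if ($maintenance) { return 503; }
        # NOTE(review): Shib-* request headers are NOT cleared here, only in
        # /shibboleth below; the backend must not trust them on this path.
        include uwsgi_params;
        uwsgi_pass aplus-web;
    }
    location /api/ {
        if ($maintenance) { return 503; }
        include uwsgi_params;
        uwsgi_pass aplus-api;
    }
    location /shibboleth {
        if ($maintenance) { return 503; }
        # shibboleth: ask the SP authorizer before passing the request on
        shib_request /shibauthorizer;
        shib_request_use_headers on;
        # Attributes from Shibboleth are introduced as headers by the FastCGI
        # authorizer so we must prevent spoofing: any copy the client sent is
        # stripped first (input-header clearing runs in the rewrite phase, the
        # authorizer sets the genuine values later in the access phase).
        # from: https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/includes/shib_clear_headers
        include shib_clear_headers;
        # NOTE: add all fields which might be read by your A+ installation!
        # TODO: get newer headers-more module with wildcard support!
        # NOTE(review): this list is the only spoofing protection for these
        # attributes; requests to "/" and "/api/" reach the same backends
        # with client-supplied Shib-* headers intact.
        more_clear_input_headers
            shib-eppn
            shib-givenName
            shib-sn
            shib-cn
            shib-displayName
            shib-mail
            shib-preferredLanguage
            shib-schacPersonalUniqueCode
            shib-schacHomeOrganization
            persistent-id
            shib-targeted-id;
        include uwsgi_params;
        uwsgi_pass aplus-web;
    }
}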