Release 2.0.80 - See CHANGELOG.md

Author: tiredofit

CHANGELOG.md

@@ -1,3 +1,10 @@
+## 2.0.80 2025-04-25 <dave at tiredofit dot ca>
+
+   ### Added
+      - Pin to tiredofit/nginx:6.5.17
+      - Update Nginx configuration to support fixes for Handler
+
+
 ## 2.0.79 2025-04-08 <dave at tiredofit dot ca>
 
    ### Added

Dockerfile

@@ -1,7 +1,7 @@
 ARG DISTRO="alpine"
 ARG DISTRO_VARIANT="3.21"
 
-FROM docker.io/tiredofit/nginx:${DISTRO}-${DISTRO_VARIANT}-6.5.10
+FROM docker.io/tiredofit/nginx:${DISTRO}-${DISTRO_VARIANT}-6.5.17
 LABEL maintainer="Dave Conroy (github.com/tiredofit)"
 
 ARG LEMONLDAP_VERSION

install/etc/nginx/sites.available/api.conf

@@ -16,18 +16,23 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
         fastcgi_param PATH_INFO  $fastcgi_path_info;
+        fastcgi_param UNIQUE_ID $request_id;
         # Uncomment this if you use https only
         #add_header Strict-Transport-Security "15768000";
     }
 
     location / {
         rewrite ^/(.*)$ /api.psgi/$1;
         allow 127.0.0.0/8;
+        allow ::1/128;
         deny all;
     }
 
     location /doc/ {
         alias /usr/share/lemonldap-ng/doc/;
+        allow 127.0.0.0/8;
+        allow ::1/128;
+        deny all;
         index index.html start.html;
     }
 

install/etc/nginx/sites.available/handler.conf

@@ -8,20 +8,23 @@ server {
     error_log {{NGINX_LOG_ERROR_LOCATION}}/error-handler.log;
 
     location = /reload {
-        allow 127.0.0.1;
+        allow 127.0.0.0/8;
+        allow ::1/128;
         deny all;
         include /etc/nginx/fastcgi_params;
         fastcgi_pass {{HANDLER_SOCKET}};
         fastcgi_param LLTYPE reload;
     }
 
-    # Client requests
-        location / {
+    location / {
+        auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+        auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
         deny all;
     }
 
     location = /status {
         allow 127.0.0.1;
+        allow ::1/128;
         deny all;
         include /etc/nginx/fastcgi_params;
         fastcgi_pass {{HANDLER_SOCKET}};

install/etc/nginx/sites.available/manager.conf

@@ -5,7 +5,7 @@ server {
     access_log {{NGINX_LOG_ACCESS_LOCATION}}/access-manager.log {{NGINX_LOG_ACCESS_FORMAT}};
     error_log {{NGINX_LOG_ERROR_LOCATION}}/error-manager.log;
 
-    if ($uri !~ ^/(.*\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
+    if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
         rewrite ^/(.*)$ /manager.psgi/$1 break;
     }
 
@@ -16,14 +16,14 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
         fastcgi_param PATH_INFO  $fastcgi_path_info;
-        # Uncomment this if you use https only
-        #add_header Strict-Transport-Security "15768000";
+        fastcgi_param UNIQUE_ID $request_id;
     }
 
     location / {
         index manager.psgi;
         try_files $uri $uri/ =404;
         allow 127.0.0.0/8;
+        allow ::1/128;
         deny all;
     }
 

install/etc/nginx/sites.available/portal.conf

@@ -8,7 +8,7 @@ server {
     rewrite ^/oauth2/gitlab_(authorize.*)$ https://{{PORTAL_HOSTNAME}}/oauth2/$1?scope=openid%20gitlab ;
 
     if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
-        rewrite ^/(.*)$ /index.psgi/$1 break;
+      rewrite ^/(.*)$ /index.psgi/$1 break;
     }
 
     location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
@@ -18,6 +18,8 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
         fastcgi_param PATH_INFO  $fastcgi_path_info;
+        fastcgi_param UNIQUE_ID $request_id;
+
 
         ### REST functions for sessions management (disabled by default)
         location ~ ^/index.psgi/adminSessions {
@@ -52,12 +54,12 @@ server {
     }
 
     index index.psgi;
-
     location / {
         try_files $uri $uri/ =404;
     }
 
     location /static/ {
+        expires 30d;
         alias /usr/share/lemonldap-ng/portal/static/;
     }
 

install/etc/nginx/sites.available/test.conf

@@ -23,6 +23,7 @@ server {
 
         # Keep original request (LLNG server will received /llauth)
         fastcgi_param X_ORIGINAL_URI $original_uri;
+        fastcgi_param UNIQUE_ID $request_id;
     }
 
     # Client requests
@@ -41,6 +42,7 @@ server {
         set $original_uri $uri$is_args$args;
         auth_request /lmauth;
         auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+        auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
         auth_request_set $lmlocation $upstream_http_location;
         # Uncomment this if CDA is used
         #auth_request_set $cookie_value $upstream_http_set_cookie;
@@ -83,6 +85,7 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_split_path_info ^(.*\.pl)(/.+)$;
         fastcgi_param REMOTE_USER $lmremote_user;
+        fastcgi_param REMOTE_CUSTOM $lmremote_custom;
     }
 
     #location = /status {