Re: NGINX and SimpleSAML Config


comel

Oct 2, 2012, 4:10:41 AM10/2/12
to simple...@googlegroups.com


On Tuesday, October 2, 2012 12:46:57 AM UTC+2, Chris Killingsworth wrote:
Greetings

This config has been proven to work, paired with an ADFS IdP running the most current version of ADFS.
  • NGINX web server running on Ubuntu 10.04 (Lucid)...  
  • PHP 5.3.2-1ubuntu4.18 with Suhosin-Patch (cli) (built: Sep 12 2012 19:12:47)
  • SimpleSAML 1.10.0-rc2
This config could not have been completed without the use of the forums and various groups.  I wanted to consolidate what I found and offer it as a way of thanks for the information, and to make it easier for fellow adventurers...  Please re-use or publish as needed.


Objective:  Use NGINX with SSL to run simplesamlphp as an SP (or anything else you might want)

Prerequisites:
  • Install PHP (along with the appropriate modules), NGINX and FastCGI 
  • Test the PHP / NGINX config using the standard phpinfo test.
  • Once done, install simplesaml as documented, but switch out the Apache config for the NGINX one.  I would recommend setting up simplesaml on Apache in a test env first, just to see how it works...  It takes literally 10 mins to install
Notes:
  • ADFS requires HTTPS connections...   
  • You can obtain xml files for the SP and the IDP from weblinks.
  • The below config broke something, so the only way to access the admin GUI is to go to https://<FQDN>/simplesaml/module.php/core/frontpage_welcome.php.  Everything else is functional.
  • FQDN = Fully Qualified Domain Name..   

NGINX Conf File (SSL)


server {
    listen 443;

    ssl on;
    ssl_certificate     /etc/ssl/certs/FQDN.crt;
    ssl_certificate_key /etc/ssl/private/FQDN.key;
    ssl_protocols       SSLv3 TLSv1;
    ssl_ciphers         ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    server_name         FQDN;

    access_log /var/log/sp/access.log;
    error_log  /var/log/sp/error.log;

    # Document root is the top of the simplesaml checkout, not its www/ subdirectory
    root   /var/www/simplesaml;
    # (rest of the server block not quoted in this reply)

This is a security flaw, because the whole simplesaml directory is available, with all configuration files and certificates, i.e. you can browse to FQDN/config/config.php and get the config.php source. root should be set to /var/www/simplesaml/www.

Riccardo Valzorio

Oct 2, 2012, 4:20:45 AM10/2/12
to simple...@googlegroups.com, comel
Hi all,

this is what I did to get it working (with Filesender). If you want to
test it out, just remove the Filesender sections!

I still have an "autoindex" issue in this config... still working on it
(you have to call the URL http://.../simplesaml/index.php instead of
http://.../simplesaml/).


Bye!

Ric


server {
    listen 80;
    server_name blabla;
    access_log /tmp/localhost.access.log;
    error_log  /tmp/localhost.error.log debug;

    # PHP scripts under /simplesaml/ are served from the www/ directory only.
    # fastcgi_split_path_info puts the part after the /simplesaml prefix into
    # $fastcgi_script_name (so it resolves under root) and any trailing path
    # into $fastcgi_path_info; SCRIPT_NAME is rebuilt with the prefix so
    # simpleSAMLphp generates URLs that start with /simplesaml.
    location ~ /simplesaml/.*\.php {
        root /var/simplesaml/www;
        fastcgi_split_path_info ^/simplesaml((?U).*\.php)(/?.*)$;
        fastcgi_param SCRIPT_NAME /simplesaml$fastcgi_script_name;
        fastcgi_pass backend;
        fastcgi_index index.php;
        ##### more ...
        include fastcgi_params;
    }

    # Same pattern for Filesender; remove this block if you only want simpleSAMLphp.
    location ~ /filesender/.*\.php {
        root /home/rik/Devel/filesender/www;
        fastcgi_split_path_info ^/filesender((?U).*\.php)(/?.*)$;
        fastcgi_param SCRIPT_NAME /filesender$fastcgi_script_name;
        fastcgi_pass backend;
        fastcgi_index index.php;
        ##### more ...
        include fastcgi_params;
    }

    # Static assets: strip the application prefix and serve from that app's www/.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        # SSP images
        if ($request_uri ~ /simplesaml) {
            rewrite /simplesaml(.*) $1 break;
            root /var/simplesaml/www;
        }
        # other images ...
        if ($request_uri ~ /filesender) {
            rewrite /filesender(.*) $1 break;
            root /home/rik/Devel/filesender/www;
        }
        try_files $uri $uri/ /index.php;
    }

}

# PHP FastCGI backend (php-fpm or spawn-fcgi listening on TCP 9000)
upstream backend {
    server 127.0.0.1:9000;
}



--
Dr. Riccardo Valzorio
Servizi Sistemistici, sicurezza e reti
mail: valz...@cilea.it - skype: riccardo.valzorio
Ph: +39 02 26995.384 - mob. +39 348 1328436 - fax +39 02 2135520
CILEA - Consorzio Interuniversitario
http://www.cilea.it/disclaimer

"A computer is like air conditioning: it becomes useless when you open
windows." L. Torvalds
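Editor's added example (not code from either post above): a single server block that addresses both points raised in this thread, comel's finding that `root /var/www/simplesaml` serves config/ and cert/ to anyone, and Riccardo's /simplesaml/ prefix handling, including the index.php "autoindex" issue. It assumes a current nginx (named regex captures and the `if_not_empty` flag need 1.1.11 or later, TLSv1.3 needs 1.13.0 with OpenSSL 1.1.1, so not the nginx shipped with Ubuntu 10.04), PHP-FPM listening on 127.0.0.1:9000, and a simpleSAMLphp checkout at /var/www/simplesaml; `sp.example.org`, the certificate paths and `/var/www/html` are placeholders. It also replaces the SSLv3/TLSv1 protocol list from the quoted config with TLS 1.2+, which is standard practice today, not something the thread itself discusses.

```nginx
server {
    listen 443 ssl;
    server_name sp.example.org;             # placeholder: the SP's FQDN

    ssl_certificate     /etc/ssl/certs/FQDN.crt;
    ssl_certificate_key /etc/ssl/private/FQDN.key;
    # SSLv3 and TLSv1 from the quoted config are obsolete; offer only TLS 1.2+.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    access_log /var/log/sp/access.log;
    error_log  /var/log/sp/error.log;

    # Document root for the site itself (the application that consumes the
    # SAML assertion). The simpleSAMLphp checkout lives OUTSIDE this tree, so
    # /config/config.php, /cert/*.pem and /metadata/* are never reachable here.
    root /var/www/html;

    # Everything under /simplesaml/ is mapped onto the www/ directory of the
    # checkout only. A request for /simplesaml/config/config.php therefore
    # resolves to /var/www/simplesaml/www/config/config.php, which does not
    # exist, and returns 404 instead of leaking the file.
    location ^~ /simplesaml {
        alias /var/www/simplesaml/www;
        index index.php;                    # makes /simplesaml/ work without index.php

        # Split "/simplesaml" + "/module.php" + "/core/frontpage_welcome.php"
        # into prefix, script and PATH_INFO. simpleSAMLphp routes on PATH_INFO,
        # so it must be passed through or only the front page will work.
        location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;    # PHP-FPM, assumed
            fastcgi_param SCRIPT_FILENAME /var/www/simplesaml/www$phpfile;
            fastcgi_param SCRIPT_NAME     $prefix$phpfile;
            fastcgi_param PATH_INFO       $pathinfo if_not_empty;
        }
    }
}
```

After `nginx -t && nginx -s reload`, check the fix from outside: `curl -sI https://sp.example.org/simplesaml/config/config.php` and `curl -sI https://sp.example.org/config/config.php` should both return 404, while `https://sp.example.org/simplesaml/module.php/core/frontpage_welcome.php` should no longer 404 (it returns 200 or a redirect to the login flow). Note that `^~` stops nginx from evaluating any server-level regex locations for /simplesaml/ URLs, so any extra rule you want applied there (for example a deny on dotfiles) has to be nested inside this block.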
