diff --git a/group_vars/all b/group_vars/all
index 0ae244ca..6ffd2da3 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -133,7 +133,7 @@ whitelisted_anonymous_docker_volumes: []
 nginx_configuration_directory: "/etc/nginx/conf.d/" # General configuration dir
 nginx_servers_directory: "{{nginx_configuration_directory}}servers/" # Contains server blogs
 nginx_maps_directory: "{{nginx_configuration_directory}}maps/" # Contains mappins
-nginx_upstreams_directory: "{{nginx_configuration_directory}}upstreams/" # Contains upstream configurations
+nginx_streams_directory: "{{nginx_configuration_directory}}streams/" # Contains streams configuration e.g. for ldaps
 nginx_well_known_root: "/usr/share/nginx/well-known/" # Path where well-known files are stored
 nginx_homepage_root: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored
diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md
index 233b1f87..d844d552 100644
--- a/roles/docker-ldap/README.md
+++ b/roles/docker-ldap/README.md
@@ -125,6 +125,9 @@ The following directories are mounted in the container:
 - [Bitnami OpenLDAP](https://hub.docker.com/r/bitnami/openldap)
 - [phpLDAPadmin Documentation](https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container)
 - [LDAP Account Manager](https://github.com/LDAPAccountManager/docker)
+- https://github.com/bitnami/containers/issues/53392
+- https://kb.i-doit.com/de/administration/troubleshooting/ldap-via-tls.html
+- https://forum.ubuntuusers.de/topic/tls-verbindung-mit-openldap/
 ---
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index d92864a9..89f16622 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
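Review bot: Renaming `nginx_upstreams_directory` to `nginx_streams_directory` removes the old name instead of adding a new one, so any role that still renders into `{{nginx_upstreams_directory}}` (none is visible in this diff, so worth a grep) fails with an undefined variable on the next run, and `upstream {}` files already deployed under `upstreams/` stop being loaded because nginx.conf drops that include in this same commit. If upstream blocks are genuinely unused, a task removing the stale `upstreams/` directory would avoid confusion; otherwise keep both variables. The new comment could also say what consumes the files: `# Contains stream{} server blocks, included by nginx.conf (e.g. LDAPS proxy)`.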
@@ -5,16 +5,18 @@
 - name: "include tasks nginx-docker-proxy-domain.yml"
   include_tasks: nginx-docker-proxy-domain.yml
 
+- name: create {{domain}}.conf
+  template:
+    src: "nginx.stream.conf.j2"
+    dest: "{{nginx_streams_directory}}{{domain}}.conf"
+  notify: restart nginx
+
 - name: "create {{docker_compose_instance_directory}}"
   file:
     path: "{{docker_compose_instance_directory}}"
     state: directory
     mode: 0755
 
-- name: "include the nginx-docker-cert-deploy role"
-  include_role:
-    name: nginx-docker-cert-deploy
-
 - name: add docker-compose.yml
   template:
     src: "docker-compose.yml.j2"
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 4752f4f3..a76762c0 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
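Review bot: The `include_role: nginx-docker-cert-deploy` task is dropped, but the compose template in this same commit still mounts `{{cert_mount_directory}}:/certs:ro` while the container no longer reads `/certs`, so the mount now points at a directory nothing populates; either remove the volume or keep the role. The new `create {{domain}}.conf` task notifies `restart nginx` with a stream config that hard-references `/etc/letsencrypt/live/{{domain}}/`; if that certificate does not exist when the handler fires, the config test fails and the restart takes every site on the host down, not just LDAP, so the task should run only after the certificate is known to exist (presumably what nginx-docker-proxy-domain.yml does, confirm) or be guarded by a `stat` on the fullchain. For consistency with the surrounding tasks the name should be quoted: `- name: "create {{domain}}.conf"`.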
@@ -16,28 +16,23 @@ services:
       driver: journald
     restart: {{docker_restart_policy}}
     ports:
-      - '127.0.0.1:389:389' # Expose just on local host for security reasons, phpLDAPadmin requires this
-      - '636:636' # Expose to internet
+      - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}} # Expose just on localhost so that nginx stream proxy can use it
+      - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
     environment:
       # @See https://hub.docker.com/r/bitnami/openldap
-
+
       # GENERAL
-      LDAP_ADMIN_USERNAME: {{ldap_administrator_username}} # LDAP database admin user.
-      LDAP_ADMIN_PASSWORD: {{ldap_administrator_password}} # LDAP database admin password.
-      #LDAP_USERS: user01,user02 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
-      #LDAP_PASSWORDS: password1,password2 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami
-      LDAP_ROOT: {{ldap_root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
-      LDAP_ADMIN_DN: {{ldap_admin_dn}}
-      LDAP_PORT_NUMBER: 389 # Route to default port
+      LDAP_ADMIN_USERNAME: {{ldap_administrator_username}} # LDAP database admin user.
+      LDAP_ADMIN_PASSWORD: {{ldap_administrator_password}} # LDAP database admin password.
+      #LDAP_USERS: user01,user02 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+      #LDAP_PASSWORDS: password1,password2 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami
+      LDAP_ROOT: {{ldap_root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+      LDAP_ADMIN_DN: {{ldap_admin_dn}}
+      LDAP_PORT_NUMBER: {{ldap_localhost_port}} # Route to default port
       # TLS
-      LDAP_ENABLE_TLS: yes # Whether to enable TLS for traffic or not. Defaults to no
-      LDAP_REQUIRE_TLS: no # Deactivated so that it can be accessed on the server itself via phpldapadmin
-      LDAP_LDAPS_PORT_NUMBER: 636 # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
-      LDAP_TLS_CERT_FILE: /certs/cert.pem # File containing the certificate file for the TLS traffic. No defaults.
-      LDAP_TLS_KEY_FILE: /certs/key.pem # File containing the key for certificate. No defaults.
-      LDAP_TLS_CA_FILE: /certs/chain.pem # File containing the CA of the certificate. No defaults.
-      #LDAP_TLS_DH_PARAMS_FILE: # File containing the DH parameters. No defaults.
+      LDAP_ENABLE_TLS: no # Using nginx proxy
+      LDAP_LDAPS_PORT_NUMBER: {{ldap_secure_localhost_port}} # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
     volumes:
       - {{cert_mount_directory}}:/certs:ro
       - 'data:/bitnami/openldap'
diff --git a/roles/docker-ldap/templates/nginx.stream.conf.j2 b/roles/docker-ldap/templates/nginx.stream.conf.j2
new file mode 100644
index 00000000..aae7147c
--- /dev/null
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@@ -0,0 +1,10 @@
+server {
+    listen {{ldap_secure_internet_port}} ssl;
+    proxy_pass 127.0.0.1:{{ldap_localhost_port}};
+
+    # SSL Configuration for LDAPS
+    ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+}
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index 78dfcbb3..12c0473f 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -1,4 +1,7 @@
 docker_compose_project_name: "ldap"
 ldap_root: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 ldap_admin_dn: "cn={{ldap_administrator_username}},{{ldap_root}}"
-cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
\ No newline at end of file
+cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
+ldap_secure_localhost_port: 1636
+ldap_secure_internet_port: 636
+ldap_localhost_port: 389
\ No newline at end of file
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 8246a4e9..a91a122a 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,7 +19,7 @@
   loop:
     - "{{nginx_servers_directory}}"
     - "{{nginx_maps_directory}}"
-    - "{{nginx_upstreams_directory}}"
+    - "{{nginx_streams_directory}}"
   when: run_once_nginx is not defined
 
 - name: create nginx config file
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index d0531d54..9564df3e 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -33,8 +33,12 @@ http
     gzip_min_length 256;
     gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
-    types_hash_max_size 4096;
-    include {{nginx_upstreams_directory}}*.conf;
+    types_hash_max_size 4096;
     include {{nginx_maps_directory}}*.conf;
     include {{nginx_servers_directory}}*.conf;
 }
+
+# For port proxies
+stream{
+    include {{nginx_streams_directory}}*.conf;
+}
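Review bot: With `LDAP_ENABLE_TLS: no` the container no longer terminates TLS, so `LDAP_LDAPS_PORT_NUMBER: {{ldap_secure_localhost_port}}` and the second `127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}}` port mapping are dead configuration (nothing listens with TLS on that port) and the `{{cert_mount_directory}}:/certs:ro` volume is likewise unused now; drop all three or comment why they stay. `no` is also a YAML 1.1 boolean, and compose asks for boolean-looking environment values to be quoted — `LDAP_ENABLE_TLS: "no"` — because otherwise the value may reach the image as `false` rather than `no` (the removed `yes`/`no` lines had the same latent issue). The security trade here holds only because both mappings bind to 127.0.0.1, which keeps the now-plaintext 389 off the network; a one-line comment above `ports:` stating that invariant would stop a later edit from widening it. The start of this hunk, including the `ports:` lines, is on the previous source line.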
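Review bot: `listen {{ldap_secure_internet_port}} ssl;` binds IPv4 only, whereas the removed docker mapping `'636:636'` published on both stacks, so IPv6 clients now get connection refused; add `listen [::]:{{ldap_secure_internet_port}} ssl;` if the host has a public v6 address. `ssl_ciphers HIGH:!aNULL:!MD5;` is nginx's built-in default and still permits non-forward-secret RSA key exchange under TLSv1.2; prefer an ECDHE-only list plus `ssl_prefer_server_ciphers on;`, ideally the same settings the http server blocks already use so the two do not drift. There is also no `proxy_timeout`, and the stream module's default of 10 minutes will silently drop idle but long-lived LDAP connections, which some clients keep open for hours — set it deliberately and note the choice in the comment.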
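Review bot: The three new port variables land in `vars/main.yml`, which sits near the top of Ansible precedence and cannot be overridden from inventory or group_vars, so a host where 636 is already taken has no way to change `ldap_secure_internet_port` short of editing the role; `defaults/main.yml` is the conventional place for tunables like these. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides) — worth fixing while the file is being touched.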
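Review bot: The new `stream{` block assumes the stream module is built in or already loaded; on distributions that ship it as a dynamic module, nginx.conf needs `load_module modules/ngx_stream_module.so;` at the top level before the block, otherwise the config test fails with an unknown `stream` directive and the `restart nginx` handler takes every site on the host down. The removed `include {{nginx_upstreams_directory}}*.conf;` is not replaced by anything, so any upstream definitions still present in that directory silently stop loading (see my note on group_vars/all). Style: write `stream {` with a space to match the `http {` block above.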