diff --git a/README.md b/README.md index b780c29..77f0745 100644 --- a/README.md +++ b/README.md @@ -81,12 +81,22 @@ Configuration is via environmental variables. Please bear the following in mind ### Optional: -#### Organisation settings + +#### Web server settings * `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from. * `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy. + +* `SERVER_PORT` (default: *80 or 80+443*): The port the webserver inside the container will listen on. If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS. When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true). This is for use when the container's Docker network mode is set to `host`. + +* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates) +* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out. + + +#### Organisation settings + * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name. * `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management". 
@@ -173,13 +183,6 @@ To send emails you'll need to use an existing SMTP server. Email sending will b * `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to. -**Site security settings** - -#### Website security - -* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates) - -* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out. #### Debugging settings diff --git a/entrypoint b/entrypoint index 640424c..c7863ed 100644 --- a/entrypoint +++ b/entrypoint @@ -17,14 +17,15 @@ fi if [ "$LDAP_TLS_CACERT" ]; then echo "$LDAP_TLS_CACERT" >/opt/ca.crt - sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf + mkdir -p /etc/ldap + echo "TLS_CACERT /opt/ca.crt/" > /etc/ldap/ldap.conf fi if [ "${NO_HTTPS,,}" == "true" ]; then cat </etc/apache2/sites-enabled/lum.conf - + ServerName $SERVER_HOSTNAME DocumentRoot $php_dir @@ -39,6 +40,8 @@ if [ "${NO_HTTPS,,}" == "true" ]; then EoHTTPC + echo "Listen ${SERVER_PORT:-80}" > /etc/apache2/ports.conf + else ######################## @@ -112,7 +115,14 @@ EoCertConf if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi - cat </etc/apache2/sites-enabled/lum.conf + echo > /etc/apache2/sites-enabled/lum.conf + echo > /etc/apache2/ports.conf + + if [ ! "$SERVER_PORT" ]; then + + echo "Listen 80" > /etc/apache2/ports.conf + + cat </etc/apache2/sites-enabled/lum.conf @@ -121,7 +131,15 @@ EoCertConf - +EoHTTPrd + + fi + + echo "Listen ${SERVER_PORT:-443}" >> /etc/apache2/ports.conf + + cat <>/etc/apache2/sites-enabled/lum.conf + + ServerName $SERVER_HOSTNAME @@ -143,7 +161,6 @@ EoHTTPSC fi -cat /etc/apache2/sites-enabled/lum.conf ######################## #Run Apache 
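Review bot: The new ldap.conf line points TLS_CACERT at `/opt/ca.crt/` with a trailing slash, while the line just above writes the certificate to `/opt/ca.crt`, so libldap will not find the CA bundle. Depending on the TLS_REQCERT setting in effect that means either failed LDAP TLS connections or, if certificate checking has been relaxed elsewhere, a session that is never verified against the intended CA — which of the two I can't tell from this diff. The line should read `echo "TLS_CACERT /opt/ca.crt" > /etc/ldap/ldap.conf`. Note also that this now overwrites the whole file rather than editing one directive as the old `sed` did, so any other settings the base image's ldap.conf carried are dropped; if that is intended, a short comment above the `mkdir -p` saying so would save the next reader a question.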
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php index e5c367c..566d692 100644 --- a/www/account_manager/show_group.php +++ b/www/account_manager/show_group.php @@ -55,6 +55,7 @@ elseif (isset($_POST['initialise_group'])) { } else { $new_group = FALSE; + $initialise_group = TRUE; $current_members = ldap_get_group_members($ldap_connection,$group_cn); $full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn); $has_been = "updated"; @@ -279,7 +280,7 @@ ldap_close($ldap_connection); -
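Review bot: `$initialise_group = TRUE;` is added in the `else` branch that handles an existing group (`$new_group = FALSE`), but the `elseif (isset($_POST['initialise_group']))` branch immediately above is cut off in this hunk, so I can't tell whether that branch sets the same flag or why an existing group should be treated as initialised. A one-line why-comment above the assignment would help, e.g. `# existing groups are always treated as initialised — TODO confirm against the code that reads $initialise_group`. The enclosing if/elseif chain starts before this hunk.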
+ /show_group.php" method="post"> diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php index 16f7f4d..e181c20 100644 --- a/www/account_manager/show_user.php +++ b/www/account_manager/show_user.php @@ -499,7 +499,7 @@ if ($ldap_search) { - + /show_user.php" method="post">
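Review bot: The PHP expression printed in front of `/show_user.php` in the new `action` attribute has been stripped by the page renderer, so I can't confirm that it is HTML-escaped; the same applies to the matching change in show_group.php above. If it is `$THIS_MODULE_PATH` (assembled in web_functions.inc.php from `$SERVER_PATH`, which comes from configuration) the risk is low, but a value placed inside an attribute should still be emitted as `htmlspecialchars($THIS_MODULE_PATH, ENT_QUOTES)` rather than a bare print. Replacing the old `$CURRENT_PAGE`, which came from `$_SERVER['PHP_SELF']`, with a configured path is a good change in itself, since PHP_SELF reflects request-supplied path segments.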
diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php index 46fcadb..7b4d442 100644 --- a/www/includes/web_functions.inc.php +++ b/www/includes/web_functions.inc.php @@ -7,7 +7,6 @@ $IS_ADMIN = FALSE; $IS_SETUP_ADMIN = FALSE; $ACCESS_LEVEL_NAME = array('account','admin'); unset($USER_ID); -$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']); $SENT_HEADERS = FALSE; $SESSION_TIMED_OUT = FALSE; @@ -36,13 +35,6 @@ include ("modules.inc.php"); # module definitions if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; } $THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}"; -$DEFAULT_COOKIE_OPTIONS = array( 'expires' => time()+(60 * $SESSION_TIMEOUT), - 'path' => $SERVER_PATH, - 'domain' => '', - 'secure' => TRUE, - 'samesite' => 'strict' - ); - validate_passkey_cookie(); ###################################################### @@ -63,7 +55,7 @@ function set_passkey_cookie($user_id,$is_admin) { # Create a random value, store it locally and set it in a cookie. - global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS; + global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG; $passkey = generate_passkey(); 
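Review bot: `$CURRENT_PAGE` is deleted in the first hunk, but only show_group.php and show_user.php are updated in this diff to stop using it; any other template that still prints `$CURRENT_PAGE` into a form action would now raise an undefined-variable notice and emit an empty action, which I can't verify from here — worth a grep before merging. The variable was `htmlentities($_SERVER['PHP_SELF'])`, so removing it drops a reliance on a request-controlled value, which is the right direction.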
@@ -76,10 +68,10 @@ function set_passkey_cookie($user_id,$is_admin) { } $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); @ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time"); - setcookie('orf_cookie', "$user_id:$passkey", $DEFAULT_COOKIE_OPTIONS); - $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS; - $sessto_cookie_opts['expires'] = $this_time+7200; - setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $sessto_cookie_opts); + + setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE); + setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $this_time+7200, '/', '', '', TRUE); + if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); } $VALIDATED = TRUE; @@ -146,16 +138,16 @@ function set_setup_cookie() { # Create a random value, store it locally and set it in a cookie. - global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS; + global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG; $passkey = generate_passkey(); $this_time=time(); $IS_SETUP_ADMIN = TRUE; - file_put_contents("/tmp/ldap_setup","$passkey:$this_time"); + @ file_put_contents("/tmp/ldap_setup","$passkey:$this_time"); - setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS); + setcookie('setup_cookie', "$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE); if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); } 
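Review bot: In the new `setcookie('orf_cookie', "$user_id:$passkey", ..., '/', '', '', TRUE)` call the sixth positional argument is the `secure` flag and `''` is false, so the session cookie is now sent over plain HTTP as well, and because the legacy seven-argument signature cannot express SameSite, the `'samesite' => 'strict'` that the removed `$DEFAULT_COOKIE_OPTIONS` carried is lost too; the same applies to `sessto_cookie` here, to `setup_cookie` in the next hunk, and to the expiry calls in `log_out`. If the motivation was that a hard-coded `'secure' => TRUE` broke `NO_HTTPS` test deployments, derive the flag from the request instead of hard-coding it off (e.g. `!empty($_SERVER['HTTPS'])`, or a config value mirroring `NO_HTTPS` if one is exposed to PHP — none is visible in this diff) and keep the options-array form so `samesite` and `httponly` survive. Separately, the `@` added to `file_put_contents("/tmp/ldap_setup", ...)` in the next hunk hides a failed write of the very passkey the cookie is later checked against; test the return value and log on failure instead. The rest of set_passkey_cookie lies outside this hunk.

```php
  # … unchanged: passkey file write above …
  $cookie_opts = array( 'expires'  => $this_time+(60 * $SESSION_TIMEOUT),
                        'path'     => '/',
                        'domain'   => '',
                        'secure'   => !empty($_SERVER['HTTPS']),   # TODO: or a config flag mirroring NO_HTTPS
                        'httponly' => TRUE,
                        'samesite' => 'Strict'
                      );
  setcookie('orf_cookie', "$user_id:$passkey", $cookie_opts);
  setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), array_merge($cookie_opts, array('expires' => $this_time+7200)));
  # … unchanged: debug logging and $VALIDATED = TRUE below …
```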
@@ -206,15 +198,10 @@ function log_out($method='normal') { global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS; - $this_time=time(); + $expire_time=time()-20000; - $orf_cookie_opts = $DEFAULT_COOKIE_OPTIONS; - $orf_cookie_opts['expires'] = $this_time-20000; - $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS; - $sessto_cookie_opts['expires'] = $this_time-20000; - - setcookie('orf_cookie', "", $DEFAULT_COOKIE_OPTIONS); - setcookie('sessto_cookie', "", $DEFAULT_COOKIE_OPTIONS); + setcookie('orf_cookie', "", $expire_time, '/', '', '', TRUE); + setcookie('sessto_cookie', "", $expire_time, '/', '', '', TRUE); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID); @ unlink("/tmp/$filename");
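Review bot: The `global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS;` line at the top of this hunk still names `$DEFAULT_COOKIE_OPTIONS`, which this same commit deletes from the top of the file, so it is now a dangling global; `$SERVER_PATH` also looks unused once the path is the fixed `'/'`, though the rest of log_out is outside the hunk so I can't be certain. Trim it to `global $USER_ID;` once that is confirmed. If the set-side calls in set_passkey_cookie go back to the options-array form, mirror the same `path` here, because the browser only matches the expiring cookie on name, domain and path and a mismatch leaves the live cookie in place.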