fix(nubus): Disable UDM REST API routing by default and always disable UMC local login.

Thorsten Roßner
2024-06-03 16:10:50 +02:00
parent af711b0edb
commit e1e8a7f121
2 changed files with 35 additions and 19 deletions


@@ -1317,6 +1317,21 @@ stack-gateway:
proxy_set_header X-Forwarded-Port $http_x_forwarded_port; proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
{{ if .Values.externalServices.nubus.udmRestApi.enabled }}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
{{ end }}
## portal-frontend ## portal-frontend
# The frontend does not own "/univention/portal" nor # The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits # "/univention/selfservice", only these two bits
@@ -1419,18 +1434,6 @@ stack-gateway:
} }
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway ## umc-gateway
location = /univention/languages.json { location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80; proxy_pass http://ums-umc-gateway:80;
@@ -1444,7 +1447,13 @@ stack-gateway:
location /univention/js/ { location /univention/js/ {
proxy_pass http://ums-umc-gateway:80; proxy_pass http://ums-umc-gateway:80;
} }
location /univention/login/ { location /univention/login/main.js {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/LoginDialog.js {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/i18n/ {
proxy_pass http://ums-umc-gateway:80; proxy_pass http://ums-umc-gateway:80;
} }
location /univention/management/ { location /univention/management/ {
@@ -1455,12 +1464,13 @@ stack-gateway:
} }
## umc-server ### umc-server
location = /univention/auth { ## Do not support local authentication
rewrite ^/univention(/.*)$ $1 break; #location = /univention/auth {
proxy_pass http://ums-umc-server:80; # rewrite ^/univention(/.*)$ $1 break;
proxy_set_header X-UMC-HTTPS 'on'; # proxy_pass http://ums-umc-server:80;
} # proxy_set_header X-UMC-HTTPS 'on';
#}
location /univention/logout { location /univention/logout {
rewrite ^/univention(/.*)$ $1 break; rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80; proxy_pass http://ums-umc-server:80;
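Review bot: Commenting out `location = /univention/auth` removes only the explicit route, so whether local login is really refused depends on the other locations in the stack-gateway config, which continues outside these hunks. If a broader prefix location there (a catch-all or a `/univention/` block) still matches the path, the request would be forwarded to whatever upstream that block names. An explicit deny makes the intent enforceable and testable: replace the commented block with `location = /univention/auth { return 404; }` and delete the dead lines. The new `/univention/login/main.js` and `/univention/login/LoginDialog.js` entries are prefix matches and so also cover longer paths that begin with those strings; `location = /univention/login/main.js` (and likewise for `LoginDialog.js`) would confine them to the two files.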


@@ -7,4 +7,10 @@ authentication:
# Note: Removing a group from the list will not disable 2FA for the removed group. # Note: Removing a group from the list will not disable 2FA for the removed group.
groups: groups:
- "Domain Admins" - "Domain Admins"
externalServices:
nubus:
udmRestApi:
# Set to 'true' if you don't want to make the UDM REST API from the Nubus stack externally available
enabled: false
... ...
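Review bot: The comment above `enabled: false` states the opposite of what the template does. The gateway hunk emits the `/univention/udm/` location only inside `{{ if .Values.externalServices.nubus.udmRestApi.enabled }}`, so `true` publishes the UDM REST API through the gateway and `false` keeps it unrouted. An operator who follows the comment to keep the API internal would expose it instead. Suggested wording: `# Set to 'true' only if the UDM REST API of the Nubus stack must be reachable externally through the gateway; the default 'false' leaves it unrouted.`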