Nginx configuration
Prev Appendix B. Security Next

Nginx configuration

There is no fully automatic setup of Nginx but LAM provides a ready-to-use configuration file.

Security headers

LAM already sets several security headers by default. For production machines it is recommended to run LAM with "https://" enabled. In this case the HSTS header should be set.

This will enforce browsers to connect via "https://". Please note that you need to make sure that your installation has a valid certificate now and in the future.

The example configurations below already include a commented example for "Strict-Transport-Security" (HSTS). You can activate it if needed.

RPM based installations

The RPM package has dependencies on Apache. Therefore, Nginx is not officially supported with this installation mode. Use tar.bz2 if you are unsure.

However, the package also includes an Nginx configuration file. Please include it in your server directive like this:

server {
        ...

        include /etc/ldap-account-manager/lam.nginx.conf;

        ...
}

The included config file uses "127.0.0.1:9000" for PHP. In case you run PHP with a socket please update the parameter "fastcgi_pass" to e.g. "/var/run/php8-fpm.sock".

DEB based installations

The LAM installation package ships with an Nginx configuration file. Please include it in your server directive like this:

server {
        ...

        include /etc/ldap-account-manager/nginx.conf;

        ...
}

The included config file uses PHP 8.2. In case you run with a different PHP version please update the parameter "fastcgi_pass" to e.g. "/var/run/php/php8.3-fpm.sock".

tar.bz2 based installations

Please add the following configuration snippet to your server directive.

You will need to change the alias location ("/usr/share/ldap-account-manager") and fastcgi_pass (e.g. "/var/run/php/php-fpm.sock" or "/var/run/php8-fpm.sock") to match your installation.

location /lam {
  index index.html;
  alias /usr/share/ldap-account-manager;
  autoindex off;
  # HSTS header to enforce https:// connections
  # add_header Strict-Transport-Security "max-age=31536000";

  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php8-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
  }

  location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
    deny all;
    return 403;
  }

}
Prev Up Next
Apache configuration Home WebAuthn/FIDO2