# -*- coding: ascii -*-
"""
web2ldapcnf - Configure the basic behaviour of web2ldap.py

See documentation for details:
https://www.web2ldap.de/web2ldapcnf.html

(c) 1998-2021 by Michael Stroeder <michael@stroeder.com>
"""

import os

from web2ldap.log import logger
from web2ldap import TEMPLATES_DIR

#---------------------------------------------------------------------------
# General options
#---------------------------------------------------------------------------

# Base URL path under which the application accepts requests.
url_path = '/web2ldap'

# Trace level of the LDAP connection.  Trace output goes to error output
# unless Python was started with -O.  Any non-zero value writes the
# protocol exchange *including passwords/credentials* to that log, so only
# raise it while debugging and only when the log destination is protected.
ldap_trace_level = 0

# Seconds that search results are kept in the short-time cache.
ldap_cache_ttl = 6.0

# Debug level passed on to the OpenLDAP client libs.  As with
# ldap_trace_level, non-zero values may disclose confidential information
# to the log; leave at zero unless the logs are protected.
ldap_opt_debug_level = 0

# Upper bound (bytes) for LDIF data in the <TEXTAREA> of addform/modifyform.
ldif_maxbytes = 200000

# URL schemes for which URLs embedded in LDIF input are processed at all.
# Beware: this can be a security nightmare - think twice before enabling
# any scheme.  The empty list ignores every URL found in LDIF input and is
# the safe default.
#ldif_url_schemes = ['http','ftp']
ldif_url_schemes = []

# Upper bound on the number of attribute input fields in addform/modifyform.
input_maxattrs = 3000

# Upper bound on the length of an attribute value typed into an input field
# of addform/modifyform.
input_maxfieldlen = 600000

# Upper bound on the number of search parameters in a search form.
max_searchparams = 20

# Name of the environment variable holding the browser's IP address.
# NOTE(review): presumably this address is what per-IP session limits and
# access_allowed are evaluated against - only switch to a forwarded-for
# header behind a reverse proxy that overwrites it, because a client can
# set such a header itself.
# httpenv_remote_addr = 'HTTP_X_FORWARDED_FOR'
httpenv_remote_addr = 'REMOTE_ADDR'

# Environment variables to set or override for every request.
httpenv_override = {
    # Setting HTTPS=on explicitly forces the "secure" cookie flag no
    # matter what the web server reports.
    #'HTTPS': 'on',
}

#---------------------------------------------------------------------------
# Global HTML options (templates etc.)
#---------------------------------------------------------------------------

# HTML template of the initial connect dialogue.
connect_template = os.path.join(TEMPLATES_DIR, 'connect.html')

# HTML template of the redirect page.
redirect_template = os.path.join(TEMPLATES_DIR, 'redirect.html')

# Separator placed between web2ldap's internal links in the middle area.
# The bullet (U+2022) is spelled as an escape so the source file stays
# within the ascii coding declared at the top of this file.
command_link_separator = ' \u2022 '

#---------------------------------------------------------------------------
# Logging options
#---------------------------------------------------------------------------

# Log exceptions together with details of the LDAP connection and the HTTP
# request.  Bound to __debug__, i.e. switched off when running with -O.
log_error_details = __debug__

#---------------------------------------------------------------------------
# Global security options
#---------------------------------------------------------------------------

# Upper bound on concurrently stored web sessions.
session_limit = 40

# Upper bound on concurrent web sessions coming from one remote IP.
session_per_ip_limit = 8

# Idle time (seconds) after which a session is expired and its data removed
# silently, without any possibility to re-login into it.
# Seconds of inactivity after which a web session is expired and removed
# silently; there is no way to re-login into the expired session.
session_remove = 1800

# Request environment variables that are assumed to stay constant across
# all requests of one web session (if they exist at all).  They are
# cross-checked each time a session is restored by its ID to reduce the
# risk of session hijacking.
session_checkvars = (
    # Client address/name.  These may legitimately change when the client
    # reaches us through a network of web proxy siblings.
    'REMOTE_ADDR',
    'REMOTE_HOST',
    'REMOTE_IDENT',
    'REMOTE_USER',
    # Possibly set by a proxy in front of us, but easily spoofed by the
    # client.
    # NOTE(review): 'X-Real-IP' is not in the CGI/WSGI HTTP_* form (that
    # would be HTTP_X_REAL_IP); confirm how this name reaches the request
    # environment, otherwise the entry never matches anything.
    'FORWARDED_FOR',
    'HTTP_X_FORWARDED_FOR',
    'X-Real-IP',
    # Weak signals on their own, but better than nothing.
    'HTTP_USER_AGENT',
    'HTTP_ACCEPT_CHARSET',
    'HTTP_ACCEPT_LANGUAGE',
    'HTTP_HOST',
    # Parameters negotiated for the TLS connection.
    'SSL_CIPHER_ALGKEYSIZE',
    'HTTPS_KEYSIZE',
    'SSL_KEYSIZE',
    'SSL_SERVER_KEY_SIZE',
    'SSL_CIPHER_EXPORT',
    'HTTPS_EXPORT',
    'SSL_EXPORT',
    'SSL_CIPHER',
    'HTTPS_CIPHER',
    'SSL_PROTOCOL',
    'SSL_CIPHER_USEKEYSIZE',
    'HTTPS_SECRETKEYSIZE',
    'SSL_SECKEYSIZE',
    'SSL_TLS_SNI',
    'SSL_SECURE_RENEG',
    'SSL_CLIENT_VERIFY',
    # Attributes of the client certificate when TLS client authentication
    # (strong authentication) is in use.
    'SSL_CLIENT_V_START',
    'SSL_CLIENT_V_END',
    'SSL_CLIENT_I_DN',
    'SSL_CLIENT_IDN',
    'SSL_CLIENT_S_DN',
    'SSL_CLIENT_SDN',
    'SSL_CLIENT_M_SERIAL',
    'SSL_CLIENT_CERT_SERIAL',
    # Deliberately left out: Google Chrome does not keep it constant.
    #'HTTP_ACCEPT_ENCODING',
)

# Static HTTP response headers sent to the browser with every response.
# Insertion order is preserved on purpose.
http_headers = {
    # Never cache anything, neither in the browser nor in intermediaries.
    'Pragma': 'no-cache',
    'Cache-Control': 'no-store,no-cache,max-age=0,must-revalidate',
    'X-XSS-Protection': '1; mode=block',
    # no DNS prefetching
    'X-DNS-Prefetch-Control': 'off',
    # no MIME sniffing (originally aimed at MS IE)
    'X-Content-Type-Options': 'nosniff',
    # Frames are not used at all (see also draft-ietf-websec-x-frame-options)
    'X-Frame-Options': 'deny',
    'Frame-Options': 'DENY',
    # ... and break out of any frame the page is loaded into
    'Window-Target': '_top',
    # Never send a Referer (see https://www.w3.org/TR/referrer-policy/)
    'Referrer-Policy': 'no-referrer',
    # Cross-origin isolation, see https://scotthelme.co.uk/coop-and-coep/
    # COEP: Cross Origin Embedder Policy
    'Cross-Origin-Embedder-Policy': 'require-corp',
    # COOP: Cross Origin Opener Policy
    'Cross-Origin-Opener-Policy': 'same-origin',
    # CORP: Cross Origin Resource Policy
    'Cross-Origin-Resource-Policy': 'same-site',
    # Content Security Policy: deny everything except self-hosted fonts,
    # images (plus data: URIs), style sheets and form targets; no script
    # sources at all.  The directives are joined with '; ' and the policy
    # string ends with a ';'.
    'Content-Security-Policy': '; '.join([
        "base-uri 'none'",
        "child-src 'none'",
        "connect-src 'none'",
        "default-src 'none'",
        "font-src 'self'",
        "form-action 'self'",
        "frame-ancestors 'none'",
        "frame-src 'none'",
        "img-src 'self' data:",
        "media-src 'none'",
        "object-src 'none'",
        "script-src 'none'",
        "style-src 'self'",
        "require-trusted-types-for 'script'",
        # "report-uri https://logger.example.com/csp-error-handler",
    ]) + ';',
    # Feature-Policy (the older spelling of Permissions-Policy): switch
    # off every listed browser feature.
    'Feature-Policy': '; '.join([
        "ambient-light-sensor 'none'",
        "autoplay 'none'",
        "accelerometer 'none'",
        "camera 'none'",
        "display-capture 'none'",
        "document-domain 'none'",
        "encrypted-media 'none'",
        "fullscreen 'none'",
        "geolocation 'none'",
        "gyroscope 'none'",
        "magnetometer 'none'",
        "microphone 'none'",
        "midi 'none'",
        "payment 'none'",
        "picture-in-picture 'none'",
        "speaker 'none'",
        "sync-xhr 'none'",
        "usb 'none'",
        "wake-lock 'none'",
        "vr 'none'",
        "xr 'none'",
    ]),
    # Permissions-Policy: same intent in the structured-header syntax.
    # NOTE(review): the spec spells an empty allowlist as "()"; "(none)" is
    # presumably ignored as an unknown item and thus still denies, but
    # confirm against current browser behaviour before relying on it.
    'Permissions-Policy': ', '.join([
        "geolocation=(none)",
        "notifications=(none)",
        "push=(none)",
        "midi=(none)",
        "camera=(none)",
        "microphone=(none)",
        "speaker-selection=(none)",
        "ambient-light-sensor=(none)",
        "accelerometer=(none)",
        "gyroscope=(none)",
        "magnetometer=(none)",
        "clipboard-read=(none)",
        "clipboard-write=(none)",
        "display-capture=(none)",
    ]),
}
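# Legacy vendor spellings of the CSP header carry the very same policy so
# that older WebKit/Gecko builds get it too.
http_headers['X-Webkit-CSP'] = http_headers['Content-Security-Policy']
http_headers['X-Content-Security-Policy'] = http_headers['Content-Security-Policy']

# Number of chars used for the cookie value; 0 or None disables cookies.
cookie_length = 2 * 42

# Cookie lifetime in seconds.
cookie_max_age = 86400

# Cookie domain (DNS name) to send with Set-Cookie.
# None lets web2ldap send the hostname.
cookie_domain = None

# If non-zero: time-span in seconds after which a new session ID is
# generated.  Disadvantage: the browser's back button stops working once
# a new session ID has been generated.
session_paranoid = 0

# Unsuspicious target URLs the redirector accepts even without a session.
good_redirect_targets = {
    'https://web2ldap.de/',
    'https://www.web2ldap.de/',
}

# Address/net-mask strings of client addresses allowed to use certain URL
# commands, keyed by sub URL ('_' is the default for all sub URLs).
# Use ['0.0.0.0/0.0.0.0', '::0/0'] to allow access to every client, but
# think twice!  IPv6 network addresses are written without brackets.
# NOTE(review): 'fe00::0' carries no prefix length and is not the loopback
# address (fe80::/10 would be link-local); confirm how the ACL parser
# treats it before relying on the "local host-only" intent of these lists.
access_allowed = {
    # default for all sub URLs
    '_': [
        # public access
        #'0.0.0.0/0.0.0.0', '::0/0',
        # Private IPv4 addresses (see RFC 1918)
        #'10.0.0.0/255.0.0.0',
        #'172.16.0.0/12',
        #'192.168.0.0/16',
        # local host-only access
        '127.0.0.0/255.0.0.0',
        '::1',
        'fe00::0',
    ],
    # access to <base-URL>/monitor
    'monitor': [
        # local host-only access
        '127.0.0.0/255.0.0.0',
        '::1',
        'fe00::0',
    ],
    # access to <base-URL>/metrics
    'metrics': [
        # local host-only access
        '127.0.0.0/255.0.0.0',
        '::1',
        'fe00::0',
    ],
    # access to <base-URL>/locate
    'locate': [
        # public access
        #'0.0.0.0/0.0.0.0', '::0/0',
        # Private IPv4 addresses (see RFC 1918)
        #'10.0.0.0/255.0.0.0',
        #'172.16.0.0/12',
        #'192.168.0.0/16',
        # local host-only access
        '127.0.0.0/255.0.0.0',
        '::1',
        'fe00::0',
    ],
}

#---------------------------------------------------------------------------
# Import plugins in sub-config
#---------------------------------------------------------------------------

logger.debug('Importing web2ldapcnf.plugins')
import web2ldapcnf.plugins

#---------------------------------------------------------------------------
# Optionally import a local sub-config file
#---------------------------------------------------------------------------

logger.debug('Importing web2ldapcnf.local')
try:
    import web2ldapcnf.local
except ImportError as import_error:
    # Only the *absence* of web2ldapcnf.local is optional.  An ImportError
    # raised from inside an existing local config (e.g. a misspelled import
    # there) used to be swallowed as well, which silently dropped the
    # administrator's overrides - including any tightened security
    # settings - and started with the defaults instead.  Re-raise those so
    # a broken local config fails loudly at start-up.
    if import_error.name != 'web2ldapcnf.local':
        raise
    logger.info('Importing web2ldapcnf.local failed: %s', import_error)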