Support only https connection

README.md

@@ -15,10 +15,9 @@ Another LDAP provides Authentication and Authorization for your applications run
 
 ## Features
 - Authentication and Authorization for applications.
-- Authorization via LDAP groups.
-- Supports regex in groups.
-- Supports `ldap` and `ldaps` servers.
-- Supports TLS via self-signed certificate.
+- Authorization via LDAP groups, supports regex in groups list.
+- Supports protocols `ldap://` and `ldaps://`.
+- Enabled by design TLS via self-signed certificate.
 - Supports configuration via headers or via environment variables.
 - HTTP response headers with username and matched groups for the backend.
 - Brute force protection.
@@ -130,15 +129,15 @@ spec:
 ```
 
 ## Available parameters
-All parameters are defined in the config-map and secret from the Kubernetes manifests.
+All parameters are defined in the config-map and secret manifests.
 
 All values type are `string`.
 
 The parameter `LDAP_SEARCH_FILTER` supports variable expansion with the username, you can do something like this `(sAMAccountName={username})` and `{username}` is going to be replaced by the username typed in the login form.
 
 The parameter `LDAP_BIND_DN` supports variable expansion with the username, you can do something like this `{username}@TESTMYLDAP.com` or `UID={username},OU=PEOPLE,DC=TESTMYLDAP,DC=COM` and `{username}` is going to be replaced by the username typed in the login form.
 
-The parameter `COOKIE_DOMAIN` define the scope of the cookie, for example if you need to authentication/authorizate the domain `testmyldap.com` you should set `.testmyldap.com` in this parameter.
+The parameter `COOKIE_DOMAIN` define the scope of the cookie, for example if you need to authentication/authorizate the domain `testmyldap.com` you should set the wildcard `.testmyldap.com` (notice the dot at the beginning).
 ## Supported HTTP request headers
 The variables send via HTTP headers take precedence over environment variables.
 - `Ldap-Allowed-Users`

files/main.py

@@ -33,7 +33,7 @@
 SESSION_COOKIE_NAME = 'another-ldap'
 SESSION_COOKIE_DOMAIN = param.get('COOKIE_DOMAIN', None)
 SESSION_COOKIE_HTTPONLY = True
-SESSION_COOKIE_SECURE = param.get('ENABLE_HTTPS', False, bool)
+SESSION_COOKIE_SECURE = True
 PERMANENT_SESSION_LIFETIME = timedelta(days=7)
 SESSION_COOKIE_SAMESITE = 'Lax'
 app.config.from_object(__name__)
@@ -169,6 +169,7 @@ def afterAll(response):
         session.clear() # Remove Session file and cookie
     response.headers['Server'] = '' # Remove Server header
     response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
     return response
 
 @app.errorhandler(HTTPException)
@@ -177,7 +178,4 @@ def handle_exception(e):
     return 'Not Found', 404
 
 if __name__ == '__main__':
-    if param.get('ENABLE_HTTPS', False, bool):
-        app.run(host='0.0.0.0', port=9000, ssl_context='adhoc', debug=False, use_reloader=False)
-    else:
-        app.run(host='0.0.0.0', port=9000, debug=False, use_reloader=False)
+    app.run(host='0.0.0.0', port=9000, ssl_context='adhoc', debug=False, use_reloader=False)

kubernetes/config-map.yaml

@@ -5,7 +5,6 @@ metadata:
   name: another-ldap
   namespace: another
 data:
-  ENABLE_HTTPS: "True"
   LDAP_ENDPOINT: "ldaps://testmyldap.com:636"
   LDAP_MANAGER_DN_USERNAME: "CN=john,OU=Administrators,DC=TESTMYLDAP,DC=COM"
   LDAP_BIND_DN: "{username}@TESTMYLDAP.com"