[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/fix-apache2-config] 4 commits: Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.
Daniel Teichmann (@dzatoah)
gitlab at salsa.debian.org
Fri Mar 13 16:33:06 GMT 2026
Daniel Teichmann pushed to branch mr/fix-apache2-config at Debian Edu / debian-edu-config
Commits:
e7f8fe8b by Daniel Teichmann at 2026-03-13T16:54:07+01:00
Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.
These are preconfigured empty proxy groups for the use in Debian Edu Router.
See Debian Edu Router Plugin: Content filter at https://salsa.debian.org/debian-edu/debian-edu-router/-/tree/master/docs.
- - - - -
1342f54b by Daniel Teichmann at 2026-03-13T16:54:10+01:00
ldap-bootstrap/debian-edu-router.ldif: Add 'server-hosts' nisNetgroup to 'proxy-trusted' nisNetgroup, via 'memberNisNetgroup' attribute.
- - - - -
ae91d71a by Daniel Teichmann at 2026-03-13T16:54:10+01:00
share/debian-edu-config/gosa.conf.template: Activate nisNetgroup tab for user accounts.
This makes it possible to add a user into a nisNetgroup while editing a user.
This is a fine addition to the already present 'NIS Netgroup' tab on the left.
- - - - -
2a7c191c by Daniel Teichmann at 2026-03-13T17:32:52+01:00
apache2 debian-edu-default.conf: Do not force HTTPS on *.crt (including Debian-Edu_rootCA.crt).
Closes: #1068388
- - - - -
5 changed files:
- Makefile
- etc/apache2/sites-available/debian-edu-default.conf
- + ldap-bootstrap/debian-edu-router.ldif
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/gosa.conf.template
Changes:
=====================================
Makefile
=====================================
@@ -195,6 +195,7 @@ LDIFS = \
ltsp.ldif \
gosa.ldif \
gosa-server.ldif \
+ debian-edu-router.ldif \
$(NULL)
LDAPPROGRAMS = \
=====================================
etc/apache2/sites-available/debian-edu-default.conf
=====================================
@@ -7,7 +7,9 @@
<Directory /etc/debian-edu/www/ >
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
+ # HTTP only: wpad.dat + Debian-Edu_rootCA.crt
RewriteCond %{REQUEST_URI} !\.dat$
+ RewriteCond %{REQUEST_URI} !\.crt$
RewriteRule ^(.*)$ https://%{SERVER_ADDRESS}/$1 [R=301,L]
Options Indexes FollowSymLinks MultiViews
AllowOverride None
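Review bot: The added `RewriteCond %{REQUEST_URI} !\.crt$` exempts every URI ending in .crt under /etc/debian-edu/www/ from the redirect, not only Debian-Edu_rootCA.crt as the commit subject and the new comment suggest. If the root CA is the only certificate that has to be reachable before clients trust the server's TLS chain, anchor the pattern to that file name, for example `!/Debian-Edu_rootCA\.crt$`. The comment wording "HTTP only" is also inaccurate: the conditions only skip the 301 on port 80, and the files remain reachable over HTTPS, so "not redirected to HTTPS" would describe it better. Because a CA certificate fetched over plain HTTP has no integrity protection, please also document how clients are expected to verify it after download (a published fingerprint, for instance).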
=====================================
ldap-bootstrap/debian-edu-router.ldif
=====================================
@@ -0,0 +1,37 @@
+dn: cn=proxy-trusted,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-trusted
+description: Completely unfiltered internet access (+ bypasses NAT/T-P-M) - ProxyTrusted{User,Client} - Debian Edu Router Plugin: Content filter
+# This should enable direct unNAT'ted (bypasses transparent-proxy-mode) internet access to all internal servers in the Debian Edu network.
+memberNisNetgroup: server-hosts
+
+dn: cn=proxy-allow,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-allow
+description: Generally unfiltered internet access - ProxyAllow{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-deny,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-deny
+description: Disables internet access completely - ProxyDeny{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-blacklist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-blacklist
+description: Allows all but specific blacklisted websites - ProxyBlacklist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-whitelist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-whitelist
+description: Allows nothing but specific whitelisted websites - ProxyWhitelist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-noauth-client,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-noauth-client
+description: Fully disable auth. for these clients (BYOD Clients) - ProxyNoauthClient - Debian Edu Router Plugin: Content filter
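Review bot: `memberNisNetgroup: server-hosts` in the proxy-trusted entry makes that group non-empty out of the box, although the first commit announces "preconfigured empty proxy groups". By the entry's own description this gives every host in server-hosts completely unfiltered, un-NATed internet access by default, which is the widest grant in the file; please state the reason in the commit message or leave the membership for the administrator to add. This file does not define server-hosts, so it relies on another LDIF providing it; a short comment naming that file would help. The `#` comment currently sits between `description:` and `memberNisNetgroup:` inside the entry; placing it above the `dn:` line keeps the entry contiguous and easier to read.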
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -282,7 +282,8 @@ EOF
/etc/ldap/gosa-server.ldif \
/etc/ldap/ltsp.ldif \
/etc/ldap/firstuser.ldif \
- /etc/ldap/krb5.ldif
+ /etc/ldap/krb5.ldif \
+ /etc/ldap/debian-edu-router.ldif
do
if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
-e "s/\$MAC/$MAC/" \
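Review bot: Appending `/etc/ldap/debian-edu-router.ldif` to this bootstrap list only covers fresh installs, as the commit subject says ("all new Tjeners"), so existing main servers never get the proxy-* netgroups. If the content filter plugin expects these groups to exist, please document the manual step for upgraded servers or add a migration path. Loading the file last is the right position, since its proxy-trusted entry refers to the server-hosts netgroup, which has to come from one of the earlier files.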
=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -117,6 +117,7 @@
<tab class="gofaxAccount" name="Fax" />
<tab class="phoneAccount" name="Phone" />
<tab class="nagiosAccount" name="Nagios" />
+ <tab class="netgroupAccount" name="NIS Netgroup" />
</usertabs>
<!-- User dialog -->
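Review bot: Enabling `<tab class="netgroupAccount" name="NIS Netgroup" />` in usertabs means anyone who may edit a user account can now place that user in any nisNetgroup, and this same push adds groups such as proxy-trusted and proxy-allow whose membership lifts content filtering. Please confirm which GOsa roles get access to this tab and mention it in the commit message, so that delegated user administrators do not gain the ability to grant unfiltered internet access unintentionally.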
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/64310e289e1793bb3450cda5e2626ffc5946c315...2a7c191cd407db60e0ce8bff977fdadd6f15a6a1