New Installation
This chapter explains how to perform a new installation of Portal Server.
-
Start the docker container. Replace
<url>
with the public URL intended for the server,<server name>
with the server name used in the license and specify the actual path to the license file in the volume mount.Windows cmd:
docker run ^ --name=simian-portal-server ^ --env=SIMIAN_PORTAL_EXTERNAL_URL=https://<url> ^ --env=SIMIAN_NGINX_SERVER_NAME=<server name> ^ -p 443:443 ^ -p 80:80 ^ -v C:/path/to/your-license-file.txt:/var/simian_portal/license.txt ^ -d docker-registry.simiansuite.com/simian-portal:latest
Linux bash:
docker run \ --name=simian-portal-server \ --env=SIMIAN_PORTAL_EXTERNAL_URL=https://<url> \ --env=SIMIAN_NGINX_SERVER_NAME=<server name> \ -p 443:443 \ -p 80:80 \ -v /absolute/path/to/your-license-file.txt:/var/simian_portal/license.txt \ -d docker-registry.simiansuite.com/simian-portal:latest
-
Verify that the server is running by opening a browser and navigating to
https://<url>
.- You will probably get a security warning because the HTTPS certificate cannot be validated. Accept the risk and continue.
- The login page should now be shown. Log in with username
admin
and passwordadmin
.
Configuration
The Simian Portal server can be configured using environment variables that can be specified as arguments of the docker run
command using the --env
flag.
See https://docs.docker.com for more information on specifying environment variables in Docker.
Nginx
The default Nginx configuration, runs a HTTPS webserver with a generated openssl certificate.
To provide your own certificate, mount it at /etc/nginx/ssl/simian_suite_portal.crt
(see Volume Mappings).
Name | Description | Default |
---|---|---|
SIMIAN_NGINX_SERVER_NAME | Nginx server name | localhost |
SIMIAN_NGINX_CLIENT_MAX_BODY_SIZE | Maximum request body size | 256m |
SIMIAN_NGINX_HTTP | Enable HTTP | 0 |
SIMIAN_NGINX_HTTP_PORT | Port for the HTTP service | 80 |
SIMIAN_NGINX_HTTP_TO_HTTPS | Redirect HTTP to HTTPS | 1 |
SIMIAN_NGINX_HTTPS | Enable HTTPS | 1 |
SIMIAN_NGINX_HTTPS_PORT | Port for the HTTPS service | 443 |
SIMIAN_NGINX_CONNECT_TIMEOUT | Time-out for connecting [s] | 5 |
SIMIAN_NGINX_SEND_TIMEOUT | Time-out for sending request [s] | 60 |
SIMIAN_NGINX_READ_TIMEOUT | Time-out for response [s] | 3600 |
SIMIAN_NGINX_CSP_HEADER | Content-Security-Policy header | default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; trusted-types angular dompurify 'allow-duplicates'; |
PHP
Name | Description | Default |
---|---|---|
SIMIAN_PHP_MEMORY_LIMIT | Maximum memory usage of the PHP process | 512M |
SIMIAN_PHP_POST_MAX_SIZE | Maximum request body size | 256M |
SIMIAN_PHP_TIMEZONE | PHP server time zone | Europe/Amsterdam |
SIMIAN_PHP_UPLOAD_MAX_FILESIZE | Maximum file upload size | 128M |
Generic
Name | Description | Default |
---|---|---|
SIMIAN_PORTAL_EXTERNAL_URL | External URL (add the port when not using defaults 80 or 443) | https://localhost |
SIMIAN_PORTAL_LOGO | Logo to show on the login page etc. 1 | simian-logo-icon.svg |
SIMIAN_PORTAL_FAVICON | Logo to show on the tabs 1 | simian-logo-icon-circle.svg |
SIMIAN_PORTAL_NAVBAR_LOGO | Logo to show in the portal navigation bar 1 | simian-logo-icon-light.svg |
SIMIAN_PORTAL_TITLE | Title to show in the portal navigation bar | Simian Portal |
SIMIAN_PORTAL_SUBTITLE | Subtitle to show in the portal navigation bar | <undefined> |
SIMIAN_ENABLE_CHECK | Makes the check.php page public | 0 |
SIMIAN_LICENSE_FILE | Name of license file mounted in /var/simian_portal/licenses | license.txt |
Logo files reside in /var/simian_portal/src/logo
, mount a volume at this location to provide custom logo files (see Volume Mappings).
Authentication Modes
The portal currently supports four authentication modes that can be selected by setting SIMIAN_PORTAL_AUTH_TYPE
. The four modes are:
anonymous
: Anonymous mode allows users to use the portal and applications without authentication. When a session expires it cannot be restored and data may be lost.managed
: Basic user management included in the portal. See Managed.ldap
: Authentication against Microsoft Active Directory. See LDAP.azure_ad
: Authentication against Azure Active Directory. See Azure AD.
Name | Description | Default |
---|---|---|
SIMIAN_PORTAL_AUTH_TYPE | The used authentication method | managed |
Anonymous
Anonymous mode allows access to every user without authentication. Set SIMIAN_PORTAL_AUTH_TYPE
to anonymous
to enable anonymous mode.
Note: Anonymous mode is for testing purposes only. It should not be used in production.
Name | Description | Default |
---|---|---|
SIMIAN_PORTAL_ANONYMOUS_ADMIN_PORTAL | Allow all users access to the admin portal | true |
Managed
The managed mode provides basic stand-alone user management in the admin portal. Users can be created, added to groups in the admin portal and can be invited via email.
Set SIMIAN_PORTAL_AUTH_TYPE
to managed
to enable managed mode.
To store the groups and users configurations in a permanent location (outside the docker container),
mount a folder at /var/simian_portal/config/users
(see Volume Mappings).
In order to send the invitation emails, PHPMailer must be configured using the settings SIMIAN_MAIL_*
,
or by providing a custom PHPMailer configuration file (see Advanced).
Users in the admin
group have access to the Admin Portal.
To aid initial configuration a user admin
with password admin
is available in the default configuration.
It is recommended to invite yourself as member of the admin group and after successful login remove the default admin
user.
Name | Description | Default |
---|---|---|
SIMIAN_MAIL_FROM_ADDRESS | The from address for sending the invite | <undefined> |
SIMIAN_MAIL_FROM_NAME | The from name for sending the invite | Simian Portal |
SIMIAN_MAIL_SMTP_HOST | SMTP server address | <undefined> |
SIMIAN_MAIL_SMTP_PORT | SMTP server port | 25 |
SIMIAN_RESET_ADMIN_PASSWORD | Makes reset_admin_password.php public | 0 |
Note:
reset_admin_password.php
allows all users to reset the admin password. Do not forget to disable after use.
LDAP
The Portal Server can be configured to authenticate against Microsoft Active Directory.
LDAP integration is enabled by setting the SIMIAN_PORTAL_AUTH_TYPE
to ldap
.
The connection with the LDAP server is set up using the standard PHP LDAP plugin and can be configured using the settings in the table below.
The default configuration has TLS enabled for secure communications.
Mount the Certificate Authority file in /var/simian_portal/config/certs/ca-cert.crt
such that the certificate of the LDAP server can be validated (see Volume Mappings).
In case a more advanced LDAP options are required, a custom config.php
is needed to provide them (see Advanced).
More information about configuring the PHP LDAP plugin can be found here https://www.php.net/manual/en/ldap.constants.php.
Name | Description | Default |
---|---|---|
SIMIAN_PORTAL_LDAP_AUTH_TIMEOUT | Authentication timeout | 1800 |
SIMIAN_PORTAL_LDAP_START_TLS | Start TLS connection | true |
SIMIAN_PORTAL_LDAP_LDAPS | Use the LDAPS protocol | false |
SIMIAN_PORTAL_LDAP_HOST | Hostname of the LDAP server | <undefined> |
SIMIAN_PORTAL_LDAP_PORT | Port of the LDAP server | 389 |
SIMIAN_PORTAL_LDAP_USER_DOMAIN | Your microsoft domain name. | <undefined> |
SIMIAN_PORTAL_LDAP_BASE_DN | Top level from where searches are being done in the LDAP server | <undefined> |
SIMIAN_PORTAL_LDAP_USERS_DN | Distinguished name where searches will be exected for user | <undefined> |
SIMIAN_PORTAL_LDAP_USER_NAME_ATTRIBUTE | User attribute containing the name used for authentication | sAMAccountName |
SIMIAN_PORTAL_LDAP_USER_PHOTO_ATTRIBUTE | Attribute containing the user photo | thumbnailphoto |
SIMIAN_PORTAL_LDAP_USER_DISPLAYNAME_ATTRIBUTE | Attribute containing the user display name | displayname |
SIMIAN_PORTAL_LDAP_GROUP_NAME_ATTRIBUTE | Attribute being searched for to identify user membership | sAMAccountName |
SIMIAN_PORTAL_LDAP_READONLY_USER | Read-only user 2 | <undefined> |
SIMIAN_PORTAL_LDAP_READONLY_PASSWORD | Read-only user password 2 | <undefined> |
SIMIAN_PORTAL_LDAP_PORTAL_PARENT_GROUPS | Direct subgroups are selectable in application configurations 3 | [] |
SIMIAN_PORTAL_LDAP_PORTAL_ADMIN_GROUPS | List of groups with admin portal access 3 | [] |
SIMIAN_PORTAL_LDAP_PORTAL_USER_GROUPS | List of groups with user portal access 3 | [] |
The LDAP integration only uses user credentials for authentication.
All other communication, e.g. for retrieval of user details and querying group membership,
happens with a read-only LDAP user with username SIMIAN_PORTAL_LDAP_READONLY_USER
and password SIMIAN_PORTAL_LDAP_READONLY_PASSWORD
.
The value must be a list of strings, e.g: ['admin', 'consulting']
. Leave unspecified to not restrict groups.
Azure AD
The Azure AD authorization mode allows users to authenticate using their Microsoft Azure AD account. When the user is already signed in, the authorization happens without user interaction. Otherwise, the user is redirected to the Microsoft login page.
Azure integration is enabled by setting the SIMIAN_PORTAL_AUTH_TYPE
to azure_ad
.
Name | Description | Default |
---|---|---|
SIMIAN_PORTAL_AZURE_AD_TENANT_ID | Azure Active Directory Tenant ID 4 | <undefined> |
SIMIAN_PORTAL_AZURE_AD_CLIENT_ID | Client application ID provided by Azure | <undefined> |
SIMIAN_PORTAL_AZURE_AD_CLIENT_SECRET | Client Secret provided by Azure 5 | <undefined> |
SIMIAN_PORTAL_AZURE_AD_CERT_THUMBPRINT | Thumbprint for certificate uploaded to Azure 6 | <undefined> |
SIMIAN_PORTAL_AZURE_AD_PORTAL_ADMIN_GROUPS | Direct subgroups are selectable in application configurations 7 | [] |
SIMIAN_PORTAL_AZURE_AD_PORTAL_PARENT_GROUPS | List of groups with user portal access 7 | [] |
With Multitenant apps you can use "common" as Tenant ID, but using specific endpoint is recommended when possible.
Remember that this expires someday unless you have set it not to do so. When using private key and certificate for authentication, the client secret must not be set.
The private key corresponding to the certificate must be volume mapped to /var/simian_portal/config/certs/portal.key
.
The value must be a list of strings, e.g: ['f2884a1c-62e8-425c-b32a-25881f375823', 'ea2d7058-a486-46c5-bc4b-7c7fc14db767']
.
Leave unspecified to not restrict groups.
Volume Mappings
Volume mappings can be used to (persistently) store files outside the Docker container. This has multiple advantages:
- Settings are available for back-up.
- Settings persist when upgrading the Simian Portal server to a newer version.
Volume mappings can be specified using the --volume
flag of the docker
command.
The -v
or --volume
option consists of three fields, separated by colon characters (:
).
The fields must be in the correct order, and the meaning of each field is not immediately obvious.
- In the case of named volumes, the first field is the name of the volume, and is unique on a given host machine. For anonymous volumes, the first field is omitted.
- The second field is the path where the file or directory are mounted in the container.
- The third field is optional, and is a comma-separated list of options, such as
ro
.
See https://docs.docker.com for more information on specifying volume mappings in Docker.
Recommended volume mappings are:
- Nginx logs:
$PORTAL_ROOT/logs/nginx:/var/log/nginx
- PHP logs:
$PORTAL_ROOT/logs/php:/var/simian_portal/log
: - Application configurations:
$PORTAL_ROOT/userconfig/persistent/config/configurations:/var/simian_portal/config/configurations
- Users and groups configurations (managed mode):
$PORTAL_ROOT/userconfig/persistent/config/users:/var/simian_portal/config/users
- Front-end versions:
$PORTAL_ROOT/userconfig/persistent/apps:/var/simian_portal/public/apps
- PHP sessions:
$PORTAL_ROOT/userconfig/persistent/userSessionsData:/var/simian_portal/userSessionsData
- License files:
$PORTAL_ROOT/licenses:/var/simian_portal/licenses
Volume mappings can also be used to provide certificates for SSL.
path/to/my/certs/certs.crt:/etc/nginx/ssl/simian_suite_portal.crt
path/to/my/certs/key.key:/etc/nginx/ssl/simian_suite_portal.key
path/to/my/certs/cacert.pem:/etc/ssl/certs/cacert.pem
Advanced
If the settings provided in this chapter are not sufficient, it is possible to provide custom configuration files. These files need to be mounted in the correct locations.
Name | Description | Default | Mount volume |
---|---|---|---|
SIMIAN_CUSTOM_NGINX_CONF | Use custom nginx.conf | 0 | /etc/nginx/nginx.conf |
SIMIAN_CUSTOM_PHP_INI | Use custom php.ini | 0 | /etc/php82/conf.d/custom.ini |
SIMIAN_CUSTOM_CONFIG_PHP | Use custom config.php | 0 | /var/simian_portal/config/config.php |
SIMIAN_CUSTOM_MAIL_CONFIG_PHP | Use custom mail_config.php | 0 | /var/simian_portal/config/mail_config.php |
SIMIAN_CUSTOM_CURLOPT_WHITELIST | Use custom curlopt_whitelist.json | 0 | /var/simian_portal/config/curlopt_whitelist.json |