~fkooman/vpn-documentation

fefa8a67d1bb4afa2d24cda3dea66e940a5f9a95 — François Kooman 2 months ago fd46c66
remove EXPIRY_AT_NIGHT
1 files changed, 0 insertions(+), 94 deletions(-)

D EXPIRE_AT_NIGHT.md
D EXPIRE_AT_NIGHT.md => EXPIRE_AT_NIGHT.md +0 -94
@@ 1,94 0,0 @@
# Expire At Night

**NOTE**: there is currently a bug in "expiry at night"! Do **NOT** use!

**NOTE**: only enable this on NEW installations, and NEVER on existing ones!

Starting from vpn-user-portal >= 2.3.10 it is possible to expire VPN sessions 
at night instead of exactly after the duration specified in `sessionExpiry`. 
The goal is to prevent that the user will be disconnected from the VPN during
working hours.

By VPN session expiry we mean the moment at which the VPN session won't work 
anymore without the user authenticating/authorizing again. The default after 
which a session expires is 90 days (`P90D`), but this can be modified by the 
administrator.

The `sessionExpiry` becomes the _upper bound_ of when the session will expire. 
The new expiry is rolled back in time until the previous 04:00 is reached. This 
could be the same day, or the previous day if the time is currently between 
00:00 and 04:00. The timezone to which the server is set is used to determine
"when" 04:00 is. In the future we may allow the client to specify the local 
timezone and use that in the calcuation of when 04:00 is, locally for the user.

For example if it is currently Monday 10:00 and the `sessionExpiry` is set to 
`P7D`, i.e. 7 days, the session will expire at 04:00 on the Monday after and 
not at 10:00 as it might interfere with the VPN use during working hours.

**NOTE**: nightly expiry ONLY works when the `sessionExpiry` is `P1D` (1 day) 
or longer! 

**NOTE**: the new expiry will only work form the next time the user 
authenticates to the portal (or authorizes the app), not for current VPN 
sessions!

## Server Configuration

Please set your server's timezone to the timezone where (most of) your users 
are located. That way, the nightly expiry makes the most sense.

To check the timezone your server is set to:

```
$ timedatectl 
               Local time: Mi 2021-04-14 21:27:24 CEST
           Universal time: Mi 2021-04-14 19:27:24 UTC
                 RTC time: Mi 2021-04-14 19:27:23
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no
```

In the example above it is set to the `Europe/Berlin` timezone. It could be 
your local time zone, or `UTC` which is also fine.

Verify what PHP thinks of this:

```
$ php -r 'echo ini_get("date.timezone");'
$ php -r 'echo date_default_timezone_get();'
Europe/Berlin
```

All good! 

### CentOS / Fedora

The system timezone is _not_ picked up by PHP on Fedora/CentOS, you need to 
manually set it. The default is UTC otherwise, independent of what your 
system's timezone is. On CentOS it is even slightly worse, if you don't set 
the `date.timezone` field PHP will complain (because PHP is so old on CentOS). 
That's why the `deploy_centos.sh` script configures `UTC` for you by default in 
the file `/etc/php.d/70-timezone.ini`. You can modify this and set it to your 
local timezone. Use [these](https://www.php.net/manual/en/timezones.php) values.

On Fedora you can directly edit `/etc/php.ini` and set the `date.timezone` 
field there.

Don't forget to restart php-fpm after making changes:

```
$ sudo systemctl restart php-fpm
```

## Portal Configuration

In the portal you can enable the expiry at night by setting the 
`sessionExpireAtNight` option in `/etc/vpn-user-portal/config.php`, e.g.:

```
'sessionExpireAtNight' => true,
```

The default is `false`.
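Review bot: Administrators who already set `'sessionExpireAtNight' => true` (the "Portal Configuration" section at the end of the removed file) lose the only visible warning that the feature has a bug and must not be used, because the two **NOTE** lines at the top of the file are deleted along with everything else. Neither the commit message nor the visible lines say whether the option is also being removed from vpn-user-portal or only from the documentation. Consider leaving a short stub or a changelog entry that states the option is withdrawn, tells operators to set it back to the default `false`, and confirms that sessions then expire exactly after `sessionExpiry`. The "Server Configuration" section on `date.timezone` for CentOS / Fedora is general PHP guidance and may be worth moving to another page if anything else in the documentation relies on the server timezone. Minor: the commit subject says `EXPIRY_AT_NIGHT` while the file is `EXPIRE_AT_NIGHT.md`, which makes the change harder to find by searching the log.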