-
Notifications
You must be signed in to change notification settings - Fork 29
/
proxy.conf
236 lines (184 loc) · 7.18 KB
/
proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
ServerName proxy.example.com
SSLProxyEngine On
# TODO: allow setting a proxy client cert
# SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem
# TODO: allow setting a CA and enabling backend cert validation
# SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
# In order to use the basic-auth proxy, an X-Csrf-Token must be present
# Fail anything matching /mod_auth_basic that doesn't have that header
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/mod_auth_basic/?
RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
RewriteRule ^.* - [F,L]
<Location />
# Add mod_auth_mellon info to all contexts
MellonEnable "info"
# Auth redirects will be located under /mellon
MellonEndpointPath /mellon
# service provider metadata, cert, and key
MellonSPPrivateKeyFile /etc/httpd/conf.d/saml_sp.key
MellonSPCertFile /etc/httpd/conf.d/saml_sp.cert
MellonSPMetadataFile /etc/httpd/conf.d/saml_sp.xml
# idp metadata
MellonIdPMetadataFile /etc/httpd/conf.d/saml_idp.xml
</Location>
<Location /mod_auth_mellon/>
# Protect with auth
MellonEnable "auth"
# Proxy to backend once authenticated
ProxyPass https://backend.example.com/
<If "-z env('REMOTE_USER_SAML_ATTRIBUTE')">
# Set the Remote-User header to the value of the authenticated username
RequestHeader set Remote-User %{MELLON_NAME_ID}e env=MELLON_NAME_ID
</If>
<Else>
# Use a custom attribute as the remote username by setting $REMOTE_USER_SAML_ATTRIBUTE to a custom attribute name
# Require a value in the attribute we're going to use:
MellonCond ${REMOTE_USER_SAML_ATTRIBUTE} .+ [REG]
# Map the long attribute name to a nice short one
MellonSetEnv user ${REMOTE_USER_SAML_ATTRIBUTE}
# Set the Remote-User header to the value of the mapped envvar:
RequestHeader set Remote-User %{MELLON_user}e env=MELLON_user
</Else>
<If "-n env('REMOTE_USER_NAME_SAML_ATTRIBUTE')">
MellonSetEnv name ${REMOTE_USER_NAME_SAML_ATTRIBUTE}
RequestHeader set Remote-User-Name %{MELLON_name}e env=MELLON_name
</If>
<If "-n env('REMOTE_USER_EMAIL_SAML_ATTRIBUTE')">
MellonSetEnv email ${REMOTE_USER_EMAIL_SAML_ATTRIBUTE}
RequestHeader set Remote-User-Email %{MELLON_email}e env=MELLON_email
</If>
<If "-n env('REMOTE_USER_PREFERRED_USERNAME_SAML_ATTRIBUTE')">
MellonSetEnv preferred_username ${REMOTE_USER_PREFERRED_USERNAME_SAML_ATTRIBUTE}
RequestHeader set Remote-User-Preferred-Username %{MELLON_preferred_username}e env=MELLON_preferred_username
</If>
</Location>
# Kerberos auth-protected
<Location /mod_auth_gssapi/>
ProxyPass https://backend.example.com/
AuthType GSSAPI
AuthName "GSSAPI Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
GssapiCredStore keytab:/etc/httpd.keytab
</Location>
# Kerberos auth-protected with basic fallback
<Location /mod_auth_gssapi_basic/>
ProxyPass https://backend.example.com/
AuthType GSSAPI
AuthName "GSSAPI Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
GssapiCredStore keytab:/etc/httpd.keytab
GssapiBasicAuth on
</Location>
# Kerberos auth-protected
<Location /mod_auth_kerb/>
ProxyPass https://backend.example.com/
AuthType Kerberos
AuthName "Kerberos Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms AUTH.EXAMPLE.COM
KrbVerifyKDC on
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
</Location>
# Kerberos auth-protected with basic fallback
<Location /mod_auth_kerb_basic/>
ProxyPass https://backend.example.com/
AuthType Kerberos
AuthName "Kerberos Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms AUTH.EXAMPLE.COM
KrbVerifyKDC on
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
</Location>
# Basic auth-protected
<Location /mod_auth_basic/>
ProxyPass https://backend.example.com/
AuthType Basic
AuthName "Basic Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
AuthBasicProvider PAM
AuthPamService httpd-pam
</Location>
# Form auth-protected
<Location /mod_auth_form/>
ProxyPass https://backend.example.com/
AuthType form
AuthName "Form Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
AuthFormProvider file
AuthUserFile /etc/httpd.htpasswd
ErrorDocument 401 /login.html
</Location>
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule session_crypto_module modules/mod_session_crypto.so
# Enable sessions
Session On
SessionMaxAge 300
# Specify a passphrase to encrypt the session with
SessionCryptoPassphrase replace-me-with-a-unique-secret
# Enable cookie sessions
SessionCookieName httpd_session path=/;httponly;secure;
# Prevent cookies from reaching the backend
SessionCookieRemove On
<Location /logout>
# Allow the backend to adjust the session by setting headers
SessionHeader HTTPDSession
</Location>
<Location /login>
# Allow the backend to adjust the session by setting headers
SessionHeader HTTPDSession
# Defined in /etc/pam.d/httpd-pam
InterceptFormPAMService httpd-pam
# Use the httpd_username/httpd_password fields from the login POST
InterceptFormLogin httpd_username
InterceptFormPassword httpd_password
# Automatically append the correct realm
InterceptFormLoginRealms AUTH.EXAMPLE.COM
</Location>
<Location /mod_intercept_form_submit/>
# Surface the session as an apache envvar
SessionEnv On
# extract the encoded username (via a URL-based lookahead, since HTTP_SESSION is populated later in the request handling)
RewriteCond %{LA-U:ENV:HTTP_SESSION} ^(.*&)?httpd_user=([^&]+)(&.*)?$
# and store it an an envvar
RewriteRule .* - [E=ENCODED_SESSION_USER:%2]
# if we don't have a session user
RewriteCond %{ENV:ENCODED_SESSION_USER} ^$
# capture the raw request URL path and query
RewriteCond %{THE_REQUEST} ^[^\s]+\ ([^\s]+)
# and redirect to the login path with a back link to our current URL
# NE = don't double-encode
# B = encode the backreference
# R = redirect with 302 code
# L = stop processing
RewriteRule .* /login/?then=%1 [NE,B,R=302,L]
# Set the session user into a request header and proxy
RequestHeader set Remote-User "expr=%{unescape:%{env:ENCODED_SESSION_USER}}" env=ENCODED_SESSION_USER
ProxyPass https://backend.example.com/
</Location>
RequestHeader unset Remote-User
RequestHeader unset X-Remote-User