-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
first commit of mod_auth_openidc image details
- Loading branch information
Showing
4 changed files
with
471 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| # COmanage Registry Apache HTTP Server configuration | ||
| # | ||
| # Portions licensed to the University Corporation for Advanced Internet | ||
| # Development, Inc. ("UCAID") under one or more contributor license agreements. | ||
| # See the NOTICE file distributed with this work for additional information | ||
| # regarding copyright ownership. | ||
| # | ||
| # UCAID licenses this file to you under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with the | ||
| # License. You may obtain a copy of the License at: | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| <VirtualHost *:80> | ||
| RewriteEngine On | ||
| RewriteCond %{HTTPS} off | ||
| RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] | ||
| </VirtualHost> | ||
|
|
||
| <VirtualHost *:443> | ||
|
|
||
| DocumentRoot /var/www/html | ||
|
|
||
| RedirectMatch ^/$ /registry/ | ||
|
|
||
| ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
|
|
||
| LogLevel warn | ||
|
|
||
| Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" | ||
|
|
||
| SSLEngine on | ||
| SSLProtocol all -SSLv2 -SSLv3 | ||
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | ||
| SSLHonorCipherOrder on | ||
|
|
||
| SSLCertificateFile /etc/apache2/cert.pem | ||
| SSLCertificateKeyFile /etc/apache2/privkey.pem | ||
| SSLCertificateChainFile /etc/apache2/chain.pem | ||
|
|
||
| IncludeOptional /etc/apache2/conf-enabled/mod-auth-openidc.conf | ||
|
|
||
| <Directory /var/www/html/registry> | ||
| Options Indexes FollowSymLinks | ||
| DirectoryIndex index.php | ||
| AllowOverride All | ||
| AuthType openid-connect | ||
| OIDCUnAuthAction pass | ||
| Require valid-user | ||
| </Directory> | ||
|
|
||
| <Directory /var/www/html/registry/auth/login> | ||
| AuthType openid-connect | ||
| OIDCUnAuthAction auth | ||
| Require valid-user | ||
| </Directory> | ||
|
|
||
| </VirtualHost> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| # COmanage Registry Dockerfile template | ||
| # | ||
| # Portions licensed to the University Corporation for Advanced Internet | ||
| # Development, Inc. ("UCAID") under one or more contributor license agreements. | ||
| # See the NOTICE file distributed with this work for additional information | ||
| # regarding copyright ownership. | ||
| # | ||
| # UCAID licenses this file to you under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with the | ||
| # License. You may obtain a copy of the License at: | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| FROM php:7.0-apache | ||
|
|
||
| ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%% | ||
| ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz | ||
|
|
||
| LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION | ||
| LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL | ||
|
|
||
| ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry | ||
|
|
||
| RUN apt-get update && apt-get install -y \ | ||
| libldap-2.4-2 \ | ||
| libldap2-dev \ | ||
| libmysqlclient18 \ | ||
| libmysqlclient-dev \ | ||
| libpq-dev \ | ||
| libxml2 \ | ||
| libxslt1-dev \ | ||
| libxslt1.1 \ | ||
| ssl-cert \ | ||
| wget \ | ||
| zlib1g \ | ||
| && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \ | ||
| && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ | ||
| && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \ | ||
| && docker-php-ext-install xsl pdo pdo_mysql pdo_pgsql mysqli pgsql ldap \ | ||
| && docker-php-source delete \ | ||
| && apt-get purge -y \ | ||
| libldap2-dev \ | ||
| libmysqlclient-dev \ | ||
| libpq-dev \ | ||
| && apt-get clean | ||
|
|
||
| ENV MOD_AUTH_OPENIDC_SRC_URL https://github.com/pingidentity/mod_auth_openidc/archive/v2.1.6.tar.gz | ||
| ENV MOD_AUTH_OPENIDC_SRC /opt/OIDC_SRC | ||
|
|
||
| RUN awk '$1 ~ "^deb" { $3 = $3 "-backports"; print; exit }' /etc/apt/sources.list > /etc/apt/sources.list.d/backports.list \ | ||
| && apt-get update \ | ||
| && apt-get install -y --no-install-recommends \ | ||
| apache2-dev \ | ||
| libcjose0 \ | ||
| libcjose-dev \ | ||
| libssl-dev \ | ||
| libcurl4-openssl-dev \ | ||
| libjansson-dev \ | ||
| libpcre3-dev \ | ||
| pkg-config \ | ||
| automake \ | ||
| && mkdir -p "$MOD_AUTH_OPENIDC_SRC" \ | ||
| && wget -O mod_auth_openidc.tar.gz "$MOD_AUTH_OPENIDC_SRC_URL" \ | ||
| && tar -zxf mod_auth_openidc.tar.gz -C "$MOD_AUTH_OPENIDC_SRC" --strip-components=1 \ | ||
| && cd "$MOD_AUTH_OPENIDC_SRC" \ | ||
| && ./autogen.sh \ | ||
| && ./configure --with-apxs2=`which apxs2` \ | ||
| && make \ | ||
| && make install \ | ||
| && rm -f mod_auth_openidc.tar.gz \ | ||
| && cd \ | ||
| && rm -rf "$MOD_AUTH_OPENIDC_SRC" \ | ||
| && echo "LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so" > /etc/apache2/mods-available/auth_openidc.load \ | ||
| && a2enmod auth_openidc \ | ||
| && apt-get purge -y \ | ||
| apache2-dev \ | ||
| libcjose-dev \ | ||
| libssl-dev \ | ||
| libcurl4-openssl-dev \ | ||
| libjansson-dev \ | ||
| libpcre3-dev \ | ||
| pkg-config \ | ||
| automake \ | ||
| && apt-get clean | ||
|
|
||
| WORKDIR "$COMANAGE_REGISTRY_DIR" | ||
|
|
||
| COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf | ||
|
|
||
| RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ | ||
| && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \ | ||
| && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \ | ||
| && rm -f comanage.tar.gz \ | ||
| && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \ | ||
| && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \ | ||
| && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \ | ||
| && cd /var/www/html \ | ||
| && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \ | ||
| && cd "$COMANAGE_REGISTRY_DIR" \ | ||
| && rm -rf local \ | ||
| && mkdir -p /local \ | ||
| && ln -s /local local \ | ||
| && a2enmod headers \ | ||
| && a2enmod ssl \ | ||
| && a2enmod rewrite \ | ||
| && a2dissite 000-default.conf \ | ||
| && a2ensite 000-comanage.conf \ | ||
| && a2disconf other-vhosts-access-log \ | ||
| && cd /etc/apache2 \ | ||
| && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ | ||
| && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ | ||
| && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \ | ||
| && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" | ||
|
|
||
| COPY docker-comanage-entrypoint /usr/local/bin/ | ||
|
|
||
| # expose COmanage Registry local directory | ||
| VOLUME ["/local"] | ||
|
|
||
| WORKDIR /var/www/html | ||
|
|
||
| EXPOSE 80 443 | ||
|
|
||
| # Default values for first administrator bootstrapped | ||
| # into the platform, most likely overridden at build time | ||
| # using build arguments. | ||
| ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME | ||
| ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME | ||
| ARG COMANAGE_REGISTRY_ADMIN_USERNAME | ||
| ARG COMANAGE_REGISTRY_ENABLE_POOLING | ||
|
|
||
| ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry} | ||
| ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin} | ||
| ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} | ||
| ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} | ||
|
|
||
| ENTRYPOINT ["docker-comanage-entrypoint"] | ||
|
|
||
| CMD ["apache2-foreground"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,175 @@ | ||
| <!-- | ||
| COmanage Registry Docker documentation | ||
| Portions licensed to the University Corporation for Advanced Internet | ||
| Development, Inc. ("UCAID") under one or more contributor license agreements. | ||
| See the NOTICE file distributed with this work for additional information | ||
| regarding copyright ownership. | ||
| UCAID licenses this file to you under the Apache License, Version 2.0 | ||
| (the "License"); you may not use this file except in compliance with the | ||
| License. You may obtain a copy of the License at: | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| --> | ||
|
|
||
| # COmanage Registry mod\_auth\_openidc | ||
|
|
||
| Intended to build a COmanage Registry image | ||
| using the official PHP 7 with Apache image as the foundation | ||
| and providing mod\_auth\_openidc for Apache HTTP Server | ||
| as the authentication mechanism. | ||
|
|
||
| ## Build | ||
|
|
||
| ``` | ||
| export COMANAGE_REGISTRY_VERSION=develop | ||
| sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile | ||
| docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc . | ||
| ``` | ||
|
|
||
| You can (and should) use build arguments to bootstrap the first | ||
| platform administrator. The administrator username is the value | ||
| COmanage Registry expects to read from $REMOTE\_USER after | ||
| the administrator authenticates using whichever authentication | ||
| method is provided: | ||
|
|
||
| ``` | ||
| export COMANAGE_REGISTRY_VERSION=develop | ||
| export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel | ||
| export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak | ||
| export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org | ||
| sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile | ||
| docker build \ | ||
| --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \ | ||
| --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \ | ||
| --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \ | ||
| -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc . | ||
| ``` | ||
| ## Run | ||
|
|
||
| ### Database | ||
|
|
||
| COmanage Registry requires a relational database. See the | ||
| [PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md). | ||
|
|
||
| ### Network | ||
|
|
||
| Create a user-defined network bridge with | ||
|
|
||
| ``` | ||
| docker network create --driver=bridge \ | ||
| --subnet=192.168.0.0/16 \ | ||
| --gateway=192.168.0.100 \ | ||
| comanage-registry-internal-network | ||
| ``` | ||
|
|
||
| ### COmanage Registry Configuration | ||
|
|
||
| Create a directory to hold persistent COmanage Registry configuration and | ||
| other state such as local plugins and other customizations. In that directory | ||
| create a `Config` directory and in it place a `database.php` and `email.php` | ||
| configuration file: | ||
|
|
||
| ``` | ||
| mkdir -p /opt/comanage-registry/Config | ||
| cat >> /opt/comanage-registry/Config/database.php <<"EOF" | ||
| <?php | ||
| class DATABASE_CONFIG { | ||
| public $default = array( | ||
| 'datasource' => 'Database/Postgres', | ||
| 'persistent' => false, | ||
| 'host' => 'comanage-registry-database', | ||
| 'login' => 'registry_user', | ||
| 'password' => 'password', | ||
| 'database' => 'registry', | ||
| 'prefix' => 'cm_', | ||
| ); | ||
| } | ||
| EOF | ||
| cat >> /opt/comanage-registry/Config/database.php <<"EOF" | ||
| <?php | ||
| class EmailConfig { | ||
| public $default = array( | ||
| 'transport' => 'Smtp', | ||
| 'host' => 'tls://smtp.gmail.com', | ||
| 'port' => 465, | ||
| 'username' => 'account@gmail.com', | ||
| 'password' => 'password' | ||
| ); | ||
| } | ||
| EOF | ||
| ``` | ||
|
|
||
| ### mod\_auth\_openidc Configuration | ||
|
|
||
| Mount or COPY mod\_auth\_openidc configuration into the file | ||
| `/etc/apache2/conf-enabled/mod-auth-openidc.conf`. The configuration | ||
| will usually include | ||
|
|
||
| ``` | ||
| OIDCProviderMetadataURL | ||
| OIDCRemoteUserClaim | ||
| OIDCClientID | ||
| OIDCClientSecret | ||
| OIDCScope | ||
| OIDCCryptoPassphrase | ||
| OIDCRedirectURI | ||
| ``` | ||
|
|
||
| It should also include a `<Location>` directive to identify the | ||
| `OIDCRedirectURI`. | ||
|
|
||
| ``` | ||
| <Location /secure/redirect> | ||
| AuthType openid-connect | ||
| Require valid-user | ||
| </Location> | ||
| ``` | ||
|
|
||
| You may also want to enable logout. For example | ||
|
|
||
| ``` | ||
| Redirect /registry/users/logout https://<myserver>/secure/redirect?logout=https%3A%2F%2F<myserver>%2Fregistry%2F | ||
| ``` | ||
|
|
||
| ### Container | ||
|
|
||
| ``` | ||
| docker run -d --name comanage-registry \ | ||
| -v /opt/comanage-registry:/local \ | ||
| --network comanage-registry-internal-network \ | ||
| -p 80:80 -p 443:443 \ | ||
| comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc | ||
| ``` | ||
|
|
||
| ### Logging | ||
|
|
||
| Both Apache HTTP Server and COmanage Registry log to the stdout and | ||
| stderr of the container. | ||
|
|
||
| ### HTTPS Configuration | ||
|
|
||
| Mount or COPY in an X.509 certificate file, associated private key file, | ||
| and certificate signing chain file. | ||
|
|
||
| ``` | ||
| COPY cert.pem /etc/apache2/cert.pem | ||
| COPY privkey.pem /etc/apache2/privkey.pem | ||
| COPY chain.pem /etc/apache2/chain.pem | ||
| ``` |
Oops, something went wrong.