forked from liggitt/auth-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
proxy.conf
191 lines (142 loc) · 5.1 KB
/
proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
ServerName proxy.example.com
SSLProxyEngine On
# TODO: allow setting a proxy client cert
# SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem
# TODO: allow setting a CA and enabling backend cert validation
# SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
# In order to use the basic-auth proxy, an X-Csrf-Token must be present
# Fail anything matching /mod_auth_basic that doesn't have that header
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/mod_auth_basic/?
RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
RewriteRule ^.* - [F,L]
<Location />
# Add mod_auth_mellon info to all contexts
MellonEnable "info"
# Auth redirects will be located under /mellon
MellonEndpointPath /mellon
# service provider metadata, cert, and key
MellonSPPrivateKeyFile /etc/httpd/conf.d/saml_sp.key
MellonSPCertFile /etc/httpd/conf.d/saml_sp.cert
MellonSPMetadataFile /etc/httpd/conf.d/saml_sp.xml
# idp metadata
MellonIdPMetadataFile /etc/httpd/conf.d/saml_idp.xml
</Location>
<Location /mod_auth_mellon/>
# Protect with auth
MellonEnable "auth"
# Proxy to backend once authenticated
ProxyPass https://backend.example.com/
# Set the Remote-User header to the value of the authenticated username
RequestHeader set Remote-User %{MELLON_NAME_ID}e env=MELLON_NAME_ID
# Alternately, we can use an attribute other than the NameID attribute as the remote user.
# Here's an example using a user principal name (UPN) from a
# http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn attribute
#
# Require a value in the attribute we're going to use:
# MellonCond http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn .+ [REG]
#
# Map the long attribute name to a nice short one
# MellonSetEnv upn http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
#
# Set the Remote-User header to the value of the mapped envvar:
# RequestHeader set Remote-User %{MELLON_upn}e env=MELLON_upn
</Location>
# Kerberos auth-protected
<Location /mod_auth_gssapi/>
ProxyPass https://backend.example.com/
AuthType GSSAPI
AuthName "GSSAPI Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
GssapiCredStore keytab:/etc/httpd.keytab
</Location>
# Kerberos auth-protected with basic fallback
<Location /mod_auth_gssapi_basic/>
ProxyPass https://backend.example.com/
AuthType GSSAPI
AuthName "GSSAPI Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
GssapiCredStore keytab:/etc/httpd.keytab
GssapiBasicAuth on
</Location>
# Kerberos auth-protected
<Location /mod_auth_kerb/>
ProxyPass https://backend.example.com/
AuthType Kerberos
AuthName "Kerberos Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms MYDOMAIN.COM
KrbVerifyKDC on
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
</Location>
# Kerberos auth-protected with basic fallback
<Location /mod_auth_kerb_basic/>
ProxyPass https://backend.example.com/
AuthType Kerberos
AuthName "Kerberos Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms MYDOMAIN.COM
KrbVerifyKDC on
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
</Location>
# Basic auth-protected
<Location /mod_auth_basic/>
ProxyPass https://backend.example.com/
AuthType Basic
AuthName "Basic Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
AuthBasicProvider PAM
AuthPamService httpd-pam
</Location>
# Form auth-protected
<Location /mod_auth_form/>
ProxyPass https://backend.example.com/
AuthType form
AuthName "Form Login"
Require valid-user
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
AuthFormProvider file
AuthUserFile /etc/httpd.htpasswd
ErrorDocument 401 /login.html
</Location>
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /mod_intercept_form_submit/>
ProxyPass https://backend.example.com/
# Defined in /etc/pam.d/httpd-pam
InterceptFormPAMService httpd-pam
# Use the httpd_username/httpd_password fields from the login POST
InterceptFormLogin httpd_username
InterceptFormPassword httpd_password
# Automatically append the correct realm
InterceptFormLoginRealms EXAMPLE.COM
# Show the login page for GET requests
RewriteCond %{REQUEST_METHOD} GET
RewriteRule ^.*$ /login.html [L]
# Set the request header from the envvar if it exists
RequestHeader set Remote-User %{REMOTE_USER}s env=REMOTE_USER
</Location>
RequestHeader unset Remote-User
RequestHeader unset X-Remote-User