1. Configure Apache Authentication¶
1.1. Compile Authentication Module¶
Open OnDemand uses Apache HTTP Server 2.4 provided by Software Collections.
This means that any Apache authentication module (mod_auth_*
) used will
need to be compiled against the apxs
and apr
tools that reside under:
/opt/rh/httpd24/root/usr/bin
and not the versions that come with the default system version of Apache HTTP Server.
1.2. Configure Authentication Module¶
Any Apache authentication module specific configuration directives (e.g.,
OIDCCLientID
, CASLoginURL
, …) should reside outside of the
/opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
configuration
file. The Apache configuration files are loaded in lexical order, so placing
these module specific configuration directives in the file:
/opt/rh/httpd24/root/etc/httpd/conf.d/auth-config.conf
will cause your authentication configuration directives to be loaded before
/opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
. If there are any
secrets inside this file you can ensure privacy by adding restrictive file
permissions:
sudo chmod 640 /opt/rh/httpd/root/etc/httpd/conf.d/auth-config.conf
1.3. Add to OnDemand Portal¶
Danger
Never directly edit the
/opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
to include
this authentication module within your Open OnDemand portal. This could
cause future upgrades of OnDemand to break.
Edit the YAML configuration file for the ood-portal-generator located
under /etc/ood/config/ood_portal.yml
. For example, to add support for
an authentication module with AuthType
of my-auth
, you would modify the
/etc/ood/config/ood_portal.yml
file as such:
# /etc/ood/config/ood_portal.yml
---
# ...
# Your other custom configuration options...
# ...
auth:
- 'AuthType my-auth'
- 'Require valid-user'
You would then build and install the new Apache configuration file with:
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
Finally you will need to restart your Apache HTTP Server for the changes to take effect.
1.4. Sanitize Session Information¶
You will need to sanitize any session-specific request headers that may be
passed to the backend web servers that a user is proxied to. For most Apache
authentication modules there are module-specific directives that can be enabled
to wipe session information from being passed as headers (e.g.,
OIDCStripCookies ...
). In other cases you may have to use regular
expressions to search for the session cookies and remove them manually.
For example, Shibboleth does not have a directive to strip session information from the cookies, so we accomplish this with the following options in our ood-portal-generator configuration file:
# /etc/ood/config/ood_portal.yml
---
# ...
# Your other custom configuration options...
# ...
auth:
- 'AuthType shibboleth'
- 'ShibRequestSetting requireSession 1'
- 'RequestHeader edit* Cookie "(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)" ""'
- 'RequestHeader unset Cookie "expr=-z %{req:Cookie}"'
- 'Require valid-user'
where we use a regular expression to replace any shibsession
cookies with
empty strings and delete the cookie header if it becomes empty.