forked from SUNET/soc-ops
Added a custom 401 page for the SSO proxy, fixed inclusion of the extra proxy config, added the option to remove the HTTP Authorization header
This commit is contained in:
parent
264ec25329
commit
4bb3a317ff
4 changed files with 63 additions and 16 deletions
31
global/overlay/etc/puppet/modules/soc/files/sso/401.html
Normal file
31
global/overlay/etc/puppet/modules/soc/files/sso/401.html
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
|
<title>Centrumtext</title>
|
||||||
|
<style>
|
||||||
|
/* Styla body för att ta upp hela skärmen och centrera innehållet */
|
||||||
|
body, html {
|
||||||
|
height: 100%;
|
||||||
|
margin: 0;
|
||||||
|
display: flex;
|
||||||
|
justify-content: center; /* Horisontell centrering */
|
||||||
|
align-items: center; /* Vertikal centrering */
|
||||||
|
font-family: Arial, sans-serif;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Anpassa stilen för texten */
|
||||||
|
.centered-text {
|
||||||
|
text-align: center;
|
||||||
|
font-size: 24px;
|
||||||
|
color: #333;
|
||||||
|
}
|
||||||
|
</style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div class="centered-text">
|
||||||
|
<h1>401 - Unauthorized</h1>
|
||||||
|
<p />The SSO proxy did not find your user in any required user groups defined in the SSO proxy config.
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
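Review bot: The `<title>` of the new 401.html is still the placeholder `Centrumtext`, and the document has no opening `<html>` tag although it closes one on its last line. Use `<title>401 - Unauthorized</title>` and insert `<html lang="en">` directly after the doctype so the markup is well-formed. The `<p />` in front of the unauthorized message is not a valid self-closing element in HTML; write `<p>The SSO proxy did not find your user in any required user groups defined in the SSO proxy config.</p>`. Since this page is served from a location that grants access without authentication, keeping it fully static with no reflected request data, as the commit does, is the right design.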
@ -31,20 +31,22 @@
|
||||||
# Default set to value of proxy.
|
# Default set to value of proxy.
|
||||||
|
|
||||||
class soc::sso(
|
class soc::sso(
|
||||||
String $ssotype = 'docker',
|
String $ssotype = 'docker',
|
||||||
String $hostname = $facts['networking']['fqdn'],
|
String $hostname = $facts['networking']['fqdn'],
|
||||||
String $email = 'cert@cert.sunet.se',
|
String $email = 'cert@cert.sunet.se',
|
||||||
Optional[String] $service_endpoint = undef,
|
Optional[String] $service_endpoint = undef,
|
||||||
Array $groups = ['PLACEHOLDER'],
|
Array $groups = ['PLACEHOLDER'],
|
||||||
Array $passthrough = [],
|
Array $passthrough = [],
|
||||||
Boolean $x_remote_user = false,
|
Boolean $x_remote_user = false,
|
||||||
Boolean $single_user = false,
|
Boolean $remote_user = false,
|
||||||
Boolean $satosa = true,
|
Boolean $unset_auth_header = false,
|
||||||
Boolean $satosa_certbot = false,
|
Boolean $single_user = false,
|
||||||
String $translog = 'INFO',
|
Boolean $satosa = true,
|
||||||
String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
|
Boolean $satosa_certbot = false,
|
||||||
String $entityID = $proxy,
|
String $translog = 'INFO',
|
||||||
Optional[String] $extra_proxy_conf = undef,
|
String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
|
||||||
|
String $entityID = $proxy,
|
||||||
|
Optional[String] $extra_proxy_conf = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
if $ssotype == "docker" {
|
if $ssotype == "docker" {
|
||||||
|
|
|
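Review bot: The two new parameters `$remote_user` and `$unset_auth_header` are added to `soc::sso` without an entry in the comment block above the class, which describes the other parameters (e.g. `# Default set to value of proxy.`). Add `# unset_auth_header: strip the client-supplied Authorization header before the request is proxied to the service.` above the class, plus a matching line for `remote_user`. As far as the hunks in this commit show, `$remote_user` is not referenced by any template, so its intended effect should be stated or the parameter left out until it is wired up. The class body continues outside the hunk.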
@ -27,6 +27,13 @@
|
||||||
# after it has been globally disabled with "a2disconf".
|
# after it has been globally disabled with "a2disconf".
|
||||||
#Include conf-available/serve-cgi-bin.conf
|
#Include conf-available/serve-cgi-bin.conf
|
||||||
|
|
||||||
|
Alias /error /var/www/error
|
||||||
|
<Directory /var/www/error>
|
||||||
|
AuthType None
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
ErrorDocument 401 /error/401.html
|
||||||
|
|
||||||
<Location />
|
<Location />
|
||||||
AuthType shibboleth
|
AuthType shibboleth
|
||||||
ShibRequestSetting requireSession On
|
ShibRequestSetting requireSession On
|
||||||
|
@ -38,7 +45,9 @@
|
||||||
<%- else -%>
|
<%- else -%>
|
||||||
ShibUseHeaders On
|
ShibUseHeaders On
|
||||||
<%- end -%>
|
<%- end -%>
|
||||||
|
<%- if @unset_auth_header -%>
|
||||||
|
RequestHeader unset Authorization
|
||||||
|
<%- end -%>
|
||||||
<%- if @extra_proxy_conf -%>
|
<%- if @extra_proxy_conf -%>
|
||||||
IncludeOptional <%= @extra_proxy_conf %>
|
IncludeOptional <%= @extra_proxy_conf %>
|
||||||
<%- end -%>
|
<%- end -%>
|
||||||
|
@ -46,14 +55,15 @@
|
||||||
AuthGroupFile /etc/apache2/groups.txt
|
AuthGroupFile /etc/apache2/groups.txt
|
||||||
Require group <% @groups.each.with_index do |group, i| %><%= group %><%= ' ' if i < (@groups.size - 1) %><% end %>
|
Require group <% @groups.each.with_index do |group, i| %><%= group %><%= ' ' if i < (@groups.size - 1) %><% end %>
|
||||||
</Location>
|
</Location>
|
||||||
<%- @passthrough.each do |path| -%>
|
|
||||||
|
|
||||||
|
<%- @passthrough.each do |path| -%>
|
||||||
<Location <%= path %>>
|
<Location <%= path %>>
|
||||||
AuthType None
|
AuthType None
|
||||||
Require all granted
|
Require all granted
|
||||||
</Location>
|
</Location>
|
||||||
<%- end -%>
|
<%- end -%>
|
||||||
|
|
||||||
|
ProxyPass "/error" !
|
||||||
ProxyPass "/" "<%= @service_endpoint %>/"
|
ProxyPass "/" "<%= @service_endpoint %>/"
|
||||||
ProxyPassReverse "/" "<%= @service_endpoint %>/"
|
ProxyPassReverse "/" "<%= @service_endpoint %>/"
|
||||||
UseCanonicalName On
|
UseCanonicalName On
|
||||||
|
|
|
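Review bot: In the first hunk of this file, `<Directory /var/www/error>` grants `AuthType None` / `Require all granted`, but the `<Location />` block that follows sets `AuthType shibboleth`, `requireSession On` and a `Require group`, and Apache merges `<Location>` sections after `<Directory>` sections, so the later section is likely to override the exemption. Because `ErrorDocument 401 /error/401.html` is handled as an internal redirect that is authorized again, a user who failed the group check would presumably receive the same 401 on the error page itself. The template already uses `<Location <%= path %>>` for passthrough paths, so the consistent fix is `<Location /error>` and `</Location>` in place of the `<Directory>` wrapper, placed after the root `</Location>` like the passthrough entries. The `ProxyPass "/error" !` exclusion in the last hunk is correctly ordered before `ProxyPass "/"`, and `RequestHeader unset Authorization` in the second hunk is a sensible default for a backend that should never see client credentials.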
@ -23,6 +23,10 @@ services:
|
||||||
<% end -%>
|
<% end -%>
|
||||||
- ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
|
- ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
|
||||||
- ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
|
- ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
|
||||||
|
- ./apache/401.html:/var/www/error/401.html:ro
|
||||||
|
<% if @extra_proxy_conf -%>
|
||||||
|
- @extra_proxy_conf:@extra_proxy_conf
|
||||||
|
<% end -%>
|
||||||
networks:
|
networks:
|
||||||
sso:
|
sso:
|
||||||
external: true
|
external: true
|
||||||
|
|
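Review bot: The bind mount on the new line `- @extra_proxy_conf:@extra_proxy_conf` is not an ERB expression, so the rendered compose file will contain the literal text `@extra_proxy_conf:@extra_proxy_conf` rather than the path held in the variable. Because the Apache template pulls this file in with `IncludeOptional`, which ignores a missing file, the extra proxy configuration would be silently dropped instead of failing loudly. Write it as `- <%= @extra_proxy_conf %>:<%= @extra_proxy_conf %>:ro`, read-only like the `401.html` mount two lines above.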