utilise la directive LocationMatch pour permettre les expressions rég…

…ulières dans les proxypass + ajoute la variable RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE + ajoute deux hook pour httpd-vhosts.inc.conf + maj apache en version 2.4.58 + refactoring
abes-esr · Feb 20, 2024 · dc4e006 · dc4e006
1 parent 138f75b
commit dc4e006
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 93 deletions.
diff --git a/.env-dist b/.env-dist
diff --git a/README.md b/README.md
@@ -20,14 +20,12 @@ Technologies : cette image docker utilise un serveur apache (basée sur son imag
 
 ### Configuration
 
-Pour configurer le conteneur, vous devez lui passer des variables d'environnement, pour cela vous pouvez créer un fichier ``.env`` à coté de votre ``docker-compose.yml`` en prenant exemple sur [``.env-dist``](./.env-dist) qui propose des exemples de valeurs en expliquant leur signification.
-
-Votre ``docker-compose.yml`` doit alors transmettre ces variables au conteneur en les précisant dans la section [``environment`` comme dans cet exemple](https://github.com/abes-esr/docker-shibboleth-renater-sp/blob/0fdb9619c4e4b8bb2f50dfda1f93c4a1d65df4bb/docker-compose.yml#L13-L23).
+Pour configurer le conteneur, vous devez lui passer des variables d'environnement, pour cela vous pouvez créer un fichier ``.env`` à coté de votre ``docker-compose.yml`` en prenant exemple sur les variables d'environnement du [``docker-compose.yml``](./docker-compose.yml) qui propose des exemples de valeurs en expliquant leur signification.
 
 Si vous souhaitez injecter des configurations apache spécifiques dans la configuration du serveur apache, vous pouvez ajouter des fichiers de configuration via des volumes aux endroits suivants dans le conteneur :
-- ``/usr/local/apache2/conf/extra/httpd-vhosts.inc.conf`` : pour injecter de la configuration au niveau global du virtualhost ([ici exactement](./image/httpd-vhosts.conf#L38-L39))
-- ``/usr/local/apache2/conf/extra/httpd-vhosts.public_proxy.inc.conf`` : pour injecter de la configuration au niveau du ProxyPass des URL publiques ([ici exactement](./image/httpd-vhosts.conf#L44))
-- ``/usr/local/apache2/conf/extra/httpd-vhosts.protected_proxy.inc.conf`` : pour injecter de la configuration au niveau du ProxyPass des URL protégées ([ici exactement](./image/httpd-vhosts.conf#L71))
+- ``/usr/local/apache2/conf/extra/httpd-vhosts-begin.inc.conf`` et ``/usr/local/apache2/conf/extra/httpd-vhosts-end.inc.conf`` : pour injecter de la configuration au niveau global du virtualhost ([ici](./image/httpd-vhosts.conf#L53-L53)) et ([ici](./image/httpd-vhosts.conf#L109-L110)) 
+- ``/usr/local/apache2/conf/extra/httpd-vhosts.public_proxy.inc.conf`` : pour injecter de la configuration au niveau du ProxyPass des URL publiques ([ici exactement](./image/httpd-vhosts.conf#L59))
+- ``/usr/local/apache2/conf/extra/httpd-vhosts.protected_proxy.inc.conf`` : pour injecter de la configuration au niveau du ProxyPass des URL protégées ([ici exactement](./image/httpd-vhosts.conf#L91))
 
 
 ### Configuration en TEST

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,31 +14,55 @@ services:
     volumes:
       - type: bind
         source: ./volume/httpd-vhosts.inc.conf
-        target: /usr/local/apache2/conf/extra/httpd-vhosts.inc.conf
+        target: /usr/local/apache2/conf/extra/httpd-vhosts-begin.inc.conf
       - type: bind
         source: ./volume/access-rotated.log
         target: /var/log/apache2/access-rotated.log
     environment:
-      # container parameters, values comming from .env
-      # (see .env-dist example)
-      - RENATER_SP_TEST_OR_PROD
-      - RENATER_SP_ENTITY_ID
-      - RENATER_SP_ADMIN_MAIL
-      - RENATER_SP_CERTIFICATE_CRT
-      - RENATER_SP_CERTIFICATE_KEY
-      - RENATER_SP_HTTPD_SERVER_NAME
-      - RENATER_SP_HTTPD_LOG_LEVEL
-      - RENATER_SP_HTTPD_LOG_FORMAT
-      - RENATER_SP_HTTPD_PUBLIC_PATH_0
-      - RENATER_SP_HTTPD_PUBLIC_PROXY_TO_0
-      - RENATER_SP_HTTPD_PUBLIC_PATH_1
-      - RENATER_SP_HTTPD_PUBLIC_PROXY_TO_1
-      - RENATER_SP_HTTPD_PROTECTED_PATH_0
-      - RENATER_SP_HTTPD_PROTECTED_PROXY_TO_0
-      - RENATER_SP_HTTPD_PROTECTED_PATH_1
-      - RENATER_SP_HTTPD_PROTECTED_PROXY_TO_1
-      - RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_0
-      - RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_1
+      # ci dessous les paramètres du conteneurs avec des valeurs exemples
+      ###################################################################
+      # Pour basculer facilement le fournisseur de service 
+      # sur la fédération RENATER de TEST ou de PROD
+      RENATER_SP_TEST_OR_PROD: TEST
+      # L'identifiant technique de votre fournisseur de service
+      # (vous devrez forcément le modifer pour votre usage)
+      RENATER_SP_ENTITY_ID: "https://v2-local.theses.fr/sp"
+      # L'adresse mail de contact qui sera utilisé dans les pages
+      # d'erreur d'Apache et de Shibboleth
+      RENATER_SP_ADMIN_MAIL: "[email protected]"
+      # Les noms des fichiers des certificats utilisés par shibboleth
+      # (pour la prod, vous devrez modifier ces valeurs)
+      RENATER_SP_CERTIFICATE_CRT: "ssl/server-demo.crt"
+      RENATER_SP_CERTIFICATE_KEY: "ssl/server-demo.key"
+      # Le nom public du serveur web de votre fournisseur de service
+      RENATER_SP_HTTPD_SERVER_NAME: "https://v2-local.theses.fr"
+      # Le niveau et format de log du serveur apache
+      # avec un exemple de format permettant de logguer les attributs venant de la fédé
+      RENATER_SP_HTTPD_LOG_LEVEL: "info ssl:warn"
+      RENATER_SP_HTTPD_LOG_FORMAT: '%h \"%{Shib-Identity-Provider}i\" \"%{eppn}i\" \"%{primary-affiliation}i\" \"%{supannEtablissement}i\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'
+      # permet de forcer apache à fermer les connexion pour pouvoir rafraîchir
+      # la resolution de nom des proxypass car dans un context docker, les ip des
+      # conteneurs peuvent changer
+      # voir aussi https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
+      RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE: 'on'
+      # Les correspondances entre les chemins dans l'URL
+      # et les URL des serveurs backend proxifiés.
+      # il est possible de créer 10 couples ..._PUBLIC_PATH_* / ..._PUBLIC_PROXY_TO_*
+      # et 10 couples ..._PROTECTED_PATH_* / ..._PROTECTED_PROXY_TO_*
+      # Il est obligatoire de positionner au moins un couple PUBLIC
+      # et un couple PROTECTED
+      RENATER_SP_HTTPD_PUBLIC_PATH_0: "/"
+      RENATER_SP_HTTPD_PUBLIC_PROXY_TO_0: "http://backend-example-home:8080/"
+      RENATER_SP_HTTPD_PUBLIC_PATH_1: "/api/"
+      RENATER_SP_HTTPD_PUBLIC_PROXY_TO_1: "http://backend-example-api:8080/api/v1/"
+      RENATER_SP_HTTPD_PUBLIC_PATH_2: '/([0-9]{8}[0-9X]{1})\.xml'
+      RENATER_SP_HTTPD_PUBLIC_PROXY_TO_2: "http://backend-example-api:8080/api/v1/export/$1/xml"
+      RENATER_SP_HTTPD_PROTECTED_PATH_0: "/my-protected-url/"
+      RENATER_SP_HTTPD_PROTECTED_PROXY_TO_0: "http://backend-example-protected:8080/my-protected-url/"
+      RENATER_SP_HTTPD_PROTECTED_PATH_1: "/my-protected-url2/"
+      RENATER_SP_HTTPD_PROTECTED_PROXY_TO_1: "http://backend-example-protected2:8080/my-protected-url2/"
+      RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_0: "Require shib-attr Shib-Identity-Provider https://test-idp.federation.renater.fr/idp/shibboleth"
+      RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_1: "Require shib-attr eppn [email protected]"
     restart: unless-stopped
     depends_on:
       - backend-example-home

diff --git a/image/Dockerfile b/image/Dockerfile
@@ -1,4 +1,4 @@
-FROM httpd:2.4.54
+FROM httpd:2.4.58
 
 # apache2: to have the apache web server able to authenticate and to reverse proxy the real application
 # libapache2-mod-shib: to have mod_shib for apache and the shibd daemon
@@ -28,7 +28,8 @@ RUN sed -i \
 # apache conf and shib config
 # (templates in order to be able to customize it fro external parameters)
 COPY ./httpd-vhosts.conf /usr/local/apache2/conf/extra/httpd-vhosts.conf.orig
-RUN touch /usr/local/apache2/conf/extra/httpd-vhosts.inc.conf
+RUN touch /usr/local/apache2/conf/extra/httpd-vhosts-begin.inc.conf
+RUN touch /usr/local/apache2/conf/extra/httpd-vhosts-end.inc.conf
 RUN touch /usr/local/apache2/conf/extra/httpd-vhosts.public_proxy.inc.conf
 RUN touch /usr/local/apache2/conf/extra/httpd-vhosts.protected_proxy.inc.conf
 COPY ./shibboleth/ /etc/shibboleth/

diff --git a/image/httpd-foreground b/image/httpd-foreground
@@ -10,6 +10,8 @@ export RENATER_SP_CERTIFICATE_KEY=${RENATER_SP_CERTIFICATE_KEY:='ssl/server-demo
 export RENATER_SP_HTTPD_SERVER_NAME=${RENATER_SP_HTTPD_SERVER_NAME}
 export RENATER_SP_HTTPD_LOG_LEVEL=${RENATER_SP_HTTPD_LOG_LEVEL:='info ssl:warn'}
 export RENATER_SP_HTTPD_LOG_FORMAT=${RENATER_SP_HTTPD_LOG_FORMAT:='%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'}
+export RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE=${RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE:='on'}
+
 for i in 0 1 2 3 4 5 6 7 8 9
 do
 	varname="RENATER_SP_HTTPD_PUBLIC_PATH_${i}" && export RENATER_SP_HTTPD_PUBLIC_PATH_${i}="${!varname}"

diff --git a/image/httpd-vhosts.conf b/image/httpd-vhosts.conf
@@ -50,33 +50,33 @@ RemoteIPHeader X-Forwarded-For
   </Location>
   Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
 
-  # hook to be able to overload virtualhost config
-  Include /usr/local/apache2/conf/extra/httpd-vhosts.inc.conf
+  # hook end to be able to overload virtualhost config
+  Include /usr/local/apache2/conf/extra/httpd-vhosts-begin.inc.conf
 
   # Here goes your public routes
   <Macro MACRO_PUBLIC_PROXY_TO $public_location_path $public_proxy_to_url>
-    <Location $public_location_path>
+    <LocationMatch $public_location_path>
       Include /usr/local/apache2/conf/extra/httpd-vhosts.public_proxy.inc.conf
 
-      ProxyPass        $public_proxy_to_url status= retry=5
+      ProxyPass        $public_proxy_to_url retry=5 disablereuse=${RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE}
       ProxyPassReverse $public_proxy_to_url
-    </Location>
+    </LocationMatch>
   </Macro>
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_0} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_0}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_1} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_1}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_2} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_2}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_3} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_3}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_4} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_4}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_5} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_5}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_6} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_6}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_7} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_7}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_8} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_8}
-  Use MACRO_PUBLIC_PROXY_TO ${RENATER_SP_HTTPD_PUBLIC_PATH_9} ${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_9}
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_0}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_0}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_1}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_1}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_2}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_2}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_3}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_3}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_4}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_4}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_5}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_5}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_6}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_6}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_7}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_7}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_8}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_8}"
+  Use MACRO_PUBLIC_PROXY_TO "${RENATER_SP_HTTPD_PUBLIC_PATH_9}" "${RENATER_SP_HTTPD_PUBLIC_PROXY_TO_9}"
 
 
   # Here goes your protected routes
   <Macro MACRO_PROTECTED_PROXY_TO $protected_location_path $protected_proxy_to_url $protected_require_0 $protected_require_1 $protected_require_2>
-    <Location $protected_location_path>
+    <LocationMatch $protected_location_path>
       AuthType shibboleth
       ShibRequestSetting requireSession 1
       ShibRequestSetting exportDuplicateValues 0
@@ -90,9 +90,10 @@ RemoteIPHeader X-Forwarded-For
 
       Include /usr/local/apache2/conf/extra/httpd-vhosts.protected_proxy.inc.conf
 
-      ProxyPass        $protected_proxy_to_url retry=5
+      ProxyPass        $protected_proxy_to_url retry=5 disablereuse=${RENATER_SP_HTTPD_PROXYPASS_DISABLEREUSE}
       ProxyPassReverse $protected_proxy_to_url
-    </Location>
+    </LocationMatch>
+
   </Macro>
   Use MACRO_PROTECTED_PROXY_TO "${RENATER_SP_HTTPD_PROTECTED_PATH_0}" "${RENATER_SP_HTTPD_PROTECTED_PROXY_TO_0}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_0_0}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_0_1}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_0_2}"
   Use MACRO_PROTECTED_PROXY_TO "${RENATER_SP_HTTPD_PROTECTED_PATH_1}" "${RENATER_SP_HTTPD_PROTECTED_PROXY_TO_1}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_0}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_1}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_1_2}"
@@ -106,4 +107,7 @@ RemoteIPHeader X-Forwarded-For
   Use MACRO_PROTECTED_PROXY_TO "${RENATER_SP_HTTPD_PROTECTED_PATH_9}" "${RENATER_SP_HTTPD_PROTECTED_PROXY_TO_9}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_9_0}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_9_1}" "${RENATER_SP_HTTPD_PROTECTED_REQUIRE_9_2}"
 
 
+  # hook end to be able to overload virtualhost config
+  Include /usr/local/apache2/conf/extra/te
+
 </VirtualHost>