update config forwardauth url, remove not necessary files, add shibauth to base compose

26454276 · Lubomir Dolezal · c87648a0 · 26454276 · c87648a0 · c87648a0
Commit 26454276 authored 4 years ago by Lubomir Dolezal
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,6 +28,32 @@ services:
      - emg-extnet
      - dem-extnet
      - logging-extnet
+      - shibauth-extnet
+  shibauth:
+    image: testing-shibboleth
+    deploy:
+      # labels:
+      #   # router for basic auth based access (https)
+      #   - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+      #   - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+      #   - "traefik.http.routers.shibauth.tls=true"
+      #   - "traefik.http.routers.shibauth.tls.certresolver=default"
+      #   - "traefik.http.routers.shibauth.entrypoints=https"
+      #   # router for basic auth based access (http)
+      #   - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+      #   - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+      #   - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+      #   # general
+      #   - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+      #   - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+      #   - "traefik.docker.network=shib-extnet"
+      #   - "traefik.docker.lbswarm=true"
+      #   - "traefik.enable=true"
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+    networks:
+      - shibauth-extnet      
 volumes:
  traefik-data:
 networks:
@@ -39,3 +65,5 @@ networks:
    name: dem-extnet
  logging-extnet:
    name: logging-extnet
+  shibauth-extnet:
+    name: shibauth-extnet
--- a/shibauth/shibboleth-conf/shibd.logger
+++ b/shibauth/shibboleth-conf/shibd.logger
-# set overall behavior
-log4j.rootCategory=INFO, shibd_log, warn_log
-
-# fairly verbose for DEBUG, so generally leave at INFO
-log4j.category.XMLTooling.XMLObject=INFO
-log4j.category.XMLTooling.KeyInfoResolver=INFO
-log4j.category.Shibboleth.IPRange=INFO
-log4j.category.Shibboleth.PropertySet=INFO
-
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=INFO
-
-# useful categories to tune independently:
-#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
-#log4j.category.XMLTooling.SOAPClient=DEBUG
-# interprocess message remoting
-#log4j.category.Shibboleth.Listener=DEBUG
-# mapping of requests to applicationId
-#log4j.category.Shibboleth.RequestMapper=DEBUG
-# high level session cache operations
-#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
-
-# logs XML being signed or verified if set to DEBUG
-log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
-log4j.additivity.XMLTooling.Signature.Debugger=false
-log4j.ownAppenders.XMLTooling.Signature.Debugger=true
-
-# the tran log blocks the "default" appender(s) at runtime
-# Level should be left at INFO for this category
-log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
-log4j.additivity.Shibboleth-TRANSACTION=false
-log4j.ownAppenders.Shibboleth-TRANSACTION=true
-
-# uncomment to suppress particular event types
-#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
-#log4j.category.Shibboleth-TRANSACTION.Login=WARN
-#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
-
-# define the appenders
-
-log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
-log4j.appender.shibd_log.fileName=/dev/stdout
-log4j.appender.shibd_log.maxFileSize=0
-log4j.appender.shibd_log.maxBackupIndex=0
-log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
-#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
-#log4j.appender.warn_log.maxFileSize=0
-#log4j.appender.warn_log.maxBackupIndex=0
-#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
-#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-#log4j.appender.warn_log.threshold=WARN
-
-log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
-log4j.appender.tran_log.fileName=/dev/stdout
-log4j.appender.tran_log.maxFileSize=0
-log4j.appender.tran_log.maxBackupIndex=0
-log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.sig_log=org.apache.log4j.FileAppender
-log4j.appender.sig_log.fileName=/dev/stdout
-log4j.appender.sig_log.maxFileSize=0
-log4j.appender.sig_log.maxBackupIndex=0
-log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
-
-
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
-<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
-                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-
-        <KeyDescriptor>
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
-U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
-Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
-MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
-BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
-c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
-GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
-9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
-/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
-lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
-b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
-x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
-rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
-EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
-O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
-rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
-Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
-HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
-gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
-MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
-L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
-MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
-bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
-eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
-YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
-d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
-NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
-aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
-XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
-4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
-ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
-BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
-rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
-QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
-mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
-oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
-MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
-8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
-2Wfpr7x/2VCKeO7Mfpo=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-
-        <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
-        <!--
-            This tells IdPs where and how to push assertions through the browser. Mostly
-            the SP will tell the IdP what location to use in its request, but this
-            is how the IdP validates the location and also figures out which
-            SAML version/binding to use.
-            -->
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
-        <!-- This tells IdPs that you only need transient identifiers. -->
-        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
-    </SPSSODescriptor>
-
-    <Organization>
-        <OrganizationName xml:lang="en">eox</OrganizationName>
-        <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
-        <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
-    </Organization>
-</EntityDescriptor>
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
          - "***REMOVED***"
    shibAuth:
      forwardAuth:
-        address: http://auth/auth
+        address: http://shibauth/secure
        trustForwardHeader: true
    compress:
      compress: {}