propagate changes to emg ops file

2db072b4 · Lubomir Dolezal · 10c664c5 · 2db072b4
Commit 2db072b4 authored 4 years ago by Lubomir Dolezal
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -16,7 +16,8 @@ services:
      labels:
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-renderer-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.routers.emg-renderer-shib.middlewares=emg-renderer-shib-fa,compress@file,cors@file"
        - "traefik.http.routers.emg-renderer-shib.tls=true"
        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
@@ -25,20 +26,17 @@ services:
        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
        # router for internal proxy based access (https)
-        - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=<insert-proxy-url>"
-        - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=172.30.78.20"
+        - "traefik.http.middlewares.emg-renderer-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-renderer"
+        - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-renderer-proxy-wl,emg-renderer-proxy-fa,compress@file,cors@file"
        - "traefik.http.routers.emg-renderer-proxy.tls=true"
        - "traefik.http.routers.emg-renderer-proxy.tls.certresolver=default"
        - "traefik.http.routers.emg-renderer-proxy.entrypoints=https"
        # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-renderer-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect-proxy.middlewares=emg-renderer-proxy-wl,redirect@file"
        - "traefik.http.routers.emg-renderer-redirect-proxy.entrypoints=http"
-        # router for shib auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
        # router for basic auth based access (https)
        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
@@ -74,8 +72,9 @@ services:
        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.middlewares.emg-cache-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=emg-cache-shib-fa,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-shib-chain"
-        - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache-shib.tls=true"
        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
@@ -84,15 +83,17 @@ services:
        - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
        # router for internal proxy based access (https)
-        - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=<insert-proxy-url>"
-        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist-cache,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-cache-proxy-wl.ipwhitelist.sourcerange=172.30.78.20"
+        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.middlewares.emg-cache-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-cache"
+        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-cache-proxy-chain"
+        - "traefik.http.middlewares.emg-cache-proxy-chain.chain.middlewares=emg-cache-proxy-wl,emg-cache-proxy-fa,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache-proxy.tls=true"
        - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
        - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
        # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
+        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-cache-proxy-wl,redirect@file"
        - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
        # router for basic auth based access (https)
        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
@@ -150,7 +151,8 @@ services:
      labels:
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-shib.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.middlewares.emg-client-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.routers.emg-client-shib.middlewares=emg-client-shib-fa,compress@file"
        - "traefik.http.routers.emg-client-shib.tls=true"
        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-client-shib.entrypoints=https"
@@ -190,10 +192,14 @@ services:
      placement:
        constraints:
          - node.labels.type == internal
-  shibauth:
+  shibauth-emg:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth:release-1.1.1 # bumpversion
    environment:
      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
+      PROXY_USER_CATEGORY_ALLOW_RENDERER: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)"
+      PROXY_USER_CATEGORY_ALLOW_CACHE: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)"
+      SPEntityID: "https://emg.pass.copernicus.eu/shibboleth"
+      IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
    secrets:
      - source: EMG_SHIB_CERT
        target: SHIB_CERT
@@ -229,7 +235,7 @@ services:
      - source: shib-access-control-conf-cache
        target: /etc/shibboleth/pass-ac-cache.xml
      - source: shib-shibboleth2
-        target: /etc/shibboleth/shibboleth2.xml
+        target: /shibboleth2_template.xml
      - source: shib-apache
        target: /etc/httpd/conf.d/shib.conf
      - source: shib-attribute-map
@@ -250,7 +256,7 @@ configs:
  shib-access-control-conf-cache:
    file: ./config/shibboleth/emg-ac-cache.xml
  shib-shibboleth2:
-    file: ./config/shibboleth/emg-shibboleth2.xml
+    file: ./config/shibboleth/shibboleth2_template.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map: