
Commit 934956e9 authored by Lubomir Dolezal's avatar Lubomir Dolezal

enable basicAuth in apache using secret users file

parent c2d3e07e
2 merge requests!36Staging to master to prepare 1.0.0 release,!34Shib auth
......@@ -14,7 +14,7 @@ services:
labels:
# router for basic auth based access (https)
- "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
- "traefik.http.routers.dem-renderer.middlewares=shibAuth@file,compress@file,cors@file"
- "traefik.http.routers.dem-renderer.tls=true"
- "traefik.http.routers.dem-renderer.tls.certresolver=default"
- "traefik.http.routers.dem-renderer.entrypoints=https"
......@@ -32,16 +32,6 @@ services:
- "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
- "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.dem-renderer-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.dem-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.dem-renderer-shib.tls=true"
- "traefik.http.routers.dem-renderer-shib.tls.certresolver=default"
- "traefik.http.routers.dem-renderer-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.dem-renderer-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.dem-renderer-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-renderer-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
- "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
......@@ -66,7 +56,7 @@ services:
- "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
# router for basic auth based access (https)
- "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.dem-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.dem-cache.tls=true"
- "traefik.http.routers.dem-cache.tls.certresolver=default"
- "traefik.http.routers.dem-cache.entrypoints=https"
......@@ -84,16 +74,6 @@ services:
- "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
- "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.dem-cache-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.dem-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.dem-cache-shib.tls=true"
- "traefik.http.routers.dem-cache-shib.tls.certresolver=default"
- "traefik.http.routers.dem-cache-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.dem-cache-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.dem-cache-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-cache-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.dem-cache.loadbalancer.sticky=false"
- "traefik.http.services.dem-cache.loadbalancer.server.port=80"
......@@ -134,16 +114,6 @@ services:
- "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
- "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-client-redirect.entrypoints=http"
# router for basic auth based access (https)
- "traefik.http.routers.dem-client.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
- "traefik.http.routers.dem-client.middlewares=shibAuth@file,compress@file"
- "traefik.http.routers.dem-client.tls=true"
- "traefik.http.routers.dem-client.tls.certresolver=default"
- "traefik.http.routers.dem-client.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.dem-client-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
- "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-client-redirect.entrypoints=http"
# general
- "traefik.http.services.dem-client.loadbalancer.sticky=false"
- "traefik.http.services.dem-client.loadbalancer.server.port=80"
......@@ -168,7 +138,7 @@ services:
shibauth:
image: testing-shibboleth
environment:
APACHE_SERVERNAME: "https://dem-secure.pass.copernicus.eu:443"
APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
secrets:
- SHIB_CERT
- SHIB_KEY
......@@ -179,13 +149,13 @@ services:
constraints: [node.role == manager]
labels:
# router for basic auth based access (https)
- "traefik.http.routers.shibauth.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
- "traefik.http.routers.shibauth.tls=true"
- "traefik.http.routers.shibauth.tls.certresolver=default"
- "traefik.http.routers.shibauth.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.shibauth-redirect.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
- "traefik.http.routers.shibauth-redirect.entrypoints=http"
# general
......
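Review bot: The two `shibauth` router rules list only the `*.dem.pass.copernicus.eu` hosts, while the `dem-renderer` and `dem-cache` routers that now carry `shibAuth@file` also match the `*.dem.pdas.prism.eox.at` hosts. On those hosts `/secure` and `/Shibboleth.sso` are not routed to the Shibboleth container and `APACHE_SERVERNAME` names a single host, so the session flow there presumably cannot complete and only the Basic path would work; either add the `pdas.prism.eox.at` hosts to both `shibauth` rules or note in a comment that those hosts are Basic-only. The `shibAuth@file` definition is not on this page, so it is worth confirming that it passes the `Authorization` header through to the auth service. The comments `# router for basic auth based access (https)` above the renderer, cache and `shibauth` routers no longer describe them; something like `# router for Shibboleth or Basic auth via the shibauth forward-auth service (https)` would match the new setup. The same points apply to the emg and vhr18 stack files further down the page.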
......@@ -14,7 +14,7 @@ services:
labels:
# router for basic auth based access (https)
- "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
- "traefik.http.routers.emg-renderer.middlewares=shibAuth@file,compress@file,cors@file"
- "traefik.http.routers.emg-renderer.tls=true"
- "traefik.http.routers.emg-renderer.tls.certresolver=default"
- "traefik.http.routers.emg-renderer.entrypoints=https"
......@@ -32,16 +32,6 @@ services:
- "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.emg-renderer-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.emg-renderer-shib.tls=true"
- "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
- "traefik.http.routers.emg-renderer-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.emg-renderer-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
- "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
......@@ -66,7 +56,7 @@ services:
- "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
# router for basic auth based access (https)
- "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.emg-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.emg-cache.tls=true"
- "traefik.http.routers.emg-cache.tls.certresolver=default"
- "traefik.http.routers.emg-cache.entrypoints=https"
......@@ -84,16 +74,6 @@ services:
- "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.emg-cache-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.emg-cache-shib.tls=true"
- "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
- "traefik.http.routers.emg-cache-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.emg-cache-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-cache-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-cache-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-cache.loadbalancer.sticky=false"
- "traefik.http.services.emg-cache.loadbalancer.server.port=80"
......@@ -158,7 +138,7 @@ services:
shibauth:
image: testing-shibboleth
environment:
APACHE_SERVERNAME: "https://emg-secure.pass.copernicus.eu:443"
APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
secrets:
- SHIB_CERT
- SHIB_KEY
......@@ -169,13 +149,13 @@ services:
constraints: [node.role == manager]
labels:
# router for basic auth based access (https)
- "traefik.http.routers.shibauth.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
- "traefik.http.routers.shibauth.tls=true"
- "traefik.http.routers.shibauth.tls.certresolver=default"
- "traefik.http.routers.shibauth.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.shibauth-redirect.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
- "traefik.http.routers.shibauth-redirect.entrypoints=http"
# general
......
version: "3.6"
services:
shibauth:
image: testing-shibboleth
deploy:
labels:
# router for basic auth based access (https)
- "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
- "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
- "traefik.http.routers.shibauth.tls=true"
- "traefik.http.routers.shibauth.tls.certresolver=default"
- "traefik.http.routers.shibauth.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
- "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
- "traefik.http.routers.shibauth-redirect.entrypoints=http"
# general
- "traefik.http.services.shibauth.loadbalancer.sticky=false"
- "traefik.http.services.shibauth.loadbalancer.server.port=80"
- "traefik.docker.network=shib-extnet"
- "traefik.docker.lbswarm=true"
- "traefik.enable=true"
replicas: 1
placement:
constraints: [node.role == manager]
networks:
- extnet
networks:
extnet:
name: shib-extnet
external: true
......@@ -15,7 +15,7 @@ services:
labels:
# router for basic auth based access (https)
- "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file"
- "traefik.http.routers.vhr18-renderer.middlewares=shibAuth@file,compress@file,cors@file"
- "traefik.http.routers.vhr18-renderer.tls=true"
- "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
- "traefik.http.routers.vhr18-renderer.entrypoints=https"
......@@ -33,16 +33,6 @@ services:
- "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
- "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.vhr18-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.vhr18-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.vhr18-renderer-shib.tls=true"
- "traefik.http.routers.vhr18-renderer-shib.tls.certresolver=default"
- "traefik.http.routers.vhr18-renderer-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.vhr18-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.vhr18-renderer-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-renderer-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
......@@ -66,7 +56,7 @@ services:
- "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
# router for basic auth based access (https)
- "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.vhr18-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.vhr18-cache.tls=true"
- "traefik.http.routers.vhr18-cache.tls.certresolver=default"
- "traefik.http.routers.vhr18-cache.entrypoints=https"
......@@ -84,16 +74,6 @@ services:
- "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
- "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
# router for shibboleth based auth based access (https)
- "traefik.http.routers.vhr18-cache-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.vhr18-cache-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
- "traefik.http.routers.vhr18-cache-renderer-shib.tls=true"
- "traefik.http.routers.vhr18-cache-renderer-shib.tls.certresolver=default"
- "traefik.http.routers.vhr18-cache-renderer-shib.entrypoints=https"
# router for shibboleth shibboleth auth based access (http)
- "traefik.http.routers.vhr18-cache-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.vhr18-cache-renderer-shib-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-cache-renderer-shib-redirect.entrypoints=http"
# general
- "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
......@@ -134,16 +114,6 @@ services:
- "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
- "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
# router for basic auth based access (https)
- "traefik.http.routers.vhr18-client.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
- "traefik.http.routers.vhr18-client.middlewares=shibAuth@file,compress@file"
- "traefik.http.routers.vhr18-client.tls=true"
- "traefik.http.routers.vhr18-client.tls.certresolver=default"
- "traefik.http.routers.vhr18-client.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
- "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
# general
- "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
......@@ -168,7 +138,7 @@ services:
shibauth:
image: testing-shibboleth
environment:
APACHE_SERVERNAME: "https://vhr18-secure.pass.copernicus.eu:443"
APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
secrets:
- SHIB_CERT
- SHIB_KEY
......@@ -179,13 +149,13 @@ services:
constraints: [node.role == manager]
labels:
# router for basic auth based access (https)
- "traefik.http.routers.shibauth.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
- "traefik.http.routers.shibauth.tls=true"
- "traefik.http.routers.shibauth.tls.certresolver=default"
- "traefik.http.routers.shibauth.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
- "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
- "traefik.http.routers.shibauth-redirect.entrypoints=http"
# general
......
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
ShibCompatValidUser On
UseCanonicalName On
DocumentRoot "/var/www/html"
<Location />
SetHandler shib
</Location>
<VirtualHost *:80>
PassEnv APACHE_SERVERNAME
ServerName "${APACHE_SERVERNAME}"
<Location /secure>
<If "-n req('Authorization')">
Require valid-user
AuthType Basic
AuthBasicProvider file
AuthName "/secure"
AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
</If>
<Else>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-plugin /etc/shibboleth/pass-ac.xml
RequestHeader set Referer "%{X-Forwarded-Uri}e"
Header set Referer "%{X-Forwarded-Uri}e"
</Else>
</Location>
</VirtualHost>
\ No newline at end of file
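Review bot: In `<Location /secure>`, the `<If "-n req('Authorization')">` branch admits any account in the users file through `Require valid-user` and never evaluates `Require shib-plugin /etc/shibboleth/pass-ac.xml`, so Basic users skip the access-control rules that Shibboleth users are held to. If that is intended, say so above the `<If>`, e.g. `# Basic-auth accounts bypass pass-ac.xml; keep the users file limited to service accounts`. The branch is selected on the mere presence of the header, so a request carrying another scheme gets a Basic 401 instead of the Shibboleth flow; `<If "req('Authorization') =~ /^Basic /i">` would be narrower. `AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH` needs that secret attached to every `shibauth` service, and the compose hunks on this page show only `SHIB_CERT` and `SHIB_KEY` in the visible part of the `secrets:` lists, so please confirm it is mounted and that the file holds bcrypt entries. Line sides are not marked on this page; this note assumes the `<If>`/`<Else>` version is the added one.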
<VirtualHost *:80>
PassEnv APACHE_SERVERNAME
ServerName "${APACHE_SERVERNAME}"
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-plugin /etc/shibboleth/pass-ac.xml
RequestHeader set Referer "%{X-Forwarded-Uri}e"
Header set Referer "%{X-Forwarded-Uri}e"
</Location>
</VirtualHost>
\ No newline at end of file