diff --git a/config/shibboleth/shib-apache.conf b/config/shibboleth/shib-apache.conf
index 3d00b744882347cf061ade33b152d95d89a20026..b0f744fce842588d133bcd62618a41e93c429747 100755
--- a/config/shibboleth/shib-apache.conf
+++ b/config/shibboleth/shib-apache.conf
@@ -7,11 +7,33 @@
 
   PassEnv APACHE_SERVERNAME
   ServerName "${APACHE_SERVERNAME}"
+  PassEnv PROXY_USER_CATEGORY_ALLOW_RENDERER
+  PassEnv PROXY_USER_CATEGORY_ALLOW_CACHE
 
   <Location "/Shibboleth.sso">
     SetHandler shib
   </Location>
 
+  # Internally redirected to here in case of Panda proxy access to renderer
+  <Location /proxy-renderer>
+    <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_RENDERER}/">
+      Require all denied
+    </If>
+    <Else>
+      Require all granted
+    </Else>
+  </Location>
+  
+  # Internally redirected to here in case of Panda proxy access to cache
+  <Location /proxy-cache>
+    <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_CACHE}/">
+      Require all denied
+    </If>
+    <Else>
+      Require all granted
+    </Else>
+  </Location>
+
   # Internally redirected to here. Rewrite for proper relaystate in shib
   <Location /secure>
     <If "-n req('Authorization')">
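Review bot: The category check in `<Location /proxy-renderer>` (and the identical one in `<Location /proxy-cache>`) uses an unanchored regex, so any `Oa-User-Category` value that merely contains an allowed name as a substring is granted. The allow-list passed in from the compose file is already a parenthesised alternation, so anchoring is enough: `<If "%{HTTP:Oa-User-Category} !~ /^${PROXY_USER_CATEGORY_ALLOW_RENDERER}$/">`. This assumes the header carries exactly one category; if it can carry several, the pattern needs explicit delimiters instead. The header is supplied by the caller, so both locations are only as strong as the IP whitelist in front of them, and a comment above each block should say so. The `<Location /secure>` block at the end of the hunk continues outside it.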
@@ -38,7 +60,7 @@
   </LocationMatch>
 
   # Match everything not above like /cache or the client
-  <LocationMatch "^(?!/(Shibboleth.sso|secure|admin|ows|opensearch))">
+  <LocationMatch "^(?!/(Shibboleth.sso|secure|admin|ows|opensearch|proxy-renderer|proxy-cache))">
     RewriteEngine On
     AuthType shibboleth
     ShibRequestSetting requireSession 1
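Review bot: The negative lookahead in the new `LocationMatch` pattern has no path-segment boundary, so any path that merely starts with `/proxy-renderer` or `/proxy-cache` (or one of the older names) is excluded from the Shibboleth catch-all. `<Location /proxy-renderer>` itself applies only at a segment boundary, so a path such as `/proxy-cachefoo` would fall under neither block, as far as the visible config shows. Closing the group with a boundary and escaping the dot avoids that: `<LocationMatch "^(?!/(Shibboleth\.sso|secure|admin|ows|opensearch|proxy-renderer|proxy-cache)(/|$))">`. The body of this block continues outside the hunk.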
diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 6f198777585a3e17c56eb5189876e8e70df3e299..8c585e0b1d929b10aa704e3870619cda5b8c0065 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -2,7 +2,7 @@ version: "3.6"
 x-vs-version: :release-1.1.1 # bumpversion
 services:
   reverse-proxy:
-    image: traefik:2.1
+    image: traefik:2.4
     ports:
       - target: 80
         published: 80
@@ -20,7 +20,7 @@ services:
     environment:
       HTTP_PROXY: "http://172.30.252.68:3128"
       HTTPS_PROXY: "http://172.30.252.68:3128"
-      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth"
+      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth-emg,shibauth-dem,shibauth-vhr18"
     deploy:
       placement:
         constraints: [node.role == manager]
diff --git a/docker-compose.emg.staging.yml b/docker-compose.emg.staging.yml
index c63a245d2fb04882f15b8d5e168cbfb60f858ee5..622e074dfbb5e438186cfc22753341df8d3cbb75 100644
--- a/docker-compose.emg.staging.yml
+++ b/docker-compose.emg.staging.yml
@@ -15,7 +15,8 @@ services:
       labels:
         # router for shib auth based access (https)
         - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-renderer-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.routers.emg-renderer-shib.middlewares=emg-renderer-shib-fa,compress@file,cors@file"
         - "traefik.http.routers.emg-renderer-shib.tls=true"
         - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
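Review bot: `emg-renderer-shib-fa` is the first of three forward-auth middlewares with the same address `http://shibauth-emg/secure`; `emg-cache-shib-fa` and `emg-client-shib-fa` in the later hunks repeat it. Defining it once and referencing that one name from all three routers would keep the auth endpoint in a single place, so a later edit cannot leave one router pointing at a stale address. If the three definitions stay, a comment such as `# forward-auth to the Shibboleth SP; keep identical for renderer, cache and client` above each would make the coupling visible. The removed `shibAuth@file` also set `trustForwardHeader: true`, which the label form leaves at its default; the commit message should state that this is intended.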
@@ -25,19 +26,16 @@ services:
         - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
         # router for internal proxy based access (https)
         - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=178.248.89.10"
-        - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
-        - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-renderer-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-renderer"
+        - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,emg-renderer-proxy-fa,compress@file,cors@file"
         - "traefik.http.routers.emg-renderer-proxy.tls=true"
         - "traefik.http.routers.emg-renderer-proxy.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer-proxy.entrypoints=https"
         # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+        - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
         - "traefik.http.routers.emg-renderer-redirect-proxy.entrypoints=http"
-        # router for shib auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
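Review bot: The header name the removed rules tested, `HTTP_Oa-User-Category`, is not the one the new forward-auth endpoint reads: shib-apache.conf checks `%{HTTP:Oa-User-Category}`. If the upstream proxy really sends the header under the old name, `/proxy-renderer` would see an empty value and deny every request, so the name should be confirmed and documented next to the router, for instance `# category is enforced by shibauth-emg /proxy-renderer from the Oa-User-Category request header`. The http router `emg-renderer-redirect-proxy` now redirects any whitelisted request regardless of category. That looks harmless because the https router enforces the check, but it is a behaviour change the commit does not mention.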
@@ -71,7 +69,8 @@ services:
         # router for shib auth based access (https)
         - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
         - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-shib-chain"
-        - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-cache-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=emg-cache-shib-fa,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.emg-cache-shib.tls=true"
         - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
         - "traefik.http.routers.emg-cache-shib.entrypoints=https"
@@ -81,13 +80,15 @@ services:
         - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
         # router for internal proxy based access (https)
         - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=178.248.89.10"
-        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
-        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist-cache,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.middlewares.emg-cache-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-cache"
+        - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-proxy-chain"
+        - "traefik.http.middlewares.emg-cache-proxy-chain.chain.middlewares=emg-pass-whitelist-cache,emg-cache-proxy-fa,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.emg-cache-proxy.tls=true"
         - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
         - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
         # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
         - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
         - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
         # router for basic auth based access (https)
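Review bot: The added label `traefik.http.routers.emg-cache-shib.middlewares=emg-cache-proxy-chain` names the wrong router. It duplicates the `emg-cache-shib.middlewares` key already set in the shib section of this file, and with the old `emg-cache-proxy.middlewares` line removed it leaves `emg-cache-proxy` without any middlewares label in this hunk. Depending on which duplicate wins, `proxy.emg.pass.copernicus.eu/cache` would be served without the IP whitelist, the `/proxy-cache` category check or `cache-stripprefix`, while the Shibboleth cache route may pick up the proxy chain instead of its own. The line should read `- "traefik.http.routers.emg-cache-proxy.middlewares=emg-cache-proxy-chain"`.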
@@ -135,7 +136,8 @@ services:
       labels:
         # router for shib auth based access (https)
         - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-shib.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.middlewares.emg-client-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+        - "traefik.http.routers.emg-client-shib.middlewares=emg-client-shib-fa,compress@file"
         - "traefik.http.routers.emg-client-shib.tls=true"
         - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
         - "traefik.http.routers.emg-client-shib.entrypoints=https"
@@ -171,10 +173,12 @@ services:
       replicas: 1
     environment:
       UPLOAD_CONTAINER: "emg-data-staging"
-  shibauth:
+  shibauth-emg:
     image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth:staging
     environment:
       APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
+      PROXY_USER_CATEGORY_ALLOW_RENDERER: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
+      PROXY_USER_CATEGORY_ALLOW_CACHE: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
     secrets:
       - source: EMG_SHIB_CERT
         target: SHIB_CERT
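Review bot: `PROXY_USER_CATEGORY_ALLOW_RENDERER` and `PROXY_USER_CATEGORY_ALLOW_CACHE` are not plain lists, because shib-apache.conf splices them into a `/.../` regex, and nothing here says so. A comment above them, e.g. `# regex alternation matched against the Oa-User-Category header; must be non-empty and must not contain "/"`, would prevent surprises. An empty value would presumably turn the pattern into one that matches every request. The two values are identical, so a note that they are expected to stay in step (or why they might diverge) would also help.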
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 8b7369b78f64805c9d7ec0eb6bad2fdde1759ace..2569b05f1cbbf6dd57c92c198088672a88a0cce9 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -18,10 +18,6 @@ http:
       basicAuth:
         realm: "PRISM View Server (PVS)"
         usersFile: "/run/secrets/BASIC_AUTH_USERS_AUTH"
-    shibAuth:
-      forwardAuth:
-        address: http://shibauth/secure/
-        trustForwardHeader: true
     compress:
       compress: {}
     redirect:
@@ -33,6 +29,7 @@ http:
           - GET
           - OPTIONS
           - POST
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - "*"
         accessControlMaxAge: 7200
         addVaryHeader: false
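Review bot: `accessControlAllowOriginList` with `"*"` lets any origin read responses from every router that uses `cors@file`, which in the staging compose file includes the Shibboleth, basic-auth and IP-whitelisted proxy routers. On the whitelisted proxy routes access appears to depend on network position rather than browser credentials, so a wildcard would let a page from any site, loaded by a client behind that proxy, read the data. Listing the expected client origins instead, e.g. `- "https://emg.pass.copernicus.eu"`, and setting `addVaryHeader: true` once more than one origin is listed, would keep the policy explicit. The `cors` middleware definition starts outside the hunk.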