Using Nginx
Nginx doesn't support loading modules the way Apache does; it doesn't support dynamic loading at all, so it's necessary to compile all modules into the core.
We need these modules:
- ajp: support for Tomcat, https://github.com/yaoweibin/nginx_ajp_module
- shib: Shibboleth support, https://github.com/nginx-shib/nginx-http-shibboleth
- headers-more: for clearing Shibboleth headers (see below), https://github.com/openresty/headers-more-nginx-module
Good documentation (including installation) is in the Shibboleth module's repository.
See this gist as an example of a compilation script (it requires zlib-dev and libpcre3-dev to be installed, e.g. by `apt install zlib1g zlib1g-dev libpcre3 libpcre3-dev`).
```
sudo make install
```
Nginx is installed in /opt/nginx. On the Lindat server the nginx executable is symlinked to /usr/sbin/nginx and should be available globally in `$PATH`.
The init script from the Ubuntu distribution is slightly modified to take Nginx from /opt/nginx; see the gist. You can use the init script as expected to start, stop or restart Nginx:
```
/etc/init.d/nginx start|stop|restart
```
Part of sites-enabled/default-ssl (the `ssl_protocols` and `ssl_ciphers` lines are as deployed at the time; RC4 has since been prohibited by RFC 7465 and TLS 1.0/1.1 are deprecated, so do not copy those two lines into a new deployment):
```nginx
server {
    listen 443;
    server_name lindat.mff.cuni.cz localhost;
    root /var/www;
    index index.html index.htm;

    ssl on;
    ssl_certificate /etc/...nginx.pem;
    ssl_certificate_key /etc/...decrypted.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header 'Access-Control-Allow-Origin' "*";
    add_header 'Access-Control-Allow-Credentials' 'true';

    # redirect different legacy forms to repository/xmlui
    rewrite ^/xmlui(.*)$ /repository/xmlui$1 redirect;
    rewrite ^/repository.?$ /repository/xmlui/ redirect;
    rewrite ^/solr(.*)$ /repository/solr$1 redirect;
    rewrite ^/handle/(.*)$ /repository/xmlui/handle/$1 redirect;

    set $oai_index /repository/oai/request?verb=Identify;
    rewrite ^/oai$ $oai_index redirect;
    location /oai {
        return 301 https://$http_host/repository$request_uri;
    }
    rewrite ^/repository/oai$ $oai_index redirect;

    if ($http_accept ~ "(.*xml.cmdi.*)"){
        rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=cmdi&handle=$2? redirect;
    }
    if ($query_string ~* "format=cmdi"){
        rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=cmdi&handle=$2? redirect;
    }
    if ($query_string ~* "format=cite_(cmdi|bibtex|html)"){
        rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=%1&handle=$2? redirect;
    }

    location = / {
        return 301 /en;
    }
    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
        location ~ \.php$ {
            include process_php;
        }
    }

    location /repository {
        client_body_buffer_size 32K;
        client_max_body_size 4G;
        sendfile on;
        send_timeout 300s;
        ajp_keep_conn on;
        ajp_pass tomcats;

        location /repository/solr {
            satisfy any;
            auth_basic "Restricted App";
            auth_basic_user_file /etc/apache2/passwd/passwords;
            allow 127.0.0.1;
            deny all;
            ajp_keep_conn on;
            ajp_pass tomcats;
        }
        location /repository/JSON/solr/ {
            rewrite /repository/JSON/solr/(.*) /repository/solr/search/select/?q=*:*&rows=0&facet=on&wt=json&indent=true&facet.field=$1 break;
            proxy_pass http://localhost:8080;
        }
    }

    # add the repository paths that will be protected by Shibboleth
    location /repository/xmlui/shibboleth-login { include repository_auth; }
    location /xmlui/shibboleth-login { include repository_auth; }

    # remove the robots and favicon from the logs
    location ~ /robots.txt$ { access_log off; log_not_found off; }
    location ~ ^/favicon.ico$ { access_log off; log_not_found off; }

    # this prevents hidden files (beginning with a period) from being served
    location ~ /\. { access_log off; log_not_found off; deny all; }

    # FastCGI authorizer for the auth request module
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/opt/shibboleth-sp-fastcgi/shibauthorizer.sock;
    }

    # FastCGI responder
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/opt/shibboleth-sp-fastcgi/shibresponder.sock;
    }

    # Resources for the Shibboleth error pages
    location /shibboleth-sp {
        alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
    }

    include /opt/nginx/conf/proxies-enabled/*;
}
```
Supervisor is a tool for managing multiple applications and ensuring they keep running, similar to OpenRC or systemd in the Unix world.
We need to run:
- the Shibboleth SP daemon `shibd`
- and the Shibboleth FastCGI `authorizer` and `responder`
Config file from the Lindat server, /etc/supervisor/conf.d/shib_fastcgi.conf:
```ini
[program:shibboleth]
command=/opt/shibboleth-sp-fastcgi/sbin/shibd -F -f
stdout_logfile=/var/log/supervisor/shibd.log
stderr_logfile=/var/log/supervisor/shibd.error.log

[fcgi-program:shibauthorizer]
command=/opt/shibboleth-sp-fastcgi/lib/shibboleth/shibauthorizer
socket=unix:///opt/shibboleth-sp-fastcgi/shibauthorizer.sock
socket_owner=www-data:www-data
socket_mode=0660
user=www-data
stdout_logfile=/var/log/supervisor/shibauthorizer.log
stderr_logfile=/var/log/supervisor/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/opt/shibboleth-sp-fastcgi/lib/shibboleth/shibresponder
socket=unix:///opt/shibboleth-sp-fastcgi/shibresponder.sock
socket_owner=www-data:www-data
socket_mode=0660
user=www-data
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log
```
To "enable" Shibboleth you add a `shib_request /shibauthorizer` and, depending on the RequestMapper in shibboleth2.xml, a session or a particular user is enforced. EXCEPT that this alone is prone to header spoofing: the attributes reach the backend as ordinary request headers, so a client could supply them itself. Instead prepare a file that first clears those headers and only after that does the shib_request, and include this file, e.g. `include shibboleth_auth`. Some headers need to be cleared in every case and others depend on your attribute-map.xml: if an attribute is in your map, you need to clear its header.
2016-12-14: For any of this to work with recent versions of the https://github.com/nginx-shib/nginx-http-shibboleth module, add `shib_request_use_headers on` (see line 27 below).
shibboleth_auth:
```nginx
1  # wildcards (Shib-*) do not work, so every header is listed explicitly
2  more_clear_input_headers
3      Auth-Type
4      Shib-Application-Id
5      Shib-Assertion-01
6      Shib-Assertion-Count
7      Shib-Authentication-Instant
8      Shib-Authentication-Method
9      Shib-Authncontext-Class
10     Shib-Identity-Provider
11     Shib-Session-Id
12     Shib-Session-Index
13     Remote-User;
14
15 # Add your attributes here. They get introduced as headers
16 # by the FastCGI authorizer, so we must prevent spoofing.
17 # Get these from the Shibboleth attribute-map.xml:
18 # xmllint --xpath '//@id' /opt/shibboleth-sp/etc/shibboleth/attribute-map.xml | sed -e 's/ /\n/g' -e's/id=//g' -e "s/\"/'/g" | sort -u | paste -d" " -s
19 more_clear_input_headers 'affiliation' 'assurance' 'cn' 'eduPersonOrgUnitDN' 'eduPersonStudyiProgramme' 'eduPersonStudySubject' 'entitlement' 'eppn' 'givenName' 'mail' 'o' 'ou' 'persistent-id' 'sn' 'telephoneNumber' 'unscoped-affiliation';
20
21 # Require https and redirect otherwise
22 if ($https != "on") {
23     return 301 https://$http_host$request_uri;
24 }
25
26 shib_request /shibauthorizer;
27 shib_request_use_headers on;
28
```
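As an added example (not code from the Lindat wiki or the Shibboleth project), this Python script generates the shibboleth_auth include from an attribute-map.xml: it extracts the attribute ids the way the xmllint pipeline in the comment above does, de-duplicates them, and always emits the clearing directives before `shib_request`; the attribute-map content is a constructed sample.

```python
# Added example (not Lindat's or Shibboleth's own code): automates the xmllint pipeline
# from the page and emits the header-clearing directives that must precede shib_request.
import xml.etree.ElementTree as ET

# Headers the Shibboleth SP FastCGI authorizer sets; cleared in every case (from the page).
FIXED_HEADERS = [
    "Auth-Type", "Shib-Application-Id", "Shib-Assertion-01", "Shib-Assertion-Count",
    "Shib-Authentication-Instant", "Shib-Authentication-Method", "Shib-Authncontext-Class",
    "Shib-Identity-Provider", "Shib-Session-Id", "Shib-Session-Index", "Remote-User",
]

def attribute_ids(attribute_map_xml):
    """Sorted, de-duplicated id values of every <Attribute> element (namespace-agnostic)."""
    root = ET.fromstring(attribute_map_xml)
    ids = set()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Attribute" and el.get("id"):
            ids.add(el.get("id"))
    return sorted(ids)

def render_shibboleth_auth(attribute_map_xml):
    """Render the include: clear headers first, force HTTPS, then call the authorizer."""
    lines = [
        "# wildcards (Shib-*) do not work, so every header is listed explicitly",
        "more_clear_input_headers " + " ".join(FIXED_HEADERS) + ";",
    ]
    attr_ids = attribute_ids(attribute_map_xml)
    if attr_ids:
        lines.append("# ids from attribute-map.xml; the authorizer turns each into a header")
        lines.append("more_clear_input_headers " + " ".join("'%s'" % i for i in attr_ids) + ";")
    lines += [
        'if ($https != "on") {',
        "    return 301 https://$http_host$request_uri;",
        "}",
        "shib_request /shibauthorizer;",
        "shib_request_use_headers on;",
    ]
    return "\n".join(lines) + "\n"

# Constructed sample in attribute-map.xml format; one id mapped from two attribute
# names (OID and mace) shows why the ids must be de-duplicated, as `sort -u` does.
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
</Attributes>"""

if __name__ == "__main__":
    print(render_shibboleth_auth(SAMPLE_ATTRIBUTE_MAP))
```

Point it at the real /opt/shibboleth-sp/etc/shibboleth/attribute-map.xml and write the output to the file you `include`, regenerating it whenever the map changes.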