96 lines
3.2 KiB
Plaintext
96 lines
3.2 KiB
Plaintext
LoadModule ssl_module modules/mod_ssl.so
|
|
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
|
LoadModule proxy_module modules/mod_proxy.so
|
|
LoadModule proxy_http_module modules/mod_proxy_http.so
|
|
LoadModule headers_module modules/mod_headers.so
|
|
|
|
LogLevel debug
|
|
|
|
Listen 443
|
|
# Redirect HTTP to HTTPS for auth.local
|
|
<VirtualHost *:80>
|
|
ServerName auth.local
|
|
Redirect permanent / https://auth.local/
|
|
</VirtualHost>
|
|
|
|
# Redirect HTTP to HTTPS for api.local
|
|
<VirtualHost *:80>
|
|
ServerName api.local
|
|
Redirect permanent / https://api.local/
|
|
</VirtualHost>
|
|
|
|
# Keycloak on auth.local
|
|
<VirtualHost *:443>
|
|
ServerName auth.local
|
|
ErrorLog ${APACHE_LOG_DIR}/auth_error.log
|
|
CustomLog ${APACHE_LOG_DIR}/auth_access.log combined
|
|
SSLEngine on
|
|
SSLCertificateFile /usr/local/apache2/conf/server.crt
|
|
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
|
|
|
|
# Proxy all traffic to Keycloak
|
|
ProxyPass / http://keycloak:8080/
|
|
ProxyPassReverse / http://keycloak:8080/
|
|
ProxyPreserveHost On
|
|
|
|
|
|
<Proxy *>
|
|
Require all granted
|
|
</Proxy>
|
|
|
|
RequestHeader set X-Forwarded-Proto "https"
|
|
RequestHeader set X-Forwarded-Port "443"
|
|
RequestHeader set X-Forwarded-Host "auth.local"
|
|
|
|
|
|
</VirtualHost>
|
|
|
|
# APIs on api.local
|
|
<VirtualHost *:443>
|
|
ServerName api.local
|
|
ErrorLog ${APACHE_LOG_DIR}/api_error.log
|
|
CustomLog ${APACHE_LOG_DIR}/api_access.log combined
|
|
|
|
SSLEngine on
|
|
SSLCertificateFile /usr/local/apache2/conf/server.crt
|
|
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
|
|
|
|
# OIDC config - point to Keycloak via auth.local
|
|
# Global OIDC configuration
|
|
OIDCProviderMetadataURL https://auth.local/realms/master/.well-known/openid-configuration
|
|
OIDCClientID soa
|
|
OIDCRedirectURI https://api.local/api/private/redirect
|
|
OIDCClientSecret mysecret
|
|
OIDCCryptoPassphrase fdfd8280-13b5-11f0-a320-080027e6dc53
|
|
OIDCPassClaimsAs headers
|
|
OIDCClaimPrefix OIDC-
|
|
OIDCPassUserInfoAs claims
|
|
OIDCRemoteUserClaim email
|
|
OIDCScope "openid email profile"
|
|
OIDCSessionInactivityTimeout 86400
|
|
OIDCSSLValidateServer Off
|
|
|
|
# Configure OAuth2 Bearer token validation (commented out - not available in this version)
|
|
# OIDCOAuth2IntrospectionEndpoint https://auth.local/realms/master/protocol/openid-connect/token/introspect
|
|
# OIDCOAuth2IntrospectionEndpointAuth client_secret_basic
|
|
# OIDCOAuth2IntrospectionClientID soa
|
|
# OIDCOAuth2IntrospectionClientSecret mysecret
|
|
|
|
# Proxy public API (no auth)
|
|
ProxyPass /api/public http://public_api:5001/api/public
|
|
ProxyPassReverse /api/public http://public_api:5001/api/public
|
|
|
|
# Proxy private API (supports both OIDC and Bearer tokens)
|
|
ProxyPass /api/private http://private_api:5002/api/private
|
|
ProxyPassReverse /api/private http://private_api:5002/api/private
|
|
|
|
<Location /api/private>
|
|
# Let Flask handle all authentication - pass through all requests
|
|
# Apache will only inject OIDC headers if user is already authenticated via OIDC
|
|
AuthType auth-openidc
|
|
OIDCUnAuthAction pass
|
|
Require all granted
|
|
|
|
# Don't modify the Authorization header - let it pass through naturally
|
|
</Location>
|
|
</VirtualHost> |