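# ---- Global module loads, log level and listener ----
# NOTE(review): the mod_auth_openidc path is absolute (Debian/Ubuntu layout)
# while the others are relative to ServerRoot (httpd layout); both must
# resolve on the target image or httpd refuses to start.
LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

# Was `debug`. At that level mod_auth_openidc and mod_ssl can write request
# details (session/claim contents, bearer tokens, cookies) into the error
# log, which then becomes a credential store. Keep the global level low and
# raise it per module only while troubleshooting, e.g.
#   LogLevel warn auth_openidc:debug
LogLevel warn

# Only 443 is opened here. The *:80 redirect vhosts below rely on `Listen 80`
# coming from the main server config; add it here if that is not the case.
Listen 443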
# auth.local over plain HTTP is never served; every request is bounced to
# the TLS vhost (the request path is carried over by Redirect).
<VirtualHost *:80>
    ServerName auth.local
    Redirect 301 / https://auth.local/
</VirtualHost>
# api.local over plain HTTP is never served; every request is bounced to
# the TLS vhost (the request path is carried over by Redirect).
<VirtualHost *:80>
    ServerName api.local
    Redirect 301 / https://api.local/
</VirtualHost>
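# ---- Keycloak on auth.local (TLS terminated here, plain HTTP to Keycloak) ----
<VirtualHost *:443>
    ServerName auth.local
    ErrorLog ${APACHE_LOG_DIR}/auth_error.log
    CustomLog ${APACHE_LOG_DIR}/auth_access.log combined

    SSLEngine on
    # Same key pair as the api.local vhost; it must carry auth.local as a SAN
    # for the OIDC/introspection calls from api.local to validate it.
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    # Pin browsers to TLS for this host; the :80 vhost only redirects, so
    # nothing is lost.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Everything under / is forwarded, so Keycloak's admin console and the
    # master realm endpoints are reachable from wherever this vhost is.
    # Restrict by source or move the admin console to a separate hostname if
    # that is not intended. The keycloak:8080 listener must not be reachable
    # except through this proxy, since it will trust the X-Forwarded-* values
    # that are only guaranteed to be set here.
    ProxyPass / http://keycloak:8080/
    ProxyPassReverse / http://keycloak:8080/
    # Keycloak derives issuer/redirect URLs from Host; keep the client's value.
    ProxyPreserveHost On

    <Proxy *>
        Require all granted
    </Proxy>

    # `set` (not `append`/`merge`) replaces any X-Forwarded-* header the
    # client sent, so a caller cannot make Keycloak believe the request was
    # plain HTTP or arrived at a different host/port. Keycloak itself still
    # has to be configured to honour forwarded headers from this proxy.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Host "auth.local"
</VirtualHost>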
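# ---- APIs on api.local: public backend unauthenticated, private backend
#      behind an OIDC browser session or an OAuth 2.0 bearer token ----
<VirtualHost *:443>
    ServerName api.local
    ErrorLog ${APACHE_LOG_DIR}/api_error.log
    CustomLog ${APACHE_LOG_DIR}/api_access.log combined

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    # Pin browsers to TLS for this host; the :80 vhost only redirects.
    Header always set Strict-Transport-Security "max-age=31536000"

    # ---- OIDC relying-party config: Keycloak master realm via auth.local ----
    OIDCProviderMetadataURL https://auth.local/realms/master/.well-known/openid-configuration
    OIDCClientID soa
    # Must stay inside the protected <Location> below so that mod_auth_openidc,
    # not the proxied backend, handles the callback.
    OIDCRedirectURI https://api.local/api/private/redirect
    # TODO(security): the next two lines are credentials sitting in a config
    # file that is normally world-readable. Move them out of the file, e.g.
    # `OIDCClientSecret ${OIDC_CLIENT_SECRET}` with the variable exported to
    # httpd's environment, or an Include of a root-only file.
    OIDCClientSecret mysecret
    OIDCCryptoPassphrase fdfd8280-13b5-11f0-a320-080027e6dc53

    # Claims reach the backend as request headers named `OIDC-<claim>`; on
    # protected paths mod_auth_openidc strips any such header a client sent.
    OIDCPassClaimsAs headers
    OIDCClaimPrefix OIDC-
    OIDCPassUserInfoAs claims
    # REMOTE_USER is taken from `email`. Keycloak asserts verification through
    # the separate `email_verified` claim, which nothing here checks.
    OIDCRemoteUserClaim email
    OIDCScope "openid email profile"
    # Idle timeout, seconds (24h).
    OIDCSessionInactivityTimeout 86400

    # Was `Off`, which let anything able to answer for auth.local (DNS, ARP,
    # a rogue container on the same network) hand us provider metadata, JWKS,
    # tokens and introspection results unchallenged. Validate, trusting the
    # certificate auth.local actually serves (the same file this vhost uses).
    # If that certificate is issued by an internal CA, point OIDCCABundlePath
    # at the CA bundle instead; in both cases it must name auth.local as a SAN.
    OIDCSSLValidateServer On
    OIDCCABundlePath /usr/local/apache2/conf/server.crt

    # ---- OAuth 2.0 bearer-token validation (RFC 7662 introspection) ----
    # The directive family is `OIDCOAuth*`; the `OIDCOAuth2*` spellings that
    # were here are not directives mod_auth_openidc defines, and httpd rejects
    # unknown directives at startup. Introspection uses the same client.
    OIDCOAuthIntrospectionEndpoint https://auth.local/realms/master/protocol/openid-connect/token/introspect
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    OIDCOAuthClientID soa
    OIDCOAuthClientSecret mysecret

    # Proxy public API (no auth). The prefix has no trailing slash, so
    # `/api/publicX` also matches and becomes `/X` on the backend. No header
    # scrubbing happens on this path: a client can send `OIDC-*` or `X-User-*`
    # headers straight through, so the public backend must not trust them.
    ProxyPass /api/public http://public_api:5001/
    ProxyPassReverse /api/public http://public_api:5001/

    # Proxy private API (OIDC session or OAuth 2.0 bearer token)
    ProxyPass /api/private http://private_api:5002/api/private
    ProxyPassReverse /api/private http://private_api:5002/api/private

    <Location /api/private>
        # auth-openidc accepts either an OIDC session cookie or a bearer token.
        AuthType auth-openidc
        Require valid-user

        # Unauthenticated requests are sent into the OIDC login flow;
        # authenticated-but-unauthorized ones get a 401 instead of a login loop.
        OIDCUnAuthAction auth
        OIDCUnAutzAction 401

        # Copy identity claims into the header names the backend expects.
        # mod_headers' %{NAME}i reads the *request header* NAME; with
        # OIDCPassClaimsAs headers and OIDCClaimPrefix OIDC- the claims are the
        # headers `OIDC-email` and `OIDC-preferred_username`. The previous
        # `%{HTTP_OIDC_EMAIL}i` named a header that never exists, so the
        # backend received empty values. `set` overwrites anything a client
        # sent under these names.
        RequestHeader set X-User-Email "%{OIDC-email}i"
        RequestHeader set X-User-Name "%{OIDC-preferred_username}i"

        # Claims returned by token introspection are passed under the same
        # OIDCClaimPrefix (presumably — confirm against the module version in
        # use), so the bearer-token headers are fed from the same source.
        RequestHeader set X-OAuth2-Email "%{OIDC-email}i"
        RequestHeader set X-OAuth2-Username "%{OIDC-preferred_username}i"
    </Location>
</VirtualHost>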