How to install mod_auth_openidc module in an Apache server running on Docker

Solution 1:

In 2021 the zmartzone module is available as a Debian package, so I was able to build an image using a simple Dockerfile; I only need HTTPS (not PHP etc.). I chose to use the httpd buster base image; in buster the zmartzone package version is 2.3.10.2-1, while the latest and greatest today is 2.4.9.4. Here's my Dockerfile, only two commands required:

# Build image with Apache HTTPD and OpenID Connect module
FROM httpd:2.4-buster

# Install the Debian-packaged module plus the system CA bundle (the module's
# libcurl needs it to validate the OIDC provider's certificate), then drop the
# apt lists so they do not end up in the image layer.
RUN apt-get update && \
    apt-get install --no-install-recommends -y \
    ca-certificates libapache2-mod-auth-openidc && \
    rm -rf /var/lib/apt/lists/*

# leave entrypoint etc. unchanged from base image

One thing I completely don't understand: the Apache httpd base image has its modules in /usr/local/apache2/modules, but the package installs auth_openidc_module in /usr/lib/apache2/modules. Maybe someone can explain that to me?

Anyhow, trying to make this answer complete: using this image requires changes to the base image files /usr/local/apache2/httpd.conf and /usr/local/apache2/extra/httpd-ssl.conf. Here is the first set of diffs:

% diff httpd.conf.orig httpd.conf 
94c98
< #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
---
> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
142c146
< #LoadModule proxy_module modules/mod_proxy.so
---
> LoadModule proxy_module modules/mod_proxy.so
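Review bot: mod_auth_openidc does not depend on mod_proxy, and nothing else in this diff configures a ProxyPass, so this hunk loads a module that is never used. Leave `#LoadModule proxy_module modules/mod_proxy.so` commented out unless /secure is actually reverse-proxied to a backend; the fewer modules loaded in an internet-facing httpd, the smaller its attack surface.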
161c165
< #LoadModule ssl_module modules/mod_ssl.so
---
> LoadModule ssl_module modules/mod_ssl.so
199a204
> LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
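Review bot: the absolute path in this hunk is what makes the Debian package work with this base image, and it also answers the question about the two module directories: the other LoadModule lines use `modules/...`, which httpd resolves relative to ServerRoot (/usr/local/apache2, where the official image compiled httpd from source), whereas Debian's libapache2-mod-auth-openidc installs its .so into the distro's own /usr/lib/apache2/modules. Either keep the absolute path or symlink the .so into /usr/local/apache2/modules, and check `httpd -M` (or the container's first log lines) for auth_openidc_module after building, since a missing shared-library dependency of the .so only surfaces when httpd tries to load it.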
241c246
< #ServerName www.example.com:80
---
> ServerName server.my.company.com:80
541c546
< #Include conf/extra/httpd-ssl.conf
---
> Include conf/extra/httpd-ssl.conf

Also extra/httpd-ssl.conf:

% diff httpd-ssl.conf.orig httpd-ssl.conf
125c129
< ServerName www.example.com:443
---
> ServerName server.my.company.com:443
290c294,319
< </VirtualHost>                                  
---
> OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration
> OIDCClientID my-company-client-id
> OIDCClientSecret my-company-client-scret
> OIDCRedirectURI https://server.my.company.com/secure/redirect_uri
> OIDCCryptoPassphrase my-company-crypto-passphrase
> 
> <Location /secure>
>    AuthType openid-connect
>    Require valid-user
> </Location>
> 
> </VirtualHost>
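Review bot: OIDCClientSecret and OIDCCryptoPassphrase are literal values in this hunk (`OIDCClientSecret my-company-client-scret` also looks like a mistyped placeholder). OIDCCryptoPassphrase protects the module's state and session cookies, so it should be a long random value rather than a recognizable phrase, and both secrets are better supplied through httpd's `${VAR}` expansion from the container environment (e.g. `OIDCClientSecret ${OIDC_CLIENT_SECRET}`) than written into a file that gets copied or mounted around. The redirect URI /secure/redirect_uri correctly sits inside the protected <Location /secure>, which the module requires; just make sure no real content is served at that path, because the module intercepts it.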

If your container does not trust the certificate used by your OIDC server, despite installing the ca-certificates package, you may have to add this entry to your httpd-ssl.conf file, but it's an ugly hack:

# https://github.com/zmartzone/mod_auth_openidc/issues/56
OIDCSSLValidateServer Off

In my deployment I chose to mount those httpd config files into the container, which avoids building the OID client secrets into the Docker image. Here's a sample docker-compose.yml; on the image line use the tag you applied to the image built from the Dockerfile shown above:

version: "3"
services:
  # httpd starts as root, binds ports then switches to daemon (UID 1)
  httpd:
    image: httpd-openidc:local
    ports:
      - 80:80
      - 443:443
    volumes:
      - /Users/me/apache-httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf
      - /Users/me/apache-httpd/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf
      - /Users/me/apache-httpd/my-dev.key:/usr/local/apache2/conf/server.key
      - /Users/me/apache-httpd/my-dev.crt:/usr/local/apache2/conf/server.crt

So far this works fine, HTH

(Updated Jan 2022 to install ca-certificates, thanks @uupascal!)
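The following is an added example, not part of the answer above or of the mod_auth_openidc project: a small static checker for the OIDC settings discussed in this answer. It runs over two constructed configuration samples, the settings from the diffs above together with the OIDCSSLValidateServer Off hack, and a hardened variant that keeps validation on and takes OIDCClientSecret and OIDCCryptoPassphrase from httpd's `${VAR}` environment expansion (assumed to be set via docker-compose `environment:`, with the provider's CA added to the container trust store). The placeholder word list, the 32-character passphrase minimum and the sample secret values are assumptions of this example; the module itself only requires a non-empty passphrase. The redirect-URI check reflects the module's documented requirement that the redirect URI point into a location protected by the module.

```python
"""Static checks for mod_auth_openidc settings (added example, not the page's code)."""
import re
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample 1: the directives from the answer's diff, plus the
# "ugly hack" that turns off validation of the provider's certificate.
WEAK_CONF = """\
<VirtualHost _default_:443>
ServerName server.my.company.com:443
OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration
OIDCClientID my-company-client-id
OIDCClientSecret my-company-client-scret
OIDCRedirectURI https://server.my.company.com/secure/redirect_uri
OIDCCryptoPassphrase my-company-crypto-passphrase
OIDCSSLValidateServer Off

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>
</VirtualHost>
"""

# Constructed sample 2: same layout, secrets supplied as ${VAR} references that
# httpd expands from its process environment, validation left at its default.
HARDENED_CONF = WEAK_CONF.replace(
    "OIDCClientSecret my-company-client-scret",
    "OIDCClientSecret ${OIDC_CLIENT_SECRET}",
).replace(
    "OIDCCryptoPassphrase my-company-crypto-passphrase",
    "OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}",
).replace("OIDCSSLValidateServer Off\n", "")

MIN_PASSPHRASE = 32  # assumed local policy, not a module requirement
PLACEHOLDER = re.compile(r"my-company|example|changeme|secret|passphrase", re.I)
DIRECTIVE_RE = re.compile(r"^\s*(OIDC\w+)\s+(.+?)\s*$")
LOCATION_RE = re.compile(r"^\s*<Location\s+(\S+?)\s*>", re.I)
END_LOCATION_RE = re.compile(r"^\s*</Location>", re.I)
AUTHTYPE_RE = re.compile(r"^\s*AuthType\s+openid-connect\s*$", re.I)
VAR_RE = re.compile(r"\$\{(\w+)\}")


def expand(value: str, env: Dict[str, str]) -> str:
    """Mimic httpd's ${VAR} expansion; an unset variable expands to ''."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), ""), value)


def parse(conf: str, env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Collect OIDC* directives and the <Location> prefixes protected by the module."""
    directives: Dict[str, str] = {}
    protected: List[str] = []
    current: Optional[str] = None
    current_protected = False
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LOCATION_RE.match(line)
        if m:
            current, current_protected = m.group(1), False
            continue
        if END_LOCATION_RE.match(line):
            if current is not None and current_protected:
                protected.append(current)
            current = None
            continue
        if current is not None and AUTHTYPE_RE.match(line):
            current_protected = True
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = expand(m.group(2), env)
    return directives, protected


def lint(conf: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    d, protected = parse(conf, env or {})
    findings: List[str] = []
    for name in ("OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
                 "OIDCRedirectURI", "OIDCCryptoPassphrase"):
        if not d.get(name):
            findings.append(f"{name}: missing, or its ${{VAR}} is unset in the environment")
    if d.get("OIDCSSLValidateServer", "On").lower() == "off":
        findings.append("OIDCSSLValidateServer Off: provider certificate is not validated; trust the CA instead")
    for name in ("OIDCProviderMetadataURL", "OIDCRedirectURI"):
        if d.get(name) and not d[name].startswith("https://"):
            findings.append(f"{name}: not https")
    for name in ("OIDCClientSecret", "OIDCCryptoPassphrase"):
        if d.get(name) and PLACEHOLDER.search(d[name]):
            findings.append(f"{name}: looks like a placeholder")
    pw = d.get("OIDCCryptoPassphrase", "")
    if pw and len(pw) < MIN_PASSPHRASE:
        findings.append(f"OIDCCryptoPassphrase: shorter than {MIN_PASSPHRASE} characters")
    uri = d.get("OIDCRedirectURI", "")
    if uri:
        path = urlsplit(uri).path  # must live inside a module-protected Location
        if not any(path == p or path.startswith(p.rstrip("/") + "/") for p in protected):
            findings.append("OIDCRedirectURI: not under a <Location> with AuthType openid-connect")
    return findings


def generate_passphrase(nbytes: int = 32) -> str:
    """Random value for OIDC_CRYPTO_PASSPHRASE (URL-safe, no quoting issues in httpd.conf)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    env = {"OIDC_CLIENT_SECRET": "q7Lw2pX9vR4tBn6mZc1KdH8sYe3JaF0G",  # constructed value
           "OIDC_CRYPTO_PASSPHRASE": generate_passphrase()}
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf, env) or ["OK"])
```

Run it against the real mounted httpd-ssl.conf by reading the file into lint() with the same environment you pass to the container; an unset variable shows up as a "missing" finding rather than silently producing an empty OIDCClientSecret at runtime.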

Solution 2:

Instead of manually downloading the necessary libraries I moved that process into the Dockerfile; now the image is created correctly:

FROM httpd:2.4

COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./server.crt /usr/local/apache2/conf/
COPY ./server.key /usr/local/apache2/conf/
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so

# Runtime dependencies of the module, installed in a single layer
# (wget pulls in ca-certificates, which the GitHub download below needs)
RUN apt-get update && \
    apt-get install -y curl wget libjansson4 libhiredis0.10 apache2-bin && \
    rm -rf /var/lib/apt/lists/*

# Module packages for jessie from the project's GitHub releases; libcjose must
# be installed before the module that depends on it. No checksum is verified
# here, so pin and verify these downloads before using the image in production.
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.jessie.1_amd64.deb && \
    dpkg -i libcjose0_0.5.1-1.jessie.1_amd64.deb && \
    rm libcjose0_0.5.1-1.jessie.1_amd64.deb
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.3/libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \
    dpkg -i libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \
    rm libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb