Apache HTTP Server

image0

Presentation

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0.

It can be used to protect applications and transmit user identity information to them through HTTP headers.

Apache is highly customizable and can protect applications in many different ways.

Handler

LemonLDAP::NG can be directly integrated into Apache to protect applications using Perl rules.

The LemonLDAP::NG Handler uses mod_perl.

See the Virtual Hosts documentation for details.

mod_auth_mellon

You can use mod_auth_mellon as an alternative to the LemonLDAP::NG handler if you do not want to use mod_perl.

You first need to enable the SAML Issuer.

First, download the metadata file from LemonLDAP::NG

wget -O /etc/apache2/idp-metadata.xml https://auth.example.com/saml/metadata/idp

Location parameters

<Location /secured>
    Require valid-user
    AuthType "Mellon"

    MellonEnable "auth"
    MellonEndpointPath "/secured/saml"
    MellonIDPMetadataFile /etc/apache2/idp-metadata.xml

    # Certificate for signing SAML requests
    MellonSPPrivateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    MellonSPCertFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    </Location>

You can then obtain the SAML SP metadata at https://apache.example.com/secured/saml/metadata, you need to input it in LemonLDAP::NG when creating the SAML service provider configuration.

mod_auth_openidc

You can use mod_auth_openidc as an alternative to the LemonLDAP::NG handler if you do not want to use mod_perl.

You first need to enable the OpenID Connect Issuer.

VirtualHosts parameters

# Apache-specific configuration
OIDCCryptoPassphrase changeme
OIDCRedirectURI https://apache.example.com/secret/oauth2callback

# URL of LemonLDAP::NG OIDC metadata
OIDCProviderMetadataURL https://auth.example.com/.well-known/openid-configuration
# Client ID and client secret from LemonLDAP::NG configuration
OIDCClientID testrp
OIDCClientSecret testrp

Location parameters

<Location /secured>
      AuthType openid-connect
      Require valid-user
</Location>

mod_auth_cas

You can use mod_auth_cas as an alternative to the LemonLDAP::NG handler if you do not want to use mod_perl.

You first need to enable the CAS Issuer.

Global parameters

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://auth.example.com/cas/login
CASValidateURL https://auth.example.com/cas/serviceValidate

VirtualHosts parameters

<Location /secured>
            Authtype CAS
            Require valid-user
</Location>