Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Directory structure

├── app
│   └── start.sh
├── build_opoidc-rp.sh
├── config
│   └── etccerts
│       ├── poundrp.inacademia.local.crt
│       │   └── pound.cfg
│       └── ssl
│           └── private
│               ├── oprp.inacademia.local.crtkey
│               ├── op.inacademia.local.key
│   └── rp.conf
│               └── server.pem
├── Dockerfile
└── run_opoidc-rp.sh


The Dockerfile is the basis for the Docker image to be built. The build_rp.sh and run_rp.sh scripts build and run the Docker image respectively. The run_rp.sh script tests whether the image already exists and, if not, tries to build it before running it.

The config directory contains two subdirectories.

...

contains the certs and the rp configuration (rp.conf)

  • config has only one subdirectory, etccert, which gets copied into the etc the /etc/apache2/ssl/ directory of the Docker image
  • the pound directory holds the pound config file
  • the ssl directory holds the HTTPS certificates and a server.pem file which concatenates certificate and key (and, if needed, the intermediate cert), as pound wants all certs in one file. It also contains rp.conf, which gets copied into /etc/apache2/sites-enabled/. rp.conf contains the VirtualHost configuration parameters for OIDC communication between the RP and the OP.
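
An added example (not one of the page's own scripts) of the run-script behaviour described above (check for the image, build it if missing, then run it) together with assembling the single server.pem that pound expects; the image name, container name and certificate path are placeholders:

```shell
#!/bin/sh
# Added example: run-script logic described on this page (check for the image, build it
# if missing, run it) plus assembly of the single server.pem that pound expects.
# Image name, container name and host paths are placeholders, not taken from the page.
set -eu

IMAGE="${IMAGE:-example/oidc-rp}"; NAME="${NAME:-oidc-rp}"; CERT_DIR="${CERT_DIR:-config/certs}"

# image_exists IMAGE: succeeds only if the image is already present locally.
image_exists() {
    docker image inspect "$1" >/dev/null 2>&1
}

# ensure_image IMAGE: build from the Dockerfile in the current directory when missing.
ensure_image() {
    if image_exists "$1"; then
        echo "image $1 present"
    else
        echo "image $1 missing, building"
        docker build -t "$1" .
    fi
}

# make_server_pem CERT KEY CHAIN OUT: pound wants certificate, private key and any
# intermediates in one file (pass "" as CHAIN when there is none). That file holds
# the private key, so it is written owner-only, and the key is checked against the
# certificate before the file is kept.
make_server_pem() {
    cert=$1; key=$2; chain=${3:-}; out=$4
    old_umask=$(umask); umask 077
    cat "$cert" "$key" > "$out"
    if [ -n "$chain" ] && [ -f "$chain" ]; then
        cat "$chain" >> "$out"
    fi
    umask "$old_umask"
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "private key does not match certificate, removing $out" >&2
            rm -f "$out"; return 1
        fi
    fi
}

# run_rp: what run_rp.sh does. Certificates go on the /etc/ssl volume the Dockerfile declares.
run_rp() {
    ensure_image "$IMAGE"
    docker run --rm --name "$NAME" -p 443:443 -v "$PWD/$CERT_DIR:/etc/ssl" "$IMAGE"
}
if [ "${1:-}" = run ]; then run_rp; fi   # usage: ./run_rp.sh run
```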

Dockerfile

The Dockerfile is completely self-contained: it builds the OP RP from the config directory and pulls the relevant repositories if needed.

Added version (current page):

FROM debian:stretch
MAINTAINER leifj@sunet.se
EXPOSE 443
RUN apt-get -y update && apt-get -y full-upgrade && apt-get -y autoremove && apt install -y pound ssl-cert
RUN apt-get -y clean
ADD app/start.sh /start.sh
COPY config/etc/pound/pound.cfg /etc/pound/pound.cfg
RUN chmod a+rx /start.sh
VOLUME /etc/ssl
ENV HTTP_PORT 80
ENV REWRITE_LOCATION 1
EXPOSE 443
ENTRYPOINT ["/start.sh"]

Removed version (previous page; its remaining lines follow further below):

FROM ubuntu:16.04
EXPOSE 443
RUN apt -y update
RUN apt -y dist-upgrade
RUN apt -y autoremove && apt install -y --no-install-recommends sudo dnsutils git software-properties-common apache2 wget

Now run the run script to build and run our Docker-based OP.

...

Removed version (previous page), continued:

RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.7/libapache2-mod-auth-openidc_2.3.7-1.xenial.1_amd64.deb
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.xenial.1_amd64.deb

RUN apt -y install ./libcjose0_0.5.1-1.xenial.1_amd64.deb
RUN apt -y install ./libapache2-mod-auth-openidc_2.3.7-1.xenial.1_amd64.deb

RUN a2enmod ssl
RUN a2enmod auth_openidc
RUN mkdir /etc/apache2/ssl

COPY config/certs/ /etc/apache2/ssl/
COPY config/rp.conf /etc/apache2/sites-enabled/

ENTRYPOINT service apache2 start && /bin/bash

Now run the build script to build our Docker-based RP.

Using the RP

Assuming your deployment went without errors, you can now run the OPRP. It should now be available at: https://oprp.inacademia.local/

By itself the OP cannot do much. If you have not started SVS yet, the OP will complain that it cannot reach the back-end.

As soon as you also start the SVS component, however, the OP proxies HTTPS requests to the SVS component and the responses back to the browser.

Similar to the last step of the SVS setup, this is now SaToSa complaining that you did not send a valid request.

...


To start the RP, launch your browser and go to https://rp.inacademia.local/

...
