LAMP App - How to enable mod_expires.c ?

M-arcus

I am trying to enable the expires module for apache2.

But if I try to do it via /app/data/run.sh or via the repair-mode, it tells me that the Apache2 mod folder is read-only.

How do I enable this module?

girish

@M-arcus I have pushed a new release which enables the apache module.

Currently, there is no way to enable modules on the fly. It has to be part of the package. Since expires is fairly standard, I added it to the package itself. Otherwise, we have to investigate what's the best approach for this.

M-arcus

@girish Thanks for the quick update.

Maybe you can symlink the apache2 folder to a writable folder inside /app

girish

Have to think about that because I think modules require not just configuration but also code to be installed via apt.

M-arcus

A bunch of mods are already installed, but not activated.

I would separate this into:

• Activating already installed mods
• Installing and activating new monds

chmod777

@girish, any updates on installing apache modules in the cloudron LAMP stack?

I would like to try https://github.com/OpenIDC/mod_auth_openidc in it

nebulon

That might be a great idea if that works out. Just trying to get it up and running in the package. One question though is about the login redirect URI back to the app. Given that this package is very generic, I am not sure if we should define a route for callback on behalf of the app (which might make it hard to use depending on the actual app/code running in this lamp instance) OR the admin is required to manually add an OpenID client via the dashboard, instead of pre-provisioning that.

Any input here might help to decide on how to go about this.

nebulon

Using an example setup, this works fine. Now we just need to decide if we should auto-provision oidc credentials with a fixed redirect callback URI or not.

If we do not pre-provision it, the Cloudron access controls won't be applied

chmod777

@nebulon awesome, glad you like the idea! and thanks for working on it. I was surprised there was no "pre-built" solution for securing a website with a login - sounds like this could be it!

Please do not pre-provision the client data. My use case would be with keycloak, so users are able to login there and access a members only website, as well as further services.

I would like to have the possibility of users self registering - which is impossible with cloudron (atm).

is there no way to auto-provision it with the cloudron data, but allow admins to edit the config? That way it would work "out-of-the-box" but could still be used with other IAMs.

chmod777

@nebulon any (easy) way I could beta test this?

nebulon

Yeah the idea was to just setup an oidc client credentials set with a redirect URI for the app, but not actually configuring the lamp stack to also use this. Same as with LDAP credentials.

You can test the branch from https://git.cloudron.io/packages/lamp-app/-/tree/oidc-support?ref_type=heads if you know your way around building a custom app.

Once installed you have to create an OpenID client in your Cloudron dashboard with /secure/redirect_uri and put the following in /app/data/apache/app.conf:

   # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<your.lampapp.domain>/secure/redirect_uri
OIDCCryptoPassphrase somethingsecret

OIDCProviderMetadataURL https://<my.example.com>/.well-known/openid-configuration
OIDCClientID <clientId>
OIDCClientSecret <secret>

Then restart the app and then you may put those two lines in any .htaccess within your public/ folder which you want to protect from public access:

AuthType openid-connect
Require valid-user