LAMP App - How to enable mod_expires.c ?

  • nebulon (Staff) wrote (#7):

    That might be a great idea if that works out. Just trying to get it up and running in the package. One question though is about the login redirect URI back to the app. Given that this package is very generic, I am not sure if we should define a route for callback on behalf of the app (which might make it hard to use depending on the actual app/code running in this lamp instance) OR the admin is required to manually add an OpenID client via the dashboard, instead of pre-provisioning that.

    Any input here might help to decide on how to go about this.

    • nebulon (Staff) wrote (#8):

      Using an example setup, this works fine. Now we just need to decide if we should auto-provision oidc credentials with a fixed redirect callback URI or not.

      If we do not pre-provision it, the Cloudron access controls won't be applied 😕

      • chmod777 wrote (#9):

        @nebulon Awesome, glad you like the idea! And thanks for working on it. I was surprised there was no "pre-built" solution for securing a website with a login - sounds like this could be it!

        Please do not pre-provision the client data. My use case would be with Keycloak, so users are able to log in there and access a members-only website, as well as further services.

        I would like to have the possibility of users self-registering - which is impossible with Cloudron (atm).

        Is there no way to auto-provision it with the Cloudron data, but allow admins to edit the config? That way it would work "out-of-the-box" but could still be used with other IAMs.

        • chmod777 wrote (#10):

          @nebulon any (easy) way I could beta test this?

          • nebulon (Staff) wrote (#11):

            Yeah, the idea was to just set up an OIDC client credentials set with a redirect URI for the app, but not actually configuring the LAMP stack to also use this. Same as with LDAP credentials.

            You can test the branch from https://git.cloudron.io/packages/lamp-app/-/tree/oidc-support?ref_type=heads if you know your way around building a custom app.

            Once installed you have to create an OpenID client in your Cloudron dashboard with /secure/redirect_uri and put the following in /app/data/apache/app.conf:

            # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
            OIDCRedirectURI https://<your.lampapp.domain>/secure/redirect_uri
            OIDCCryptoPassphrase somethingsecret
            
            OIDCProviderMetadataURL https://<my.example.com>/.well-known/openid-configuration
            OIDCClientID <clientId>
            OIDCClientSecret <secret>
            

            Then restart the app and then you may put those two lines in any .htaccess within your public/ folder which you want to protect from public access:

            AuthType openid-connect
            Require valid-user
            
            • chmod777 wrote (#12):

              @nebulon, so I finally got around to testing this:

              Authentication works (nice!) but the redirect URL appends port 80 (https://lampoidc.mydomain.com:80/), which results in an SSL error (SSL_ERROR_RX_RECORD_TOO_LONG).

              Manually removing the port then loads the page.

              AI suggested adding this to the app.conf virtual host:

              UseCanonicalName Off
              UseCanonicalPhysicalPort Off

              which did not help...

              Any ideas?

              • girish (Staff) wrote (#13):

                Can you try with the latest package 5.0.3? I think yourls needed a similar fix in apache.

                • chmod777 wrote (#14):

                  @girish, I am not sure how to merge the update from the master to the oidc-support branch.

                  Would you be able to do that, so I can pull the branch again like I managed to do before?

                  • james (Staff) wrote (#15):

                    Hello @chmod777
                    I have rebased the oidc-support branch against the master branch.
                    You should be able to run git pull in the oidc-support branch now.

                    • chmod777 wrote (#16):

                      Unfortunately I get the same error with the updated package. Here is my current config:

                      OpenID Client on Cloudron:

                      https://lampoidc.mydomain.com/secure/redirect_uri
                      <clientId>
                      <secret>
                      

                      /app/data/apache/app.conf:

                      ServerName localhost
                      
                      <VirtualHost *:80>
                          ServerName localhost
                          UseCanonicalName Off
                          DocumentRoot /app/data/public
                      
                          LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
                          CustomLog "|/bin/cat" proxy
                          ErrorLog "|/bin/cat"
                      
                          <Directory /app/data/public>
                              Options +FollowSymLinks
                              AllowOverride All
                              Require all granted
                          </Directory>
                      
                          # Do not remove this include. It's required for your app to see the Real IP
                          Include "/app/code/apache/rpaf.conf"
                          # This line can be commented out, if you do no require PHPMyAdmin Access
                          Include "/app/code/apache/phpmyadmin.conf"
                      
                      </VirtualHost>
                      
                      # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
                      OIDCRedirectURI https://lampoidc.mydomain.com/secure/redirect_uri
                      OIDCCryptoPassphrase somethingsecret
                      
                      OIDCProviderMetadataURL https://my.mydomain.com/.well-known/openid-configuration
                      OIDCClientID <clientId>
                      OIDCClientSecret <secret>
                      

                      /app/data/public/.htaccess:

                      AuthType openid-connect
                      Require valid-user
                      

                      Any ideas?

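A check for the symptom reported in posts #12 and #16 (a redirect to https://…:80/), added here as an example and not part of any post or of the Cloudron package: it scans the Location headers of a login flow for an https URL pinned to port 80 and for a redirect_uri that differs from the registered one. The sample URLs are constructed; the /openid/auth path and the query values are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: Location headers as they might be collected by following
# the login flow one hop at a time. Hostnames come from the thread; the
# /openid/auth path and the CLIENT/CODE/STATE values are placeholders.
REGISTERED_REDIRECT_URI = "https://lampoidc.mydomain.com/secure/redirect_uri"
SAMPLE_LOCATIONS = [
    "https://my.mydomain.com/openid/auth?response_type=code&client_id=CLIENT"
    "&redirect_uri=https%3A%2F%2Flampoidc.mydomain.com%2Fsecure%2Fredirect_uri"
    "&state=STATE",
    "https://lampoidc.mydomain.com/secure/redirect_uri?code=CODE&state=STATE",
    "https://lampoidc.mydomain.com:80/",
]

# A scheme paired with the port conventionally used by the other scheme.
# A browser speaking TLS to a plain-HTTP port fails before any page loads.
WRONG_PORT = {"https": 80, "http": 443}


def audit_locations(locations, registered_redirect_uri):
    """Return (hop_index, problem) tuples for a chain of Location URLs."""
    findings = []
    for i, loc in enumerate(locations):
        url = urlsplit(loc)
        # Explicit port that contradicts the scheme, e.g. https://host:80/
        if url.port is not None and WRONG_PORT.get(url.scheme) == url.port:
            findings.append((i, f"{url.scheme} URL with explicit port {url.port}"))
        # The authorization request must carry exactly the registered
        # redirect_uri; providers compare it as a string.
        for sent in parse_qs(url.query).get("redirect_uri", []):
            if sent != registered_redirect_uri:
                findings.append((i, f"redirect_uri mismatch: {sent}"))
    return findings


if __name__ == "__main__":
    for hop, problem in audit_locations(SAMPLE_LOCATIONS, REGISTERED_REDIRECT_URI):
        print(f"hop {hop}: {problem}")
```

The hop index shows which side built the bad URL: a finding on the authorization request points at the redirect_uri the app sends, while a finding on the last hop points at how the app reconstructs the originally requested URL.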