cod*_*ent 5 apache apache-modules openid-connect keycloak
我正在尝试将mod_auth_openidc 模块添加到在 Docker 上运行的 Apache 服务器。添加后LoadModule auth_openidc_module modules/mod_auth_openidc.so,我创建图像并运行它,收到此错误:
httpd: Syntax error on line 69 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/mod_auth_openidc.so into server: libcjose.so.0: cannot open shared object file: No such file or directory
所以我下载了该依赖项并添加了必要的 LoadModule 语句:
LoadModule libcjose_module modules/libcjose.so.0
现在错误是关于 libjansson.so.4 的:
httpd: Syntax error on line 68 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/libcjose.so.0 into server: libjansson.so.4: cannot open shared object file: No such file or directory
我重复了前面的步骤,从https://packages.debian.org/wheezy/libjansson4下载 libjansson.so.4 ,将其添加到 Dockerfile、Apache 配置LoadModule libjansson_module modules/libjansson.so.4和:
httpd: Syntax error on line 67 of /usr/local/apache2/conf/httpd.conf: Can't locate API module structure `libjansson_module' in file /usr/local/apache2/modules/libjansson.so.4: /usr/local/apache2/modules/libjansson.so.4: undefined symbol: libjansson_module
那么我怎样才能加载jansson模块呢???
这是我的Dockerfile:
FROM httpd:2.4
RUN apt-get update && apt-get install -y \
curl
COPY ./libjansson.so.4 /usr/local/apache2/modules/libjansson.so.4
COPY ./libcjose.so.0 /usr/local/apache2/modules/libcjose.so.0
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
和httpd.conf:
LoadModule libjansson_module modules/libjansson.so.4
LoadModule libcjose_module modules/libcjose.so.0
LoadModule auth_openidc_module modules/mod_auth_openidc.so
2021 年,zmartzone 模块将作为 Debian 软件包提供。所以我能够使用简单的 Dockerfile 构建图像,但我只需要 https(而不是 php 等)。我选择使用httpd buster基础镜像,buster中的zmartzone包版本是2.3.10.2-1,今天最新最好的是2.4.9.4。这是我的 Dockerfile,只需要两个命令:
# Build image with Apache HTTPD and OpenID connect module
FROM httpd:2.4-buster
RUN apt-get update && \
apt-get install --no-install-recommends -y \
ca-certificates libapache2-mod-auth-openidc
# leave entrypoint etc. unchanged from base image
我完全不明白的一件事是,apache httpd 基本映像中包含模块,/usr/local/apache2/modules但该软件包将 auth_openidc_module 安装在/usr/lib/apache2/modules. 也许有人可以向我解释一下?
无论如何,尝试使这个答案完整,使用此图像需要更改基本图像文件/usr/local/apache2/httpd.conf和/usr/local/apache2/extra/httpd-ssl.conf. 这是第一组差异:
% diff httpd.conf.orig httpd.conf
94c98
< #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
---
> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
142c146
< #LoadModule proxy_module modules/mod_proxy.so
---
> LoadModule proxy_module modules/mod_proxy.so
161c165
< #LoadModule ssl_module modules/mod_ssl.so
---
> LoadModule ssl_module modules/mod_ssl.so
199a204
> LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
241c246
< #ServerName www.example.com:80
---
> ServerName server.my.company.com:80
541c546
< #Include conf/extra/httpd-ssl.conf
---
> Include conf/extra/httpd-ssl.conf
还有额外的/httpd-ssl.conf:
% diff httpd-ssl.conf.orig httpd-ssl.conf
125c129
< ServerName www.example.com:443
---
> ServerName server.my.company.com:443
290c294,319
< </VirtualHost>
---
> OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration
> OIDCClientID my-company-client-id
> OIDCClientSecret my-company-client-scret
> OIDCRedirectURI https://server.my.company.com/secure/redirect_uri
> OIDCCryptoPassphrase my-company-crypto-passphrase
>
> <Location /secure>
> AuthType openid-connect
> Require valid-user
> </Location>
>
> </VirtualHost>
如果您的容器不信任 OIDC 服务器使用的证书,尽管安装了软件包 ca-certificates,您可能必须将此条目添加到您的httpd-ssl.conf文件中,但这是一个丑陋的黑客:
# https://github.com/zmartzone/mod_auth_openidc/issues/56
OIDCSSLValidateServer Off
在我的部署中,我选择将这些 httpd 配置文件安装到容器中,这样可以避免将 OID 客户端机密构建到 docker 映像中。这是一个示例 docker-compose.yml,在线image使用您应用于从上面显示的 Dockerfile 构建的图像的标签:
version: "3"
services:
# httpd starts as root, binds ports then switches to daemon (UID 1)
httpd:
image: httpd-openidc:local
ports:
- 80:80
- 443:443
volumes:
- /Users/me/apache-httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf
- /Users/me/apache-httpd/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf
- /Users/me/apache-httpd/my-dev.key:/usr/local/apache2/conf/server.key
- /Users/me/apache-httpd/my-dev.crt:/usr/local/apache2/conf/server.crt
到目前为止效果很好,HTH
(2022 年 1 月更新以安装 ca 证书,感谢 @uupascal!)
我没有手动下载必要的库,而是将该进程移至 Dockerfile,现在图像已正确创建:
FROM httpd:2.4
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./server.crt /usr/local/apache2/conf/
COPY ./server.key /usr/local/apache2/conf/
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so
RUN apt-get update && apt-get install -y curl && apt-get install -y libjansson4 && apt-get install -y wget && apt-get install -y libhiredis0.10 && apt-get install -y apache2-bin
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.jessie.1_amd64.deb && dpkg -i libcjose0_0.5.1-1.jessie.1_amd64.deb
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.3/libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \
dpkg -i libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb