mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
36 lines
1.7 KiB
Plaintext
36 lines
1.7 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * authentication/identity_providers/configuring-request-header-identity-provider.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="identity-provider-apache-custom-proxy-configuration_{context}"]
|
|
= Custom proxy configuration
|
|
|
|
Using the `mod_auth_gssapi` module is a popular way to configure the Apache
|
|
authentication proxy using the request header identity provider; however, it is
|
|
not required. Other proxies can easily be used if the following requirements are
|
|
met:
|
|
|
|
* Block the `X-Remote-User` header from client requests to prevent spoofing.
|
|
* Enforce client certificate authentication in the `RequestHeaderIdentityProvider`
|
|
configuration.
|
|
* Require the `X-Csrf-Token` header be set for all authentication requests using
|
|
the challenge flow.
|
|
* Make sure only the `/oauth/authorize` endpoint and its subpaths are proxied;
|
|
redirects must be rewritten to allow the backend server to send the client to
|
|
the correct location.
|
|
* The URL that proxies to `\https://<namespace_route>/oauth/authorize` must end
|
|
with `/authorize` with no trailing slash. For example, `\https://proxy.example.com/login-proxy/authorize?...`
|
|
must proxy to `\https://<namespace_route>/oauth/authorize?...`.
|
|
+
|
|
* Subpaths of the URL that proxies to `\https://<namespace_route>/oauth/authorize`
|
|
must proxy to subpaths of `\https://<namespace_route>/oauth/authorize`. For
|
|
example, `\https://proxy.example.com/login-proxy/authorize/approve?...` must
|
|
proxy to `\https://<namespace_route>/oauth/authorize/approve?...`.
|
|
|
|
[NOTE]
|
|
====
|
|
The `\https://<namespace_route>` address is the route to the OAuth server and
|
|
can be obtained by running `oc get route -n openshift-authentication`.
|
|
====
|