7.5.6. Example Apache authentication configuration using request header
This example configures an Apache authentication proxy for the OpenShift Container Platform using the request header identity provider.
7.5.6.1. Custom proxy configuration 复制链接链接已复制到粘贴板!
复制链接链接已复制到粘贴板!
Using the mod_auth_gssapi module is a popular way to configure the Apache authentication proxy using the request header identity provider; however, it is not required. Other proxies can easily be used if the following requirements are met:
-
Block the
X-Remote-Userheader from client requests to prevent spoofing. -
Enforce client certificate authentication in the
RequestHeaderIdentityProviderconfiguration. -
Require the
X-Csrf-Tokenheader be set for all authentication requests using the challenge flow. -
Make sure only the
/oauth/authorizeendpoint and its subpaths are proxied; redirects must be rewritten to allow the backend server to send the client to the correct location. -
The URL that proxies to
https://<namespace_route>/oauth/authorizemust end with/authorizewith no trailing slash. For example,https://proxy.example.com/login-proxy/authorize?…must proxy tohttps://<namespace_route>/oauth/authorize?…. -
Subpaths of the URL that proxies to
https://<namespace_route>/oauth/authorizemust proxy to subpaths ofhttps://<namespace_route>/oauth/authorize. For example,https://proxy.example.com/login-proxy/authorize/approve?…must proxy tohttps://<namespace_route>/oauth/authorize/approve?….
注意
The https://<namespace_route> address is the route to the OAuth server and can be obtained by running oc get route -n openshift-authentication.