Anna-Maria Tipotsch / Nginx Http Shibboleth / Commits / 2c3a5d0c

Commit 2c3a5d0c, authored 8 years ago by David Beitey
Parent: 22fcefa3

Replace non-working clear_input_headers, fixes #13
Changes: 2 files, 21 additions and 9 deletions (CONFIG.rst +2 −3, README.rst +19 −6)
CONFIG.rst (+2 −3) @ 2c3a5d0c
...
...
@@ -157,8 +157,7 @@ variables are passed around as headers.
#A secured location. Here all incoming requests query the
#FastCGI authorizer. Watch out for performance issues and spoofing.
location /secure {
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
include shib_clear_headers;
#Add your attributes here. They get introduced as headers
#by the FastCGI authorizer so we must prevent spoofing.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
...
...
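Review bot: `include shib_clear_headers;`, which replaces the `more_clear_input_headers 'Variable-*' 'Shib-*' ...` line, is a bare filename, so nginx resolves it relative to its configuration prefix and a missing file makes the whole configuration fail to load; since the README in this same commit says the file ships inside this repository, the comment above this location should say where to install it (or give a full path in the include) so the example works on a fresh deployment. Note also that the following `more_clear_input_headers 'displayName' 'mail' 'persistent-id';` line is kept, so the headers-more module remains a hard requirement even with the include in place; a one-line comment saying so would avoid the impression that the include replaces it.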
@@ -173,7 +172,7 @@ variables are passed around as headers.
proxy_pass http://localhost:8080;
location = /secure2/shibboleth {
more
_clear_
input_
headers
'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE'
;
include shib
_clear_headers;
#Add your attributes here. They get introduced as headers
#by the FastCGI authorizer so we must prevent spoofing.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
...
...
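Review bot: the `location = /secure2/shibboleth` block now carries the same `include shib_clear_headers;` and an identical `more_clear_input_headers 'displayName' 'mail' 'persistent-id';` list as `/secure` above, so the application attribute list is duplicated by hand in two places and will drift the first time someone adds an attribute to only one of them. Consider moving the application-specific clear list into a second include file next to `shib_clear_headers` and including it in both locations, and say in the comment that every location fronting the application needs the same list.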
README.rst (+19 −6) @ 2c3a5d0c
...
...
@@ -158,13 +158,19 @@ An example consists of the following::
# A secured location. All incoming requests query the Shibboleth FastCGI authorizer.
# Watch out for performance issues and spoofing!
location /secure {
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
shib_request /shibauthorizer;
shib_request_use_headers on;
# Attributes from Shibboleth are introduced as headers by the FastCGI
# authorizer so we must prevent spoofing. The
# ``shib_clear_headers`` is a set of default header directives,
# available in the `includes/` directory in this repository.
include shib_clear_headers;
# Add
your
attributes
here. They get introduced as headers
#
by the FastCGI authorizer so we must prevent spoofing
.
# Add
*all*
attributes
that your application uses, including all
#
variations
.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
shib_request /shibauthorizer;
# Backend application that will receive Shibboleth variables as request
# headers from the FastCGI authorizer
proxy_pass http://localhost:8080;
...
...
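Review bot: the new comment says `shib_clear_headers` is "available in the `includes/` directory in this repository", but the link added further down in this same file points at `config/shib_clear_headers` on GitHub; one of the two paths is wrong and a reader following the comment will not find the file. Pick one path and use it in both places. Separately, "including all variations" is too vague for the security point being made: spell out that the clear list must cover every header name the backend will accept for a given attribute, because any spelling left off the list is exactly the spoofing vector this comment warns about.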
@@ -176,7 +182,7 @@ An example consists of the following::
# supports parameters (by using the appropriate *_param option)
#
# The ``shib_fastcgi_params`` is an optional set of default parameters,
# available in this repository.
# available in
the `includes/` directory in
this repository.
location /secure-environment-vars {
shib_request /shibauthorizer;
include shib_fastcgi_params;
...
...
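Review bot: same path mismatch here: the comment says `shib_fastcgi_params` lives in `includes/`, while the link in the last hunk of this file says `config/shib_fastcgi_params`. Also, `location /secure-environment-vars` has `shib_request /shibauthorizer;` and `include shib_fastcgi_params;` but no header clearing at all; the prose a little further down says some backends fall back to headers even when environment variables are in use, so this example should either add `include shib_clear_headers;` (plus the application attribute list) or state explicitly why it is safe to omit it here.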
@@ -192,11 +198,18 @@ Note that we use the `headers-more-nginx-module
potentially dangerous input headers and avoid the potential for spoofing. The
latter example with environment variables isn't susceptible to header
spoofing, as long as the backend reads data from the environment parameters
**only**. Bear in mind that some applications will try to read a
**only**.
A `default configuration
<https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/config/shib_clear_headers>`_
is available to clear the basic headers from the Shibboleth authorizer, but
you must ensure you write your own clear directives for all attributes your
application uses. Bear in mind that some applications will try to read a
Shibboleth attribute from the environment and then fall back to headers, so
review your application's code even if you are not using
``shib_request_use_headers``.
With use of ``shib_request_set``, a `default params
<https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/config/shib_fastcgi_params>`_
file is available which you can use as an nginx ``include`` to ensure all core
...
...
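Review bot: the paragraph tells the reader to "review your application's code even if you are not using ``shib_request_use_headers``" but stops short of the actionable step: if the application might fall back to headers, add `include shib_clear_headers;` and the application-specific `more_clear_input_headers` list to the environment-variable location as well, since clearing is harmless when the backend reads only the environment parameters. Both new links also point at `master` on GitHub rather than a tagged revision, so the linked files can drift from the directives documented here; linking to the in-repository path (or to the file at a fixed revision) is more durable.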