mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-04-29 10:10:19 +00:00
- Use the excellent Apache module auth_openidc.
- Implement macros that can be easily used to configure OpenID Connect.

Tests:

- Accessing /freedombox/apache/discover-idp/ shows:
  - 'method' other than 'get' throws a 'bad request' error
  - oidc_callback should match host. Otherwise 'bad request' error is raised.
  - Mismatched host header is not allowed
  - Invalid domain setup is not allowed
  - target_link_uri is returned as is
  - method is returned as is and only 'get' is allowed.
  - x_csrf is returned as is
  - oidc_scopes is returned as 'email freedombox_groups'
  - HTTP request is answered and not redirected to https
- When logging in with OIDC, authorization is skipped. When authorization is shown, it is shown as 'Web app protected by FreedomBox'.
- libapache2-mod-auth-openidc is added as a dependency for the freedombox package. It is installable in stable, testing, and unstable distributions.
- On applying patches, Apache setup configuration is run and OpenIDC component is created.
- When patches are applied and setup install is run, auth_openidc module, 10-freedombox, freedombox-openidc config is enabled in Apache.
- When setup is rerun, passphrase is not changed
- metadata directory and parent are created when apache setup is run. Mode is 0o700 and ownership is www-data.
- freedombox-openidc is created when apache setup is run and has 0o700 permissions.
- Metadata directory will contain the client id and client passphrase when discovery happens for a particular domain.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
19 lines
695 B
Plaintext
```apache
##
## Allow only TLS traffic onto FreedomBox service. This is done by redirecting
## non-secure traffic to secure traffic. The redirect is permanent as
## recommended in: http://tools.ietf.org/html/rfc6797#section-7
##
## Requires the following Apache modules to be enabled:
## mod_rewrite
## mod_ssl
##
<LocationMatch "^/(plinth|freedombox)">
    RewriteEngine on
    # Don't redirect for onion sites as it is not needed and leads to an
    # unnecessary warning.
    RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]
    # The OpenID Connect discovery endpoint must answer plain HTTP requests
    # rather than being redirected to https.
    RewriteCond %{REQUEST_URI} !^/freedombox/apache/discover-idp/$ [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</LocationMatch>
```
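The redirect exemption in the config above and the endpoint checks listed in the commit message, modelled as an added Python example (not FreedomBox code): `tls_redirect` replays the `<LocationMatch>` scope and the three `RewriteCond` checks, and `discover_idp_check` is an assumed shape of the GET-only and Host-must-match-`oidc_callback` validation; the exact port and case handling of the real endpoint is not on the page.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed model of the 10-freedombox rewrite rules; not FreedomBox code.
# LocationMatch is case-sensitive, the two [NC] conditions are not.
LOCATION = re.compile(r"^/(plinth|freedombox)")
ONION_HOST = re.compile(r"^.*\.onion$", re.IGNORECASE)
DISCOVER_IDP = re.compile(r"^/freedombox/apache/discover-idp/$", re.IGNORECASE)


def tls_redirect(host: str, request_uri: str, https: bool) -> Optional[str]:
    """Return the 301 Location the rule would send, or None if served as-is.

    host is the Host header (%{HTTP_HOST}); request_uri is the path without
    the query string (%{REQUEST_URI}); https says whether TLS was used.
    """
    if not LOCATION.search(request_uri):
        return None  # outside <LocationMatch>: the rule is never evaluated
    if ONION_HOST.match(host):
        return None  # onion services are exempt (first RewriteCond)
    if DISCOVER_IDP.match(request_uri):
        return None  # OIDC discovery endpoint is answered over plain HTTP
    if https:
        return None  # already TLS: %{HTTPS} is "on"
    return f"https://{host}{request_uri}"


def discover_idp_check(method: str, host: str, oidc_callback: str) -> int:
    """Assumed shape of the discover-idp request checks from the commit
    message (not FreedomBox's code): only GET is accepted, and the Host
    header must name the same host as oidc_callback, else 400 Bad Request.
    """
    if method.lower() != "get":
        return 400
    if host.split(":")[0].lower() != urlsplit(oidc_callback).hostname:
        return 400
    return 200
```

Note that only the exact path with a trailing slash escapes the redirect; `/freedombox/apache/discover-idp` without the slash is still sent to https.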