Saturday, February 18, 2012

Integrating Google Apps with Apache module

Recently, we've been using https://github.com/epotocko/apache-google-apps-sso to implement single sign-on for a lot of our Apache-based resources for Google Apps/OpenID integration. The documentation is pretty clear and discusses how to go about protecting certain URL paths, but what if you want to require authentication for the entire site?

The trick is to use mod_rewrite with a RewriteRule so that Auth_memCookie is not needed for /auth/ logins, which is where the PHP code that performs the authentication is executed. The 'L' flag in the RewriteRule stops the rest of the rewrite rules from executing.

RewriteEngine on
RewriteRule ^/auth/(.*)$ /auth/$1 [L]


<IfModule mod_auth_memcookie.c>
<Location />
AuthType Cookie
.
.
.
ProxyPass http://127.0.0.1:9999/
ProxyPassReverse http://127.0.0.1:9999/

</Location>
</IfModule>

The ProxyPass is used to proxy traffic to an internal webserver host, and the ProxyPassReverse rewrites Location: headers. If you are using Django, an HttpResponseRedirect() call will usually set the Location: header based on X-Forwarded-Host, but if you are not using mod_wsgi, the header may not be set correctly. ProxyPassReverse provides a way to rewrite these redirects for this reason.

The other thing is to make sure that your base URL is also set with this /auth/ path:
// Base url to protect
GApps_Session::$BASE_URL = 'https://myhost.com/auth/';
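
An added check, not part of the original post or of apache-google-apps-sso: the Python below audits responses fetched without a session cookie, flagging any path outside /auth/ that is not denied, a login path that itself demands the cookie, and Location headers that still expose the 127.0.0.1:9999 backend. It assumes the gateway answers unauthenticated requests with 401/403 or a redirect into /auth/; the function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

AUTH_PREFIX = "/auth/"              # login path exempted by the RewriteRule
BACKEND = "http://127.0.0.1:9999/"  # internal ProxyPass target from the config

def classify(path, status, location):
    """Return findings for one response obtained WITHOUT a session cookie."""
    findings, loc = [], location or ""
    # ProxyPassReverse should have rewritten any backend URL in Location.
    if loc.startswith(BACKEND.rstrip("/")):
        findings.append("backend address leaked in Location")
    to_login = 300 <= status < 400 and urlsplit(loc).path.startswith(AUTH_PREFIX)
    if path.startswith(AUTH_PREFIX):
        # The login endpoint must not demand the cookie, or login can never start.
        if status in (401, 403):
            findings.append("login path requires authentication")
    elif not (status in (401, 403) or to_login):  # assumed denial behaviour
        findings.append("not blocked without a session cookie")
    return findings

def probe(host, path, timeout=5):
    """Fetch one path over HTTPS with no cookie and without following redirects."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(responses):
    """responses: {path: (status, location)} -> {path: findings} for failing paths."""
    checked = {p: classify(p, s, loc) for p, (s, loc) in responses.items()}
    return {p: f for p, f in checked.items() if f}

# Constructed sample responses (not captured from a real host).
SAMPLE = {
    "/": (401, None),
    "/reports/": (302, "https://myhost.com/auth/"),
    "/static/app.js": (200, None),
    "/admin/": (302, "http://127.0.0.1:9999/admin/login/"),
    "/auth/": (200, None),
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

To run it against your own host, build the input with `{p: probe("myhost.com", p) for p in paths}` and pass the result to `audit()`.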
