Add SSL reverse proxy paths (#3179)

mod_ood_proxy/lib/ood/proxy.lua

@@ -4,9 +4,16 @@
   Modify a given request to utilize mod_proxy for reverse proxying.
 --]]
 function set_reverse_proxy(r, conn)
-  -- find protocol used by parsing the request headers
-  local protocol = (r.headers_in['Upgrade'] and "ws://" or "http://")
+  -- check if request was from a secure path
+  local use_ssl = r.subprocess_env['OOD_SECURE_UPSTREAM'] == '1'
 
+  -- find protocol used by parsing the request headers and SSL flag
+  local protocol = "http://"
+  if r.headers_in['Upgrade'] then
+    protocol = use_ssl and "wss://" or "ws://"
+  else
+    protocol = use_ssl and "https://" or "http://"
+  end
 
   -- define reverse proxy destination using connection object
   if conn.socket then

ood-portal-generator/lib/ood_portal_generator/view.rb

@@ -5,7 +5,7 @@
 module OodPortalGenerator
   # A view class that renders an OOD portal Apache configuration file
   class View
-    attr_reader :ssl, :protocol, :proxy_server, :port, :dex_uri
+    attr_reader :ssl, :protocol, :proxy_server, :ssl_proxy, :port, :dex_uri
     attr_accessor :user_map_match, :user_map_cmd, :logout_redirect, :dex_http_port, :dex_enabled
     attr_accessor :oidc_uri, :oidc_client_secret, :oidc_remote_user_claim, :oidc_client_id, :oidc_provider_metadata_url, :oidc_redirect_uri
 
@@ -25,6 +25,7 @@ def initialize(opts = {})
       @servername       = opts.fetch(:servername, nil)
       @server_aliases   = opts.fetch(:server_aliases, [])
       @proxy_server     = opts.fetch(:proxy_server, servername)
+      @ssl_proxy        = opts.fetch(:ssl_proxy, [])
       @allowed_hosts    = allowed_hosts
       @port             = opts.fetch(:port, @ssl ? "443" : "80")
       if OodPortalGenerator.debian?
@@ -84,6 +85,8 @@ def initialize(opts = {})
       @host_regex = opts.fetch(:host_regex, "[^/]+")
       @node_uri   = opts.fetch(:node_uri, nil)
       @rnode_uri  = opts.fetch(:rnode_uri, nil)
+      @secure_node_uri   = opts.fetch(:secure_node_uri, nil)
+      @secure_rnode_uri  = opts.fetch(:secure_rnode_uri, nil)
 
       # Per-user NGINX sub-uri
       @nginx_uri              = opts.fetch(:nginx_uri, "/nginx")

ood-portal-generator/share/ood_portal_example.yml

@@ -263,6 +263,35 @@
 # Default: null (disable this feature)
 #rnode_uri: null
 
+# This path will force the upstream connection to use HTTPS or WSS, used for
+# backend applications that are running their own SSL termination
+# Sub-uri used to reverse proxy to backend web server running on node that knows
+# the full URI path
+# Example:
+#     secure_node_uri: '/secure-node'
+# Default: null (disable this feature)
+#secure_node_uri: null
+
+# This path will force the upstream connection to use HTTPS or WSS, used for
+# backend applications that are running their own SSL termination
+# Sub-uri used to reverse proxy to backend web server running on node that
+# ONLY uses *relative* URI paths
+# Example:
+#     secure_rnode_uri: '/secure-rnode'
+# Default: null (disable this feature)
+#secure_rnode_uri: null
+
+# List of SSL Proxy Apache directives
+# These settings control SSL validation for the upstream connection and require
+# a secure_[r]node_uri to be defined
+# to.
+# Example:
+#     ssl_proxy:
+#       - 'SSLProxyCheckPeerCN Off'
+#       - 'SSLProxyCheckPeerName Off'
+# Default: [] (no additional SSL proxy settings)
+#ssl_proxy: []
+
 #
 # Per-user NGINX Passenger apps
 #

ood-portal-generator/spec/application_spec.rb

@@ -81,6 +81,15 @@ def test_generate(input, output)
       described_class.generate()
     end
 
+    it 'generates a template SSL proxying configurations supplied' do
+      config = YAML.load(read_fixture('ood_portal.yaml.ssl-proxy'))
+      allow(described_class).to receive(:context).and_return(config)
+      expected_rendered = read_fixture('ood-portal.conf.ssl-proxy')
+
+      expect(described_class.output).to receive(:write).with(expected_rendered)
+      described_class.generate()
+    end
+
     it 'generates without maintenance' do
       config = { use_maintenance: false }.merge(oidc_auth)
       allow(described_class).to receive(:context).and_return(config)

ood-portal-generator/spec/fixtures/ood-portal.conf.all

@@ -89,6 +89,9 @@ Listen 8080
   SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"
   SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"
 
+  # Enable SSL Proxying
+  SSLProxyEngine On
+
   # Lua configuration
   #
   LuaRoot "/some/other/mod_ood_proxy/lib"
@@ -222,6 +225,100 @@ Listen 8080
     LuaHookFixups node_proxy.lua node_proxy_handler
   </LocationMatch>
 
+  # Reverse proxy SSL traffic to backend webserver through IP sockets:
+  #
+  #     https://test.server.name:8080/configured-secure-node/HOST/PORT/index.html
+  #     #=> https://HOST:PORT/configured-secure-node/HOST/PORT/index.html
+  #
+  <LocationMatch "^/configured-secure-node/(?<host>[\w.-]+\.site\.edu)/(?<port>\d+)">
+    SetEnv OOD_SECURE_UPSTREAM 1
+
+    AuthType openid-connect
+    Require valid-user
+
+
+    RequestHeader edit* Cookie "mod_auth_openidc_session_\d+=[^;]+;" ""
+    RequestHeader edit* Cookie "mod_auth_openidc_session=[^;]+;" ""
+    RequestHeader unset Authorization
+    RequestHeader unset OIDC_CLAIM_sub
+    RequestHeader unset OIDC_CLAIM_preferred_username
+    RequestHeader unset OIDC_CLAIM_given_name
+    RequestHeader unset OIDC_CLAIM_zoneinfo
+    RequestHeader unset OIDC_CLAIM_locale
+    RequestHeader unset OIDC_CLAIM_email
+    RequestHeader unset OIDC_CLAIM_email_verified
+    RequestHeader unset OIDC_CLAIM_iss
+    RequestHeader unset OIDC_CLAIM_nonce
+    RequestHeader unset OIDC_CLAIM_aud
+    RequestHeader unset OIDC_CLAIM_acr
+    RequestHeader unset OIDC_CLAIM_azp
+    RequestHeader unset OIDC_CLAIM_auth_time
+    RequestHeader unset OIDC_CLAIM_exp
+    RequestHeader unset OIDC_CLAIM_iat
+    RequestHeader unset OIDC_CLAIM_jti
+    RequestHeader unset OIDC_access_token
+    RequestHeader unset OIDC_access_token_expires
+
+    # ProxyPassReverse implementation
+    Header edit Location "^[^/]+//[^/]+" ""
+
+    # ProxyPassReverseCookieDomain implementation
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation
+    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
+    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/configured-secure-node/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    LuaHookFixups node_proxy.lua node_proxy_handler
+  </LocationMatch>
+
+  #  Reverse "relative" proxy SSL traffic to backend webserver through IP sockets:
+  #
+  #     https://test.server.name:8080/configured-secure-rnode/HOST/PORT/index.html
+  #     #=> https://HOST:PORT/index.html
+  #
+  <LocationMatch "^/configured-secure-rnode/(?<host>[\w.-]+\.site\.edu)/(?<port>\d+)(?<uri>/.*|)">
+    SetEnv OOD_SECURE_UPSTREAM 1
+
+    AuthType openid-connect
+    Require valid-user
+
+
+    RequestHeader edit* Cookie "mod_auth_openidc_session_\d+=[^;]+;" ""
+    RequestHeader edit* Cookie "mod_auth_openidc_session=[^;]+;" ""
+    RequestHeader unset Authorization
+    RequestHeader unset OIDC_CLAIM_sub
+    RequestHeader unset OIDC_CLAIM_preferred_username
+    RequestHeader unset OIDC_CLAIM_given_name
+    RequestHeader unset OIDC_CLAIM_zoneinfo
+    RequestHeader unset OIDC_CLAIM_locale
+    RequestHeader unset OIDC_CLAIM_email
+    RequestHeader unset OIDC_CLAIM_email_verified
+    RequestHeader unset OIDC_CLAIM_iss
+    RequestHeader unset OIDC_CLAIM_nonce
+    RequestHeader unset OIDC_CLAIM_aud
+    RequestHeader unset OIDC_CLAIM_acr
+    RequestHeader unset OIDC_CLAIM_azp
+    RequestHeader unset OIDC_CLAIM_auth_time
+    RequestHeader unset OIDC_CLAIM_exp
+    RequestHeader unset OIDC_CLAIM_iat
+    RequestHeader unset OIDC_CLAIM_jti
+    RequestHeader unset OIDC_access_token
+    RequestHeader unset OIDC_access_token_expires
+
+    # ProxyPassReverse implementation
+    Header edit Location "^([^/]+//[^/]+)|(?=/)|^([\./]{1,}(?<!/))" "/configured-secure-rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    # ProxyPassReverseCookieDomain implementation
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation
+    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
+    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/configured-secure-rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    LuaHookFixups node_proxy.lua node_proxy_handler
+  </LocationMatch>
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     https://test.server.name:8080/my_pun_apps/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.dex

@@ -60,6 +60,7 @@
 
   Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL http://example.com/dex/.well-known/openid-configuration
@@ -118,6 +119,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     http://localhost:80/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full

@@ -80,6 +80,7 @@
   SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/example.com-interm.crt
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL https://example.com/dex/.well-known/openid-configuration
@@ -138,6 +139,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     https://example.com:443/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap

@@ -80,6 +80,7 @@
   SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/example.com-interm.crt
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL https://example.com/dex/.well-known/openid-configuration
@@ -138,6 +139,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     https://example.com:443/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.dex-no-proxy

@@ -79,6 +79,7 @@
   SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/example.com-interm.crt
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL https://example.com:5554/.well-known/openid-configuration
@@ -131,6 +132,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     https://example.com:443/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.maint_with_ips

@@ -61,6 +61,7 @@
 
   Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
+
   # Lua configuration
   #
   LuaRoot "/opt/ood/mod_ood_proxy/lib"
@@ -99,6 +100,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     http://localhost:80/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.nomaint

@@ -48,6 +48,7 @@
 
   Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
+
   # Lua configuration
   #
   LuaRoot "/opt/ood/mod_ood_proxy/lib"
@@ -86,6 +87,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     http://localhost:80/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.oidc

@@ -63,6 +63,7 @@
 
   Header always set Content-Security-Policy "frame-ancestors http://ondemand.example.com;"
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL https://idp.example.com/auth/realms/osc/.well-known/openid-configuration
@@ -119,6 +120,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     http://ondemand.example.com:80/pun/dev/app/simulations/1

ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl

@@ -79,6 +79,7 @@
   SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt
 
+
   # OIDC configuration
   #
   OIDCProviderMetadataURL https://idp.example.com/auth/realms/osc/.well-known/openid-configuration
@@ -135,6 +136,8 @@
 
 
 
+
+
   # Reverse proxy traffic to backend PUNs through Unix domain sockets:
   #
   #     https://ondemand.example.com:443/pun/dev/app/simulations/1