Federation: Shibboleth Protecting EZProxy and Apache Reverse Proxy
Glenn Wearen Middleware Specialist, HEAnet
Sponsored by BT
Ezproxy
• EZproxy used primarily by libraries
  – Publishers restrict access by IP
  – Off-campus users use the proxy so that the correct IP is presented
  – Authentication to EZproxy by LDAP or Shibboleth
  – Some libraries link to publishers via EZproxy regardless of location
    E.g. links in the library catalogue are hardcoded to EZproxy: www.publisher.com.ezproxy.mit.ie
EZproxy
• EZproxy could be used for non-library uses
EZproxy
• EZproxy works with Shibboleth
  – Typically EZproxy will be an SP that bilaterally trusts a single IdP
EZproxy
• EZproxy works with Shibboleth
  – Seamlessly works with a federation
    Multiple IdPs can be connected to EZproxy
Apache Reverse Proxy
• Configured Apache in front of a web server to proxy content from the back-end
• Can perform authentication using
  – BASIC AUTH (proxying credentials)
  – REMOTE_USER (proxying user identifier)
• Useful to federate appliances where
  – No opportunity to add SAML plugin to appliance
Front-end config
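<IfModule mod_proxy.c>
    # Reverse proxy only; do not act as a forward proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location /app>
        # Require a Shibboleth session for everything under /app
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require valid-user
        # Copy REMOTE_USER (looked up via a sub-request) into the env variable RU
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # Pass the user identifier to the back end as X-Remote-User
        RequestHeader set X-Remote-User "%{RU}e" env=RU
        # Forward the request to the back-end server
        ProxyPass http://vmworkshop12.heanet.ie/
        ProxyPassReverse http://vmworkshop12.heanet.ie/
    </Location>
</IfModule>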
Back-end config
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    # Basic authentication, realm "test"; only the listed user is authorised
    AuthName test
    AuthType Basic
    Require user [email protected]
</Directory>