Installazione in UBUNTU
Compile Nginx with Shibboleth module
guida presa da https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst
Step 1: Obtain the NGINX Open Source Release
Scaricare la lista aggiornata dei pacchetti e delle nuove versioni disponibili nei repository
>$ sudo apt-get update
>$ sudo apt-get install git
Determine the NGINX Open Source version that corresponds to your NGINX Plus installation. In this example, it's NGINX 1.11.5.
>$ nginx -v
nginx version: nginx/1.18.0 (Ubuntu)
Download the corresponding NGINX Open Source package at nginx.org/download:
>$ wget https://nginx.org/download/nginx-1.18.0.tar.gz
>$ tar -xzvf nginx-1.18.0.tar.gz
Step 2: Obtain the Module Sources
Obtain the source for the nginx-http-shibboleth NGINX module from GitHub:
>$ git clone https://github.com/nginx-shib/nginx-http-shibboleth.git
Step 3: Compile the Dynamic Module
Compile the module by first running the configure script with the --with-compat argument, which creates a standard build environment supported by both NGINX Open Source and NGINX Plus. Then run make modules to build the module:
$ cd nginx-1.18.0/
./configure --with-compat --add-dynamic-module=/root/operazioni/nginx-http-shibboleth
Se si verifica: Errore ubuntu ./configure: error: C compiler cc is not found
sudo apt-get install build-essential
Se si verifica ./configure: 13: /root/operazioni/nginx-http-shibboleth/config: Syntax error: end of file unexpected (expecting "then")
sudo apt-get install dos2unix dos2unix root/operazioni/nginx-http-shibboleth/config
Se si verifica ./configure: error: the HTTP rewrite module requires the PCRE library.
sudo apt-get install libpcre3-dev
Se si verifica ./configure: error: the HTTP gzip module requires the zlib library.
sudo apt-get install zlib1g-dev
installare headers-more-nginx-module-0.32.zip
>$ sudo wget https://github.com/openresty/headers-more-nginx-module/archive/v0.35.zip
>$ sudo unzip headers-more-nginx-module-0.35.zip
>$ sudo ./configure --with-compat --add-dynamic-module=/root/operazioni/headers-more-nginx-module-0.35 --add-dynamic-module=/root/operazioni/nginx-http-shibboleth
>$ sudo make modules
Copy the module library (.so file) to /etc/nginx/modules
>$ sudo cp objs/ngx_http_shibboleth_module.so /usr/share/nginx/modules
>$ sudo cp objs/ngx_http_headers_more_filter_module.so /usr/share/nginx/modules/
Step 4: Load and Use the Module
To load the module into NGINX Plus, add the load_module directive in the top‑level (main) context of your nginx.conf configuration file (not within the http or stream context):
vim /etc/nginx/modules-available/mod_ngx_http_shibboleth.conf
inserire il contenuto
load_module modules/ngx_http_shibboleth_module.so;
Attivare il modulo su nginx
cd /etc/nginx/modules-enabled/
ln -s /etc/nginx/modules-available/mod_ngx_http_shibboleth.conf 50-mod_ngx_http_shibboleth.conf
vim /etc/nginx/modules-available/ngx_http_headers_more_filter_module.conf
inserire il contenuto
load_module modules/ngx_http_headers_more_filter_module.so;
ln -s /etc/nginx/modules-available/ngx_http_headers_more_filter_module.conf 50-ngx_http_headers_more_filter_module.conf vim /etc/nginx/shib_clear_headers
inserire il contenuto
# Ensure that you add directives to clear input headers for *all* attributes
# that your backend application uses. This may also include variations on these
# headers, such as differing capitalisations and replacing hyphens with
# underscores etc -- it all depends on what your application is reading.
#
# Note that Nginx silently drops headers with underscores
# unless the non-default `underscores_in_headers` is enabled.
# Shib-* doesn't currently work because * isn't (yet) supported
more_clear_input_headers
Auth-Type
Shib-Application-Id
Shib-Authentication-Instant
Shib-Authentication-Method
Shib-Authncontext-Class
Shib-Identity-Provider
Shib-Session-Id
Shib-Session-Index
Remote-User;
# more_clear_input_headers
# EPPN
# Affiliation
# Unscoped-Affiliation
# Entitlement
# Targeted-Id
# Persistent-Id
# Transient-Name
# Commonname
# DisplayName
# Email
# OrganizationName;
Installare Shibboleth SP
sudo apt-get install shibboleth-sp-utils sudo apt-get install supervisor sudo touch /etc/supervisor/conf.d/shib.conf
Inserire il contenuto
[fcgi-program:shibauthorizer]
command=/usr/lib/x86_64-linux-gnu/shibboleth/shibauthorizer
socket=unix:///var/run/shibboleth/shibauthorizer.sock
socket_owner=_shibd:_shibd
socket_mode=0666
user=_shibd
stdout_logfile=/var/log/supervisor/shibauthorizer.log
stderr_logfile=/var/log/supervisor/shibauthorizer.error.log
[fcgi-program:shibresponder]
command=/usr/lib/x86_64-linux-gnu/shibboleth/shibresponder
socket=unix:///var/run/shibboleth/shibresponder.sock
socket_owner=_shibd:_shibd
socket_mode=0666
user=_shibd
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log
sudo service supervisor restart
configurazione Shibboleth
creazione dei certificati
openssl req -new -x509 -keyout rootCAkey.pem -out rootCAcert.pem -days 3650
- La passphrase dovrà essere inserita nel file shibboleth2.xml
Generating a RSA private key
...........................................................................+++++
.....+++++
writing new private key to 'rootCAkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:PERUGIA
Locality Name (eg, city) []:PERUGIA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RETELIT
Organizational Unit Name (eg, section) []:PAABS SVILUPPO PAL
Common Name (e.g. server FQDN or YOUR name) []:servizidigitali.fo.cittametropolitana.torino.it
Email Address []:vbgsupport.paevo@retelit.it
mkdir /etc/shibboleth/certs cp rootCA /etc/shibboleth/certs chmod 644 /etc/shibboleth/certs/rootCAkey.pem cp metadata_federazione_gasp_cmto.xml /etc/shibboleth/metadata/ mkdir /etc/shibboleth/conf/ mv attribute-*.xml /etc/shibboleth/conf/ mv shibboleth2.xml /etc/shibboleth/shibboleth2.xml
configurazione NGINX
Nella configurazione del site da proteggere inserire le righe per indicare i PATH protetti da shibauthorizer/responder
Il path è quello definito nell'attributo handlerURL del tag XML
<ApplicationOverride id="APPLICATION_SITE_DA_PROTEGGERE_443_LIV1_SPID"
entityID="SP_SITE_DA_PROTEGGERE_443_LIV1_SPID">
<Sessions lifetime="28800"
timeout="3600"
checkAddress="false"
handlerURL="https://mio.servizio.it/SITE_DA_PROTEGGERE_443_LIV1_SPID/Shibboleth.sso"
handlerSSL="true"
idpHistory="false" idpHistoryDays="7"
cookieName ="COLL-SITE_DA_PROTEGGERE_443_LIV1"
cookieProps="; path=/; secure; HttpOnly" consistentAddress="false">
In questo caso https://mio.servizio.it/SITE_DA_PROTEGGERE_443_LIV1_SPID
Esempio:
location /SITE_DA_PROTEGGERE_443_LIV1_SPID/shibauthorizer {
internal;
include fastcgi_params;
fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
}
location /SITE_DA_PROTEGGERE_443_LIV1_SPID/Shibboleth.sso {
include fastcgi_params;
fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
}
location /SITE_DA_PROTEGGERE_443_LIV1_SPID/shibboleth-sp {
alias /usr/share/shibboleth/;
}
location /ibcauthenticationgateway {
include shib_clear_headers;
#more_clear_input_headers 'displayName' 'mail' 'persistent-id';
shib_request /SITE_DA_PROTEGGERE_443_LIV1_SPID/shibauthorizer;
shib_request_use_headers on;
proxy_pass http://ibcauthenticationgateway;
}
RIAVVIO DEI SERVIZI
service shibd restart ; service shibauthorizer restart ;service shibresponder restart; service nginx restart
create metadata da mettere in COT
Per generare i Metati da mettere in COT usare la URL
https://mio.servizio.it/SITE_DA_PROTEGGERE_443_LIV1_SPID/Shibboleth.sso/Metadata
Il file va inviato ai gestori dell'identity provider