Reputation: 24442
I am trying to add the mod_auth_openidc module to an Apache server running on Docker. After adding LoadModule auth_openidc_module modules/mod_auth_openidc.so, I create the image and run it, getting this error:
httpd: Syntax error on line 69 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/mod_auth_openidc.so into server: libcjose.so.0: cannot open shared object file: No such file or directory
So I downloaded that dependency and added the necessary LoadModule statement:
LoadModule libcjose_module modules/libcjose.so.0
Now the error is about libjansson.so.4:
httpd: Syntax error on line 68 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/libcjose.so.0 into server: libjansson.so.4: cannot open shared object file: No such file or directory
I repeated the previous steps, downloading libjansson.so.4 from https://packages.debian.org/wheezy/libjansson4, adding it to the Dockerfile and the Apache configuration (LoadModule libjansson_module modules/libjansson.so.4), and:
httpd: Syntax error on line 67 of /usr/local/apache2/conf/httpd.conf: Can't locate API module structure `libjansson_module' in file /usr/local/apache2/modules/libjansson.so.4: /usr/local/apache2/modules/libjansson.so.4: undefined symbol: libjansson_module
So how can I load the jansson module???
This is my Dockerfile:
FROM httpd:2.4
RUN apt-get update && apt-get install -y \
    curl
COPY ./libjansson.so.4 /usr/local/apache2/modules/libjansson.so.4
COPY ./libcjose.so.0 /usr/local/apache2/modules/libcjose.so.0
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
And httpd.conf:
LoadModule libjansson_module modules/libjansson.so.4
LoadModule libcjose_module modules/libcjose.so.0
LoadModule auth_openidc_module modules/mod_auth_openidc.so
Upvotes: 5
Views: 17580
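The errors in the question come from two different loaders: libcjose.so.0 and libjansson.so.4 are ordinary shared libraries that the dynamic linker resolves, while LoadModule only accepts a file that exports an Apache module structure. The script below is an added example, not part of the original post; its function names and the sample ldd/nm output are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): tell an Apache module apart from a plain
# shared library, and list the libraries the dynamic linker cannot find.

# Reads ldd output on stdin, prints each soname reported as not found.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Reads nm -D output on stdin, prints the exported module structure
# (a data symbol ending in _module) if the file has one.
module_symbol() {
    awk '$2 ~ /^[BD]$/ && $3 ~ /_module$/ { print $3 }'
}

# Runs both checks on a real file; needs ldd and nm (binutils).
check_so() {
    sym=$(nm -D "$1" | module_symbol)
    if [ -n "$sym" ]; then
        echo "$1: Apache module -> LoadModule $sym $1"
    else
        echo "$1: plain library -> install it on the linker path, no LoadModule"
    fi
    ldd "$1" | missing_libs | sed 's/^/  unresolved: /'
}

# Constructed sample output, not captured from a real system.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1c5f2000)
    libcjose.so.0 => not found
    libjansson.so.4 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b000000)'
SAMPLE_NM_MODULE='0000000000052a40 D auth_openidc_module
                 U json_loads'
SAMPLE_NM_LIBRARY='0000000000006c30 T json_loads
0000000000004e10 T json_object_get'

if [ -n "${1:-}" ]; then
    check_so "$1"
else
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
fi
```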
Reputation: 4324
In 2021 the zmartzone module is available as a Debian package. So I was able to build an image using a simple Dockerfile, but I only need https (not php etc). I chose to use the httpd buster base image; in buster the zmartzone package version is 2.3.10.2-1, while the latest and greatest today is 2.4.9.4. Here's my Dockerfile, only two commands required:
# Build image with Apache HTTPD and OpenID connect module
FROM httpd:2.4-buster
RUN apt-get update && \
    apt-get install --no-install-recommends -y \
        ca-certificates libapache2-mod-auth-openidc
# leave entrypoint etc. unchanged from base image
One thing I completely don't understand: the Apache httpd base image has modules in /usr/local/apache2/modules but the package installs auth_openidc_module in /usr/lib/apache2/modules. Maybe someone can explain that to me?
Anyhow, trying to make this answer complete, using this image requires changes to base image files /usr/local/apache2/httpd.conf and /usr/local/apache2/extra/httpd-ssl.conf. Here is the first set of diffs:
% diff httpd.conf.orig httpd.conf
94c98
< #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
---
> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
142c146
< #LoadModule proxy_module modules/mod_proxy.so
---
> LoadModule proxy_module modules/mod_proxy.so
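Review bot: the 142c146 hunk enables proxy_module, but nothing else in the httpd.conf or httpd-ssl.conf changes shown here uses it: there is no ProxyPass or other proxy directive. If the content under /secure is served locally, leave this line commented out so the server loads only the modules it needs; if a backend is proxied, the proxy directives that depend on this module belong in the same change.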
161c165
< #LoadModule ssl_module modules/mod_ssl.so
---
> LoadModule ssl_module modules/mod_ssl.so
199a204
> LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
241c246
< #ServerName www.example.com:80
---
> ServerName server.my.company.com:80
541c546
< #Include conf/extra/httpd-ssl.conf
---
> Include conf/extra/httpd-ssl.conf
Also extra/httpd-ssl.conf:
% diff httpd-ssl.conf.orig httpd-ssl.conf
125c129
< ServerName www.example.com:443
---
> ServerName server.my.company.com:443
290c294,319
< </VirtualHost>
---
> OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration
> OIDCClientID my-company-client-id
> OIDCClientSecret my-company-client-scret
> OIDCRedirectURI https://server.my.company.com/secure/redirect_uri
> OIDCCryptoPassphrase my-company-crypto-passphrase
>
> <Location /secure>
> AuthType openid-connect
> Require valid-user
> </Location>
>
> </VirtualHost>
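Review bot: OIDCClientSecret and OIDCCryptoPassphrase are written as literal values in the block added at 290c294,319, so httpd-ssl.conf now holds credentials. Keep this file out of the image and out of version control, and restrict read access to the user httpd starts as, since the configuration is parsed before the server drops privileges. The OIDCRedirectURI path sits under the protected <Location /secure>, which is what the module expects, so that part needs no change.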
If your container does not trust the certificate used by your OIDC server, despite installing package ca-certificates, you may have to add this entry to your httpd-ssl.conf file, but it's an ugly hack:
# https://github.com/zmartzone/mod_auth_openidc/issues/56
OIDCSSLValidateServer Off
In my deployment I chose to mount those httpd config files to the container; that avoids building the OID client secrets into the docker image. Here's a sample docker-compose.yml; on the image line use the tag you applied to the image built from the Dockerfile shown above:
version: "3"
services:
  # httpd starts as root, binds ports then switches to daemon (UID 1)
  httpd:
    image: httpd-openidc:local
    ports:
      - 80:80
      - 443:443
    volumes:
      - /Users/me/apache-httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf
      - /Users/me/apache-httpd/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf
      - /Users/me/apache-httpd/my-dev.key:/usr/local/apache2/conf/server.key
      - /Users/me/apache-httpd/my-dev.crt:/usr/local/apache2/conf/server.crt
So far this works fine, HTH
(Updated Jan 2022 to install ca-certificates, thanks @uupascal!)
Upvotes: 6
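A check that can run before a config file is copied into an image, flagging the two things the answer above is concerned with: OIDC secrets in the file and OIDCSSLValidateServer Off. This is an added example, not part of the original answer; audit_oidc_conf is a hypothetical helper and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit_oidc_conf is a hypothetical helper, not part of
# mod_auth_openidc. It reads an Apache config on stdin (or from a file
# argument), prints one finding per line and returns non-zero if any exist.
audit_oidc_conf() {
    awk '
        $1 ~ /^#/ { next }                            # skip comment lines
        { name = tolower($1); value = tolower($2) }   # directives are case-insensitive
        name == "oidcsslvalidateserver" && value == "off" {
            print FNR ": " $1 " " $2 " disables TLS validation of the provider"
            bad = 1
        }
        name == "oidcclientsecret" || name == "oidccryptopassphrase" {
            print FNR ": " $1 " holds a literal secret"   # the value is never printed
            bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample configuration with placeholder values.
SAMPLE_CONF='OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration
OIDCClientID my-company-client-id
OIDCClientSecret constructed-placeholder
  # OIDCSSLValidateServer Off
  oidcsslvalidateserver off
<Location /secure>
  AuthType openid-connect
</Location>'

if [ -n "${1:-}" ]; then
    audit_oidc_conf "$1"
else
    printf '%s\n' "$SAMPLE_CONF" | audit_oidc_conf || true
fi
```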
Reputation: 41220
You can use the https://github.com/zmartzone/mod_auth_openidc/blob/master/Dockerfile-alpine to build the image and just do your post configurations specific for your site afterwards.
FROM alpine:3.10
ENV MOD_AUTH_OPENIDC_REPOSITORY https://github.com/zmartzone/mod_auth_openidc.git
ENV MOD_AUTH_OPENIDC_BRANCH master
ENV BUILD_DIR /tmp/mod_auth_openidc
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf
# add testing repository (for cjose library)
RUN echo "http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
# ADD source
RUN mkdir ${BUILD_DIR}
# add dependencies, build and install mod_auth_openidc, need atomic operation for image size
RUN apk update && apk add --no-cache \
    apache2 \
    apache2-proxy \
    wget \
    jansson \
    hiredis \
    cjose \
    cjose-dev \
    git \
    autoconf \
    build-base \
    automake \
    curl \
    apache2-dev \
    curl-dev \
    pcre-dev \
    libtool \
    && \
    cd ${BUILD_DIR} && \
    git clone -b ${MOD_AUTH_OPENIDC_BRANCH} ${MOD_AUTH_OPENIDC_REPOSITORY} && \
    cd mod_auth_openidc && \
    ./autogen.sh && \
    ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \
    make test && \
    make install && \
    cd ../.. && \
    rm -fr ${BUILD_DIR} && \
    apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev pcre-dev libtool
# configure apache
RUN apk add --no-cache sed && \
    echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so" >> ${APACHE_DEFAULT_CONF} && \
    ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \
    ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \
    ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \
    chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \
    apk del sed
# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
# stop gracefully when docker stops; creates issues with interactive mode because it's the signal used by the docker engine on windows.
STOPSIGNAL WINCH
# port to expose, refers to the Listen 80 in the embedded httpd.conf
EXPOSE 80
# launch apache
CMD exec /usr/sbin/httpd -D FOREGROUND -f ${APACHE_DEFAULT_CONF}
Upvotes: 0
Reputation: 24442
Instead of manually downloading the necessary libraries I moved that process to the Dockerfile; now the image is created correctly:
FROM httpd:2.4
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./server.crt /usr/local/apache2/conf/
COPY ./server.key /usr/local/apache2/conf/
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so
RUN apt-get update && apt-get install -y curl && apt-get install -y libjansson4 && apt-get install -y wget && apt-get install -y libhiredis0.10 && apt-get install -y apache2-bin
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.jessie.1_amd64.deb && dpkg -i libcjose0_0.5.1-1.jessie.1_amd64.deb
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.3/libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \
    dpkg -i libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb
Upvotes: 2