Attribute aggregation: Add container for link, used for ORCID linking

OpenConext · Apr 17, 2024 · dd2d46a · dd2d46a
1 parent 946d3cd
commit dd2d46a
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 1 deletion.
diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml
@@ -18,6 +18,7 @@
     - serverapplication.yml
     - logback.xml
     - attributeAuthorities.yml
+    - apachelink.conf
   notify: restart attribute-aggregationserver
 
 - name: Create and start the server container
@@ -50,7 +51,7 @@
           "-no-verbose",
           "--tries=1",
           "--spider",
-          "http://localhost:8080/internal/health",
+          "http://localhost:8080/aa/api/internal/health",
         ]
       interval: 10s
       timeout: 10s
@@ -87,3 +88,37 @@
       SHIB_ENTITYID: "https://aa.{{ base_domain }}/shibboleth"
       SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
       SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
+
+- name: Create the gui link container
+  community.docker.docker_container:
+    name: aalink
+    image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+    pull: true
+    restart_policy: "always"
+    state: started
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.attribute-aggregationlink.rule: "Host(`link.{{ base_domain }}`)"
+      traefik.http.routers.attribute-aggregationlink.tls: "true"
+      traefik.enable: "true"
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost/internal/health"]
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    mounts:
+      - source: /opt/openconext/attribute-aggregation/apachelink.conf
+        target: /etc/apache2/sites-enabled/000-default.conf
+        type: bind
+    hostname: attribute-link
+    env:
+      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
+      HTTPD_SERVERNAME: "link.{{ base_domain }}"
+      OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
+      OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
+      OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
+      SHIB_ENTITYID: "https://link.{{ base_domain }}/shibboleth"
+      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
+      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
diff --git a/roles/attribute-aggregation/templates/apachelink.conf.j2 b/roles/attribute-aggregation/templates/apachelink.conf.j2
@@ -0,0 +1,41 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !^/aa/
+RewriteCond %{REQUEST_URI} !^/internal/
+RewriteCond %{REQUEST_URI} !^/redirect
+RewriteCond %{REQUEST_URI} !^/fonts/
+RewriteCond %{REQUEST_URI} !^/orcid/
+RewriteRule (.*) /index.html [L]
+
+Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html
+ProxyPass /Shibboleth.sso !
+
+ProxyPass /redirect http://aaserver:8080/aa/api/redirect
+ProxyPass /internal/health http://aaserver:8080/aa/api/internal/health
+ProxyPass /internal/info http://aaserver:8080/aa/api/internal/info 
+
+ProxyPass /aa/api http://aaserver:8080/aa/api 
+ProxyPassReverse /aa/api http://aaserver:8080/aa/api
+ProxyPassReverse /aa/api/client http://aaserver:8080/aa/api/client
+
+
+<Location />
+  AuthType shibboleth
+  ShibUseHeaders On
+  ShibRequireSession On
+  Require valid-user
+</Location>
+
+<Location ~ "/internal/(health|info)">
+Require all granted
+</Location>
+
+# The EB endpoints are secured with basic auth
+<Location ~ "/aa/api/internal/">
+  Require all granted
+</Location>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set X-Content-Type-Options "nosniff"