diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml
index 852c08a07..8d73505ac 100644
--- a/roles/attribute-aggregation/tasks/main.yml
+++ b/roles/attribute-aggregation/tasks/main.yml
@@ -18,6 +18,7 @@
- serverapplication.yml
- logback.xml
- attributeAuthorities.yml
+ - apachelink.conf
notify: restart attribute-aggregationserver
- name: Create and start the server container
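Review bot: The added `apachelink.conf` template notifies `restart attribute-aggregationserver`, but that file is bind-mounted into the separate `aalink` container this commit creates further down, and Apache only reads its site config at start; if the handler restarts only the server container, an edited link config is never applied. Either add a second handler for the link container (`notify: [restart attribute-aggregationserver, restart aalink]` with a matching handler definition) or make the existing handler restart both containers. The template task whose item list this hunk extends begins before the hunk, so the loop/`dest` settings could not be checked here.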
@@ -50,7 +51,7 @@
"-no-verbose",
"--tries=1",
"--spider",
- "http://localhost:8080/internal/health",
+ "http://localhost:8080/aa/api/internal/health",
]
interval: 10s
timeout: 10s
@@ -87,3 +88,37 @@
SHIB_ENTITYID: "https://aa.{{ base_domain }}/shibboleth"
SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
+
+- name: Create the gui link container
+ community.docker.docker_container:
+ name: aalink
+ image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+ pull: true
+ restart_policy: "always"
+ state: started
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.attribute-aggregationlink.rule: "Host(`link.{{ base_domain }}`)"
+ traefik.http.routers.attribute-aggregationlink.tls: "true"
+ traefik.enable: "true"
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "http://localhost/internal/health"]
+ interval: 10s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ mounts:
+ - source: /opt/openconext/attribute-aggregation/apachelink.conf
+ target: /etc/apache2/sites-enabled/000-default.conf
+ type: bind
+ hostname: attribute-link
+ env:
+ HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
+ HTTPD_SERVERNAME: "link.{{ base_domain }}"
+ OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
+ OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
+ OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
+ SHIB_ENTITYID: "https://link.{{ base_domain }}/shibboleth"
+ SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
+ SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
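Review bot: `image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest` combined with `pull: true` means every play run deploys whatever `latest` resolves to at that moment, so the link container is neither pinned nor reproducible and an upstream tag move changes production without a commit; pin a release tag or a digest, e.g. `image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth@sha256:<DIGEST-PLACEHOLDER>`, and bump it deliberately. The mounted Apache config proxies to `aaserver:8080`, so the server container must be attached to the same `loadbalancer` network (its own `networks:` list is outside this hunk) — a short comment on the `networks:` key stating that dependency would help the next maintainer. Because the healthcheck hits `/internal/health`, which the Apache config forwards to `aaserver`, the link container will also be reported unhealthy whenever the backend is down; if that coupling is intended, say so in a comment next to `test:`.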
diff --git a/roles/attribute-aggregation/templates/apachelink.conf.j2 b/roles/attribute-aggregation/templates/apachelink.conf.j2
new file mode 100644
index 000000000..b698831d7
--- /dev/null
+++ b/roles/attribute-aggregation/templates/apachelink.conf.j2
@@ -0,0 +1,41 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !^/aa/
+RewriteCond %{REQUEST_URI} !^/internal/
+RewriteCond %{REQUEST_URI} !^/redirect
+RewriteCond %{REQUEST_URI} !^/fonts/
+RewriteCond %{REQUEST_URI} !^/orcid/
+RewriteRule (.*) /index.html [L]
+
+Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html
+ProxyPass /Shibboleth.sso !
+
+ProxyPass /redirect http://aaserver:8080/aa/api/redirect
+ProxyPass /internal/health http://aaserver:8080/aa/api/internal/health
+ProxyPass /internal/info http://aaserver:8080/aa/api/internal/info
+
+ProxyPass /aa/api http://aaserver:8080/aa/api
+ProxyPassReverse /aa/api http://aaserver:8080/aa/api
+ProxyPassReverse /aa/api/client http://aaserver:8080/aa/api/client
+
+
+
+ AuthType shibboleth
+ ShibUseHeaders On
+ ShibRequireSession On
+ Require valid-user
+
+
+
+Require all granted
+
+
+# The EB endpoints are secured with basic auth
+
+ Require all granted
+
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set X-Content-Type-Options "nosniff"
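Review bot: `ShibUseHeaders On` next to `AuthType shibboleth` hands the Shibboleth attributes to the proxied `aaserver` as request headers, which is only sound while every path to `aaserver:8080` goes through this mod_shib instance; the assumption should be recorded in the config, e.g. `# aaserver trusts Shib-* request headers: keep it reachable only via this proxy`. `ProxyPass /internal/info` and `ProxyPass /internal/health` also publish the backend's internal endpoints on the public `link.` host; if `Require all granted` covers them, consider limiting `/internal/` to the health-check source (`Require ip` or `Require local`) or dropping `/internal/info` from the link host altogether. The `<Location>`/`<Directory>` container lines appear to have been lost in this rendering (the blank lines around the `Require valid-user` and `Require all granted` directives), so the scope of each `Require` could not be verified from the hunk as shown.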