Meechum Apache Module EZConfig Options¶

These properties should be included in your /etc/default/ezconfig file, as needed.

For simple use-cases when terminating TLS/https on an ELB¶

Property/Values	Required/Optional	Description
APACHE_MEECHUM = enabled	Required	Enables the module within ezconfig
APACHE_HTTPS_HOSTNAME = < FQDN_of_application >	Required	Fully qualified DNS name to your application
APACHE_MEECHUM_CLIENT = < meechum_client_id >	Required	Meechum client_id
APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret	Required	Metatron encrypted client secret
APACHE_TIMEOUT = 61	Required	More info
APACHE_KEEPALIVE = Off	Required	More info
APACHE_HTTPSLISTENPORT = 443	Optional	Default 443
CONFIG_SELECT = $NETFLIX_ENVIRONMENT	Optional	Allows you to have different configurations per environment. See: ezconfig environment driven configurations

For simple use-cases when terminating TLS/https on instance¶

Property/Values	Required/Optional	Description
APACHE_HTTPS = enabled	Required	Enables TLS termination within Apache
APACHE_HTTPS_HOSTNAME	Required	Fully qualified dns name to your application
APACHE_HTTPSLISTENPORT = 7002	Optional	Default 7002
APACHE_MEECHUM = enabled	Required	Enables the module within ezconfig
APACHE_MEECHUM_CLIENT	Required	Meechum client_id
APACHE_MEECHUM_SECRET	Required	Meechum client_secet OpenEncrypted
APACHE_TLS_CERT = /set/this/to/your/server.crt	Required
APACHE_TLS_KEY	Required

Additional Optional Properties¶

Property/Values	Defaults - Required/Optional	Description
APACHE_LOCATIONS_FILE = < path to vhost configuration >	N/A	Ex. /apps/myapp/myappvhost.conf
APACHE_MEECHUM_ADDITIONAL_HOOKS = [iat`\|`access_token`\|`access_token_expires`\|`id_token`\|`userinfo`\|`refresh_token`\|`session]	profile	The 'profile' data point is provided by the 'additional hooks' parameter. The rest: access_token refresh_token session userinfo - are provided by default. Use this parameter to define additional data points.
APACHE_MEECHUM_ADDITIONAL_SCOPES = "< scopes-separated-by-spaces >"	Optional	Define additional OpenID Connect scopes that are requested from the Module By default, applications get the 'default' and '< app_name >' scopes.
APACHE_MEECHUM_AUTH_REQUEST_PARAMS = "auth_strategy=< auth strategy endpoint definition >"	Optional	Different authentication backends can be specified to allow Partner or Prodicle authentication: Partner Prod Directory and Netflix Google: "auth_strategy=NetflixPartnerLogin" Partner Test Directory and Netflix Google auth: "auth_strategy=NetflixPartnerTestLogin" Prodicle: "auth_strategy=Prodicle"
APACHE_MEECHUM_BLACKLISTEDCLAIMS = < space separated list of claims - e.g: [email`\|`org.supervisor`\|`name] >		This allows for blacklisting claims.
APACHE_MEECHUM_CACHE_TYPE = [shm`\|`memcache`\|`redis]	redis	By default, Meechum will use Amazon's 'Elasticache-backed' managed Redis for session cache, using a shared Redis cluster (which exists in our common regions and accounts). A different Redis cluster/endpoint can be provided to use a private session cache. Browser Cookie (shm) or memcache can also be used (see below).
APACHE_MEECHUM_CALLBACK_UNAUTHACTION = [auth`\|`pass`\|`401`\|`410]	401	Similar to APACHE_MEECHUM_UNAUTHACTION, except specifically for the /meechum callback link. This is mainly used to handle the session timeout behavior whilst using the infohook feature off of the callback URI.
APACHE_MEECHUM_CLAIM_DELIMITER = < char >	","	Ex. APACHE_MEECHUM_CLAIM_DELIMITER = ":"
APACHE_MEECHUM_COOKIE_DOMAIN = < cookie-domain >	$APACHE_HTTPS_HOSTNAME	Specify the domain for which the "state" and "session" cookies will be set. This must match the APACHE_HTTPS_HOSTNAME and the URL on which you host your protected application. When not defined the default is the server hostname.
APACHE_MEECHUM_COOKIE_PATH = < cookie-path >	"/" server-wide	Define the cookie path for the "state" and "session" cookies. When not defined the default is a server-wide "/".
APACHE_MEECHUM_DEFAULTURL = < url >	https://${HTTP_HOST}	Allows for a user-defined URL. Previously, this was hardcoded to: https://%{HTTP_HOST}/%{REQUEST_URI}
APACHE_MEECHUM_ERROR_TEMPLATE = < filename >	N/A	Template used to display error messages. The template must be prepared to take two strings, an error title and a more details error description, both HTML encoded values, in that order and referenced by (C-style) "%s", e.g. Message:%s Description:%s . When not defined a bare-bones internal template is used. Ex. APACHE_MEECHUM_ERROR_TEMPLATE = /apps/myapp/error.html
APACHE_MEECHUM_LOCATIONS = < sso protected paths >	^/	Paths requiring authentication. By default, authenticate everything not explicitly whitelisted in APACHE_PLAINLOCATIONS. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_MEECHUM_LOCATIONS has no effect. Ex. APACHE_MEECHUM_LOCATIONS = ^/
APACHE_MEECHUM_LOGOUT_URL = < url >	N/A	Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout. When not defined and no URL was passed explicitly, a default internal page will be shown.
APACHE_MEECHUM_MEMCACHE_SERVER = < hostname >[:]	evcache_sso. ${region}.dyn$ {env}.netflix.net:11211
APACHE_MEECHUM_OAUTH_ACCEPT_TOKENS_AS = [header`\|`post`\|`query`\|`cookie[:]+	"header"	Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server. Must be one or several of: "header" : an "Authorization: bearer" header "post" : an HTTP Post parameter called "access_token" "query" : as an HTTP query parameter called "access_token" "cookie" : as a cookie header called whatever is specified after ":"
APACHE_MEECHUM_OAUTH_JWKS_URL = < url >	default	< url > generated by default: https://meechum.netflix.com/ext/oauth/nflxJwTDefault/jwks
APACHE_MEECHUM_OAUTH_LOCATIONS = < oauth20 protected paths >	N/A	Paths requiring OAuth authentication. By default, authenticate nothing. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_MEECHUM_OAUTH_LOCATIONS has no effect. Note also that these locations will require the scope matching the OIDCClientID (EZConfig Option APACHE_MEECHUM_CLIENT) Ex. APACHE_MEECHUM_OAUTH_LOCATIONS = ^/REST
APACHE_MEECHUM_PASS_CLAIMS_AS = [none`\|`headers`\|`environment`\|`both]	"headers"	Define the way in which the claims and tokens are passed to the application environment: "none": no claims/tokens are passed "environment": claims/tokens are passed as environment variables "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's) "both": claims/tokens are passed as both headers as well as environment variables (default) When not defined the default is "both". The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires. The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: APACHE_MEECHUM_PASS_REFRESH_TOKEN) List of attributes/claims
APACHE_MEECHUM_PASS_REFRESH_TOKEN = [On`\|`Off]	Off	Indicates whether the refresh token will be passed to the application in a header/environment variable Ex. APACHE_MEECHUM_PASS_REFRESH_TOKEN = On
APACHE_MEECHUM_PASSCOOKIES = [ < cookie-name > ]+	N/A	Specify the names of cookies to pickup from the browser and send along on backchannel calls to the OP and AS endpoints. This can be used for load-balancing purposes. When not defined, no such cookies are sent.
APACHE_MEECHUM_REDIS_SERVER = < hostname >[:]	sso-cache. ${region}.meechum.$ {env}.netflix.net:6379
APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = [On`\|`Off]	"On"	Scrub user name and claim headers (as configured above) from the user's request. The default is "On"; use "Off" only for testing and debugging because it renders your system insecure.
APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT = < seconds >	3600 (seconds)	Interval in seconds after which the session will be invalidated when no interaction has occurred.
APACHE_MEECHUM_SESSION_MAX_DURATION = < seconds >	7100 (seconds)	Maximum duration of the application session
APACHE_MEECHUM_UNAUTHACTION = [auth`\|`pass`\|`401`\|`410]	auth	Defines the action to be taken when an unauthenticated request is made. "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page. "401" means that HTTP 401 Unauthorized is returned. "410" means that HTTP 410 Gone is returned "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
APACHE_MEECHUM_USERINFOREFRESHINTERVAL = < seconds >	900 (seconds)	Automatic return of claims every 900 seconds(15 minutes).
APACHE_MEECHUM_WHITELISTEDCLAIMS = < space separated list of claims - e.g: [email`\|`org.supervisor`\|`name] >		This allows for whitelisting of claims - Mainly to help reduce header sizes by giving the developer some control over what is passed. Please note that when a claim is whitelisted, it blacklists ALL OTHER CLAIMS. Also note that the access token is whitelisted regardless.
APACHE_PLAIN_LOCATIONS = < unprotected paths >	^/(healthcheck`\|`Admin(Proxy(Status`\|`Info)`\|`Logs`\|`GCViz))	Paths that are allowed over HTTP (and without Meechum auth if enabled). Note that the Admin URLs are IP whitelisted. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_PLAIN_LOCATIONS has no effect. Ex. APACHE_PLAIN_LOCATIONS = ^/(healthcheck`\|`Admin(Proxy(Status`\|`Info)`\|`Logs`\|`GCViz))
APACHE_PROXY = [ajp`\|`http]	ajp	Defines the protocol for use to proxy connections to a Tomcat application. AJP is the default protocol. When using EZConfig, any existing Tomcat 'server.xml' configuration will get overwritten to support the protocol and the port defined in TOMCAT_HTTPPORT.
TOMCAT_HTTPPORT= < tomcat listen port >	8009	The application listener port. It can be changed to suit your application port, regardless if it's Tomcat.

More options: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf