# Meechum Apache Module EZConfig Options

These properties should be included in your `/etc/default/ezconfig` file, as needed.
## For simple use-cases when terminating TLS/https on an ELB

| Property/Values | Required/Optional | Description |
|---|---|---|
| `APACHE_MEECHUM = enabled` | Required | Enables the module within ezconfig |
| `APACHE_HTTPS_HOSTNAME = <FQDN_of_application>` | Required | Fully qualified DNS name of your application |
| `APACHE_MEECHUM_CLIENT = <meechum_client_id>` | Required | Meechum client_id |
| `APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret` | Required | Metatron-encrypted client secret |
| `APACHE_TIMEOUT = 61` | Required | See the Apache documentation for this setting |
| `APACHE_KEEPALIVE = Off` | Required | See the Apache documentation for this setting |
| `APACHE_HTTPSLISTENPORT = 443` | Optional | Default 443 |
| `CONFIG_SELECT = $NETFLIX_ENVIRONMENT` | Optional | Allows you to have different configurations per environment. See: ezconfig environment driven configurations |
## For simple use-cases when terminating TLS/https on the instance

| Property/Values | Required/Optional | Description |
|---|---|---|
| `APACHE_HTTPS = enabled` | Required | Enables TLS termination within Apache |
| `APACHE_HTTPS_HOSTNAME` | Required | Fully qualified DNS name of your application |
| `APACHE_HTTPSLISTENPORT = 7002` | Optional | Default 7002 |
| `APACHE_MEECHUM = enabled` | Required | Enables the module within ezconfig |
| `APACHE_MEECHUM_CLIENT` | Required | Meechum client_id |
| `APACHE_MEECHUM_SECRET` | Required | Meechum client_secret, OpenEncrypted |
| `APACHE_TLS_CERT = /set/this/to/your/server.crt` | Required | Path to the server certificate |
| `APACHE_TLS_KEY` | Required | Path to the server private key |
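As an added example (not part of the Meechum or ezconfig documentation), the following POSIX shell script writes a constructed `/etc/default/ezconfig` for each of the two modes above and checks that every property marked Required for the chosen mode is present, that `APACHE_KEEPALIVE` is `Off` in the ELB case, that `APACHE_HTTPS` is `enabled` in the on-instance case, and that `APACHE_MEECHUM_SECRET` is a path to the encrypted secret file rather than an inline secret. The hostname, client id, secret path and certificate paths are placeholders, and the mode names `elb` and `instance` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Meechum/ezconfig documentation: writes a
# constructed /etc/default/ezconfig for each TLS-termination mode described
# above and checks that the properties marked Required for that mode are set.
# Hostname, client id, secret path and certificate paths are placeholders.

# cfg_get FILE KEY: print the value of KEY, tolerating the "KEY = value"
# spacing used in the tables and stripping surrounding double quotes.
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Properties the two tables above mark as Required, per mode.
required_keys() {
  case "$1" in
    elb)
      echo "APACHE_MEECHUM APACHE_HTTPS_HOSTNAME APACHE_MEECHUM_CLIENT"
      echo "APACHE_MEECHUM_SECRET APACHE_TIMEOUT APACHE_KEEPALIVE" ;;
    instance)
      echo "APACHE_HTTPS APACHE_HTTPS_HOSTNAME APACHE_MEECHUM APACHE_MEECHUM_CLIENT"
      echo "APACHE_MEECHUM_SECRET APACHE_TLS_CERT APACHE_TLS_KEY" ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# check_ezconfig MODE FILE: print one line per problem; return 1 if any.
check_ezconfig() {
  mode=$1; file=$2; rc=0
  keys=$(required_keys "$mode") || return 2
  for key in $keys; do
    if [ -z "$(cfg_get "$file" "$key")" ]; then
      echo "missing required property: $key"; rc=1
    fi
  done
  case "$mode" in
    elb)
      # The ELB table requires KeepAlive Off.
      [ "$(cfg_get "$file" APACHE_KEEPALIVE)" = "Off" ] \
        || { echo "APACHE_KEEPALIVE must be Off behind an ELB"; rc=1; }
      ;;
    instance)
      [ "$(cfg_get "$file" APACHE_HTTPS)" = "enabled" ] \
        || { echo "APACHE_HTTPS must be enabled for on-instance TLS"; rc=1; }
      ;;
  esac
  # The secret is a path to the encrypted secret file, never the literal secret.
  case "$(cfg_get "$file" APACHE_MEECHUM_SECRET)" in
    /*|"") ;;
    *) echo "APACHE_MEECHUM_SECRET must be a path to the encrypted secret file"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample for TLS terminated on the ELB (all values placeholders).
sample_elb_config() {
  cat > "$1" <<'EOF'
APACHE_MEECHUM = enabled
APACHE_HTTPS_HOSTNAME = myapp.example.com
APACHE_MEECHUM_CLIENT = myapp-client-id
APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret
APACHE_TIMEOUT = 61
APACHE_KEEPALIVE = Off
APACHE_HTTPSLISTENPORT = 443
CONFIG_SELECT = $NETFLIX_ENVIRONMENT
EOF
}

# Constructed sample for TLS terminated on the instance (all values placeholders).
sample_instance_config() {
  cat > "$1" <<'EOF'
APACHE_HTTPS = enabled
APACHE_HTTPS_HOSTNAME = myapp.example.com
APACHE_HTTPSLISTENPORT = 7002
APACHE_MEECHUM = enabled
APACHE_MEECHUM_CLIENT = myapp-client-id
APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret
APACHE_TLS_CERT = /apps/myapp/server.crt
APACHE_TLS_KEY = /apps/myapp/server.key
EOF
}

# Stand-alone usage:  ./check_ezconfig.sh elb /etc/default/ezconfig
if [ $# -eq 2 ]; then
  if check_ezconfig "$1" "$2"; then echo "ok: $2 meets the $1 requirements"; else exit 1; fi
fi
```

The check runs before Apache is restarted, so a missing property or a secret pasted inline is caught at deploy time instead of showing up as a failed login or a leaked credential in a config backup.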
## Additional Optional Properties

| Property/Values | Default (or Required/Optional) | Description |
|---|---|---|
| `APACHE_LOCATIONS_FILE = <path to vhost configuration>` | N/A | Ex. `/apps/myapp/myappvhost.conf` |
| `APACHE_MEECHUM_ADDITIONAL_HOOKS = [iat\|access_token\|access_token_expires\|id_token\|userinfo\|refresh_token\|session]` | profile | The 'profile' data point is provided by the 'additional hooks' parameter. The rest (access_token, refresh_token, session, userinfo) are provided by default. Use this parameter to define additional data points. |
| `APACHE_MEECHUM_ADDITIONAL_SCOPES = "<scopes-separated-by-spaces>"` | Optional | Defines additional OpenID Connect scopes that the module requests. By default, applications get the 'default' and '<app_name>' scopes. |
| `APACHE_MEECHUM_AUTH_REQUEST_PARAMS = "auth_strategy=<auth strategy endpoint definition>"` | Optional | Different authentication backends can be specified to allow Partner or Prodicle authentication. Partner Prod Directory and Netflix Google: `"auth_strategy=NetflixPartnerLogin"`; Partner Test Directory and Netflix Google: `"auth_strategy=NetflixPartnerTestLogin"`; Prodicle: `"auth_strategy=Prodicle"` |
| `APACHE_MEECHUM_BLACKLISTEDCLAIMS = <space separated list of claims, e.g. [email\|org.supervisor\|name]>` | | Allows blacklisting of claims. |
| `APACHE_MEECHUM_CACHE_TYPE = [shm\|memcache\|redis]` | redis | By default, Meechum uses Amazon's ElastiCache-backed managed Redis for the session cache, using a shared Redis cluster (which exists in our common regions and accounts). A different Redis cluster/endpoint can be provided to use a private session cache. Browser cookie (shm) or memcache can also be used (see below). |
| `APACHE_MEECHUM_CALLBACK_UNAUTHACTION = [auth\|pass\|401\|410]` | 401 | Similar to APACHE_MEECHUM_UNAUTHACTION, but specifically for the /meechum callback link. This is mainly used to handle the session timeout behaviour when using the infohook feature off the callback URI. |
| `APACHE_MEECHUM_CLAIM_DELIMITER = <char>` | "," | Ex. `APACHE_MEECHUM_CLAIM_DELIMITER = ":"` |
| `APACHE_MEECHUM_COOKIE_DOMAIN = <cookie-domain>` | $APACHE_HTTPS_HOSTNAME | Specifies the domain for which the "state" and "session" cookies are set. This must match APACHE_HTTPS_HOSTNAME and the URL on which you host your protected application. When not defined, the default is the server hostname. |
| `APACHE_MEECHUM_COOKIE_PATH = <cookie-path>` | "/" (server-wide) | Defines the cookie path for the "state" and "session" cookies. When not defined, the default is a server-wide "/". |
| `APACHE_MEECHUM_DEFAULTURL = <url>` | https://${HTTP_HOST} | Allows a user-defined URL. Previously this was hardcoded to https://%{HTTP_HOST}/%{REQUEST_URI} |
| `APACHE_MEECHUM_ERROR_TEMPLATE = <filename>` | N/A | Template used to display error messages. The template must take two strings, an error title and a more detailed error description, both HTML-encoded, in that order and referenced by C-style "%s", e.g. `Message:%s Description:%s`. When not defined, a bare-bones internal template is used. Ex. `APACHE_MEECHUM_ERROR_TEMPLATE = /apps/myapp/error.html` |
| `APACHE_MEECHUM_LOCATIONS = <sso protected paths>` | ^/ | Paths requiring authentication. By default, everything not explicitly whitelisted in APACHE_PLAIN_LOCATIONS is authenticated. This expression must be in Apache LocationMatch-compatible format. Note that if APACHE_LOCATIONS_FILE is set, APACHE_MEECHUM_LOCATIONS has no effect. Ex. `APACHE_MEECHUM_LOCATIONS = ^/` |
| `APACHE_MEECHUM_LOGOUT_URL = <url>` | N/A | Default URL the user is sent to after logout; it may be overridden explicitly during logout. When not defined and no URL was passed explicitly, a default internal page is shown. |
| `APACHE_MEECHUM_MEMCACHE_SERVER = <hostname>[:<port>]` | evcache_sso.{region}.dyn{env}.netflix.net:11211 | Memcache endpoint used when APACHE_MEECHUM_CACHE_TYPE is memcache |
| `APACHE_MEECHUM_OAUTH_ACCEPT_TOKENS_AS = [header\|post\|query\|cookie[:<cookie-name>]]` | "header" | Defines the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server. Must be one or several of: "header": an "Authorization: bearer" header; "post": an HTTP POST parameter called "access_token"; "query": an HTTP query parameter called "access_token"; "cookie": a cookie with the name specified after ":" |
| `APACHE_MEECHUM_OAUTH_JWKS_URL = <url>` | default | <url> generated by default: https://meechum.netflix.com/ext/oauth/nflxJwTDefault/jwks |
| `APACHE_MEECHUM_OAUTH_LOCATIONS = <oauth20 protected paths>` | N/A | Paths requiring OAuth authentication. By default, nothing is authenticated. This expression must be in Apache LocationMatch-compatible format. Note that if APACHE_LOCATIONS_FILE is set, APACHE_MEECHUM_OAUTH_LOCATIONS has no effect. Note also that these locations require the scope matching the OIDCClientID (EZConfig option APACHE_MEECHUM_CLIENT). Ex. `APACHE_MEECHUM_OAUTH_LOCATIONS = ^/REST` |
| `APACHE_MEECHUM_PASS_CLAIMS_AS = [none\|headers\|environment\|both]` | "headers" | Defines how claims and tokens are passed to the application environment: "none": no claims/tokens are passed; "environment": as environment variables; "headers": in headers (also useful in reverse-proxy scenarios); "both": as both headers and environment variables. When not defined, the default is "both". The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires. The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see APACHE_MEECHUM_PASS_REFRESH_TOKEN). See also the list of attributes/claims. |
| `APACHE_MEECHUM_PASS_REFRESH_TOKEN = [On\|Off]` | Off | Whether the refresh token is passed to the application in a header/environment variable. Ex. `APACHE_MEECHUM_PASS_REFRESH_TOKEN = On` |
| `APACHE_MEECHUM_PASSCOOKIES = [<cookie-name>]+` | N/A | Names of cookies to pick up from the browser and send along on backchannel calls to the OP and AS endpoints. This can be used for load-balancing purposes. When not defined, no such cookies are sent. |
| `APACHE_MEECHUM_REDIS_SERVER = <hostname>[:<port>]` | sso-cache.{region}.meechum.{env}.netflix.net:6379 | Redis endpoint used when APACHE_MEECHUM_CACHE_TYPE is redis; override it to use a private session cache |
| `APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = [On\|Off]` | "On" | Scrubs user name and claim headers (as configured above) from the user's request. The default is "On"; use "Off" only for testing and debugging, because it renders your system insecure. |
| `APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT = <seconds>` | 3600 (seconds) | Interval in seconds after which the session is invalidated when no interaction has occurred. |
| `APACHE_MEECHUM_SESSION_MAX_DURATION = <seconds>` | 7100 (seconds) | Maximum duration of the application session |
| `APACHE_MEECHUM_UNAUTHACTION = [auth\|pass\|401\|410]` | auth | Action taken when an unauthenticated request is made. "auth": the user is redirected to the OpenID Connect Provider or Discovery page; "401": HTTP 401 Unauthorized is returned; "410": HTTP 410 Gone is returned; "pass": an unauthenticated request passes, but claims are still passed when the user happens to be authenticated already. Useful in Location/Directory/Proxy path contexts that serve AJAX/JavaScript calls and for "anonymous access". |
| `APACHE_MEECHUM_USERINFOREFRESHINTERVAL = <seconds>` | 900 (seconds) | Claims are automatically refreshed every 900 seconds (15 minutes). |
| `APACHE_MEECHUM_WHITELISTEDCLAIMS = <space separated list of claims, e.g. [email\|org.supervisor\|name]>` | | Allows whitelisting of claims, mainly to reduce header sizes by giving the developer control over what is passed. Note that when a claim is whitelisted, it blacklists ALL OTHER CLAIMS. Also note that the access token is whitelisted regardless. |
| `APACHE_PLAIN_LOCATIONS = <unprotected paths>` | `^/(healthcheck\|Admin(Proxy(Status\|Info)\|Logs\|GCViz))` | Paths that are allowed over HTTP (and without Meechum auth if enabled). Note that the Admin URLs are IP-whitelisted. This expression must be in Apache LocationMatch-compatible format. Note that if APACHE_LOCATIONS_FILE is set, APACHE_PLAIN_LOCATIONS has no effect. Ex. `APACHE_PLAIN_LOCATIONS = ^/(healthcheck\|Admin(Proxy(Status\|Info)\|Logs\|GCViz))` |
| `APACHE_PROXY = [ajp\|http]` | ajp | Protocol used to proxy connections to a Tomcat application. AJP is the default. When using EZConfig, any existing Tomcat 'server.xml' configuration is overwritten to support the protocol and the port defined in TOMCAT_HTTPPORT. |
| `TOMCAT_HTTPPORT = <tomcat listen port>` | 8009 | The application listener port. It can be changed to suit your application port, regardless of whether it's Tomcat. |
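Several of the optional properties above carry a security consequence that the table states but nothing enforces: `APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = Off` lets a client supply its own claim headers, a cookie domain that does not match `APACHE_HTTPS_HOSTNAME` scopes the session cookie wider than the application, and an unanchored `APACHE_PLAIN_LOCATIONS` pattern matches anywhere in the path because LocationMatch takes a regular expression. The following POSIX shell lint is an added example (not part of the Meechum or ezconfig documentation) that reads an ezconfig file and reports those settings, plus a few others the table describes; the sample configs are constructed, and the rule that the inactivity timeout must not exceed the maximum session duration is this example's own assumption rather than a documented requirement.

```shell
#!/bin/sh
# Added example, not part of the Meechum/ezconfig documentation: a lint for the
# optional properties above that flags settings the table calls unsafe or
# inconsistent. Sample configs are constructed; the rule marked "assumed" is
# this example's own, not a documented requirement.

# cfg_get FILE KEY: value of KEY ("KEY = value" spacing tolerated, quotes stripped).
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
warn() { echo "WARN: $1"; }

# lint_ezconfig FILE: print FAIL/WARN findings; return 1 when any FAIL was found.
lint_ezconfig() {
  f=$1; fails=0

  # Documented: "Off" renders the system insecure (claim headers are not scrubbed).
  scrub=$(cfg_get "$f" APACHE_MEECHUM_SCRUB_REQUEST_HEADERS)
  [ -z "$scrub" ] || [ "$scrub" = "On" ] \
    || fail "APACHE_MEECHUM_SCRUB_REQUEST_HEADERS=$scrub; must be On outside debugging"

  # Documented: the cookie domain must match APACHE_HTTPS_HOSTNAME.
  host=$(cfg_get "$f" APACHE_HTTPS_HOSTNAME)
  dom=$(cfg_get "$f" APACHE_MEECHUM_COOKIE_DOMAIN)
  [ -z "$dom" ] || [ "$dom" = "$host" ] || [ "$dom" = '$APACHE_HTTPS_HOSTNAME' ] \
    || fail "APACHE_MEECHUM_COOKIE_DOMAIN=$dom does not match APACHE_HTTPS_HOSTNAME=$host"

  # Documented: a whitelist already blacklists every other claim.
  if [ -n "$(cfg_get "$f" APACHE_MEECHUM_WHITELISTEDCLAIMS)" ] \
     && [ -n "$(cfg_get "$f" APACHE_MEECHUM_BLACKLISTEDCLAIMS)" ]; then
    warn "WHITELISTEDCLAIMS and BLACKLISTEDCLAIMS both set; a whitelist already blacklists all other claims"
  fi

  # LocationMatch patterns are regexes: unanchored, they match anywhere in the path.
  for key in APACHE_PLAIN_LOCATIONS APACHE_MEECHUM_LOCATIONS APACHE_MEECHUM_OAUTH_LOCATIONS; do
    pat=$(cfg_get "$f" "$key")
    case "$pat" in
      ""|"^"*) ;;
      *) fail "$key='$pat' is not anchored with ^" ;;
    esac
  done

  # Assumed sanity rule: the inactivity timeout cannot exceed the max duration
  # (documented defaults 3600 and 7100 are used when a value is absent).
  idle=$(cfg_get "$f" APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT)
  max=$(cfg_get "$f" APACHE_MEECHUM_SESSION_MAX_DURATION)
  if [ "${idle:-3600}" -gt "${max:-7100}" ]; then
    fail "SESSION_INACTIVITY_TIMEOUT (${idle:-3600}) exceeds SESSION_MAX_DURATION (${max:-7100})"
  fi

  # Bearer tokens in query strings end up in access logs and Referer headers.
  case "$(cfg_get "$f" APACHE_MEECHUM_OAUTH_ACCEPT_TOKENS_AS)" in
    *query*) warn "OAUTH_ACCEPT_TOKENS_AS includes query; tokens will appear in logged URLs" ;;
  esac

  # Refresh tokens reach the application only when explicitly enabled; flag it.
  [ "$(cfg_get "$f" APACHE_MEECHUM_PASS_REFRESH_TOKEN)" != "On" ] \
    || warn "PASS_REFRESH_TOKEN=On exposes refresh tokens to the application"

  [ "$fails" -eq 0 ]
}

# Constructed sample that keeps the documented defaults where they matter.
sample_hardened_config() {
  cat > "$1" <<'EOF'
APACHE_HTTPS_HOSTNAME = myapp.example.com
APACHE_MEECHUM_COOKIE_DOMAIN = myapp.example.com
APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = On
APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT = 1800
APACHE_MEECHUM_SESSION_MAX_DURATION = 7100
APACHE_MEECHUM_WHITELISTEDCLAIMS = email name
APACHE_PLAIN_LOCATIONS = ^/(healthcheck|Admin(Proxy(Status|Info)|Logs|GCViz))
APACHE_MEECHUM_OAUTH_LOCATIONS = ^/REST
EOF
}

# Constructed sample with the settings the lint is meant to catch.
sample_weak_config() {
  cat > "$1" <<'EOF'
APACHE_HTTPS_HOSTNAME = myapp.example.com
APACHE_MEECHUM_COOKIE_DOMAIN = example.com
APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = Off
APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT = 86400
APACHE_MEECHUM_SESSION_MAX_DURATION = 7100
APACHE_PLAIN_LOCATIONS = /(healthcheck|debug)
APACHE_MEECHUM_OAUTH_ACCEPT_TOKENS_AS = "header query"
APACHE_MEECHUM_PASS_REFRESH_TOKEN = On
EOF
}

# Stand-alone usage:  ./lint_ezconfig.sh /etc/default/ezconfig
[ -z "$1" ] || lint_ezconfig "$1"
```

FAIL findings map to statements the table makes ("renders your system insecure", "must match the APACHE_HTTPS_HOSTNAME", "LocationMatch compatible format"), so they are safe to gate a deploy on; WARN findings are choices the table permits but that widen token exposure, and deserve a documented reason rather than a hard block.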
More options: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf