Meechum Apache Module EZConfig Options

These properties should be included in your /etc/default/ezconfig file, as needed.

For simple use-cases when terminating TLS/https on an ELB

| Property / Values | Required/Optional | Description |
|---|---|---|
| `APACHE_MEECHUM = enabled` | Required | Enables the module within ezconfig |
| `APACHE_HTTPS_HOSTNAME = <FQDN_of_application>` | Required | Fully qualified DNS name of your application |
| `APACHE_MEECHUM_CLIENT = <meechum_client_id>` | Required | Meechum client_id |
| `APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret` | Required | Metatron-encrypted client secret |
| `APACHE_TIMEOUT = 61` | Required | More info |
| `APACHE_KEEPALIVE = Off` | Required | More info |
| `APACHE_HTTPSLISTENPORT = 443` | Optional | Default 443 |
| `CONFIG_SELECT = $NETFLIX_ENVIRONMENT` | Optional | Allows you to have different configurations per environment. See: ezconfig environment driven configurations |

For simple use-cases when terminating TLS/https on instance

| Property / Values | Required/Optional | Description |
|---|---|---|
| `APACHE_HTTPS = enabled` | Required | Enables TLS termination within Apache |
| `APACHE_HTTPS_HOSTNAME` | Required | Fully qualified DNS name of your application |
| `APACHE_HTTPSLISTENPORT = 7002` | Optional | Default 7002 |
| `APACHE_MEECHUM = enabled` | Required | Enables the module within ezconfig |
| `APACHE_MEECHUM_CLIENT` | Required | Meechum client_id |
| `APACHE_MEECHUM_SECRET` | Required | Meechum client_secret, OpenEncrypted |
| `APACHE_TLS_CERT = /set/this/to/your/server.crt` | Required | |
| `APACHE_TLS_KEY` | Required | |

Additional Optional Properties

| Property / Values | Default (or Required/Optional) | Description |
|---|---|---|
| `APACHE_LOCATIONS_FILE = <path to vhost configuration>` | N/A | Ex. `/apps/myapp/myappvhost.conf` |
| `APACHE_MEECHUM_ADDITIONAL_HOOKS = [iat\|access_token\|access_token_expires\|id_token\|userinfo\|refresh_token\|session]` | profile | The 'profile' data point is provided by the 'additional hooks' parameter. The rest (access_token, refresh_token, session, userinfo) are provided by default. Use this parameter to define additional data points. |
| `APACHE_MEECHUM_ADDITIONAL_SCOPES = "<scopes-separated-by-spaces>"` | Optional | Define additional OpenID Connect scopes that the module requests. By default, applications get the 'default' and '<app_name>' scopes. |
| `APACHE_MEECHUM_AUTH_REQUEST_PARAMS = "auth_strategy=<auth strategy endpoint definition>"` | Optional | Different authentication backends can be specified to allow Partner or Prodicle authentication. Partner Prod Directory and Netflix Google: `"auth_strategy=NetflixPartnerLogin"`. Partner Test Directory and Netflix Google auth: `"auth_strategy=NetflixPartnerTestLogin"`. Prodicle: `"auth_strategy=Prodicle"`. |
| `APACHE_MEECHUM_BLACKLISTEDCLAIMS = <space separated list of claims, e.g. [email\|org.supervisor\|name]>` | | Allows blacklisting of claims. |
| `APACHE_MEECHUM_CACHE_TYPE = [shm\|memcache\|redis]` | redis | By default, Meechum uses Amazon's ElastiCache-backed managed Redis for the session cache, using a shared Redis cluster (which exists in our common regions and accounts). A different Redis cluster/endpoint can be provided to use a private session cache. Browser cookie (shm) or memcache can also be used (see below). |
| `APACHE_MEECHUM_CALLBACK_UNAUTHACTION = [auth\|pass\|401\|410]` | 401 | Similar to APACHE_MEECHUM_UNAUTHACTION, but specifically for the /meechum callback link. Mainly used to handle the session-timeout behaviour when using the infohook feature off the callback URI. |
| `APACHE_MEECHUM_CLAIM_DELIMITER = <char>` | "," | Ex. `APACHE_MEECHUM_CLAIM_DELIMITER = ":"` |
| `APACHE_MEECHUM_COOKIE_DOMAIN = <cookie-domain>` | $APACHE_HTTPS_HOSTNAME | Specify the domain for which the "state" and "session" cookies are set. This must match APACHE_HTTPS_HOSTNAME and the URL on which you host your protected application. When not defined, the default is the server hostname. |
| `APACHE_MEECHUM_COOKIE_PATH = <cookie-path>` | "/" (server-wide) | Define the cookie path for the "state" and "session" cookies. When not defined, the default is a server-wide "/". |
| `APACHE_MEECHUM_DEFAULTURL = <url>` | `https://${HTTP_HOST}` | Allows a user-defined URL. Previously this was hardcoded to `https://%{HTTP_HOST}/%{REQUEST_URI}`. |
| `APACHE_MEECHUM_ERROR_TEMPLATE = <filename>` | N/A | Template used to display error messages. The template must accept two strings, an error title and a more detailed error description, both HTML-encoded, in that order, referenced by C-style `%s`, e.g. a template containing `Message:%s` and `Description:%s`. When not defined, a bare-bones internal template is used. Ex. `APACHE_MEECHUM_ERROR_TEMPLATE = /apps/myapp/error.html` |
| `APACHE_MEECHUM_LOCATIONS = <sso protected paths>` | `^/` | Paths requiring authentication. By default, everything not explicitly whitelisted in APACHE_PLAIN_LOCATIONS is authenticated. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_MEECHUM_LOCATIONS has no effect. Ex. `APACHE_MEECHUM_LOCATIONS = ^/` |
| `APACHE_MEECHUM_LOGOUT_URL = <url>` | N/A | Defines a default URL the user is sent to after logout, which may be overridden explicitly during logout. When not defined and no URL was passed explicitly, a default internal page is shown. |
| `APACHE_MEECHUM_MEMCACHE_SERVER = <hostname>[:<port>]` | `evcache_sso.{region}.dyn{env}.netflix.net:11211` | |
| `APACHE_MEECHUM_OAUTH_ACCEPT_TOKENS_AS = [header\|post\|query\|cookie[:<name>]]+` | "header" | Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server. Must be one or several of: "header": an `Authorization: bearer` header; "post": an HTTP POST parameter called `access_token`; "query": an HTTP query parameter called `access_token`; "cookie": a cookie called whatever is specified after ":". |
| `APACHE_MEECHUM_OAUTH_JWKS_URL = <url>` | generated by default: `https://meechum.netflix.com/ext/oauth/nflxJwTDefault/jwks` | |
| `APACHE_MEECHUM_OAUTH_LOCATIONS = <oauth20 protected paths>` | N/A | Paths requiring OAuth authentication. By default, nothing is authenticated. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_MEECHUM_OAUTH_LOCATIONS has no effect. Note also that these locations require the scope matching the OIDCClientID (EZConfig option APACHE_MEECHUM_CLIENT). Ex. `APACHE_MEECHUM_OAUTH_LOCATIONS = ^/REST` |
| `APACHE_MEECHUM_PASS_CLAIMS_AS = [none\|headers\|environment\|both]` | "headers" | Define the way in which the claims and tokens are passed to the application environment: "none": no claims/tokens are passed; "environment": claims/tokens are passed as environment variables; "headers": claims/tokens are passed in headers (also useful in reverse-proxy scenarios); "both": claims/tokens are passed as both headers and environment variables (default). When not defined the default is "both". The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires. The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see APACHE_MEECHUM_PASS_REFRESH_TOKEN). List of attributes/claims |
| `APACHE_MEECHUM_PASS_REFRESH_TOKEN = [On\|Off]` | Off | Indicates whether the refresh token is passed to the application in a header/environment variable. Ex. `APACHE_MEECHUM_PASS_REFRESH_TOKEN = On` |
| `APACHE_MEECHUM_PASSCOOKIES = [<cookie-name>]+` | N/A | Specify the names of cookies to pick up from the browser and send along on backchannel calls to the OP and AS endpoints. This can be used for load-balancing purposes. When not defined, no such cookies are sent. |
| `APACHE_MEECHUM_REDIS_SERVER = <hostname>[:<port>]` | `sso-cache.{region}.meechum.{env}.netflix.net:6379` | |
| `APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = [On\|Off]` | "On" | Scrub user name and claim headers (as configured above) from the user's request. The default is "On"; use "Off" only for testing and debugging, because without scrubbing a client could supply those headers itself, which renders your system insecure. |
| `APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT = <seconds>` | 3600 (seconds) | Interval in seconds after which the session is invalidated when no interaction has occurred. |
| `APACHE_MEECHUM_SESSION_MAX_DURATION = <seconds>` | 7100 (seconds) | Maximum duration of the application session, in seconds. |
| `APACHE_MEECHUM_UNAUTHACTION = [auth\|pass\|401\|410]` | auth | Defines the action taken when an unauthenticated request is made. "auth": the user is redirected to the OpenID Connect Provider or Discovery page. "401": HTTP 401 Unauthorized is returned. "410": HTTP 410 Gone is returned. "pass": an unauthenticated request passes, but claims are still passed when the user happens to be authenticated already. Useful in Location/Directory/Proxy path contexts that serve AJAX/JavaScript calls and for "anonymous access". |
| `APACHE_MEECHUM_USERINFOREFRESHINTERVAL = <seconds>` | 900 (seconds) | Claims are automatically refreshed every 900 seconds (15 minutes). |
| `APACHE_MEECHUM_WHITELISTEDCLAIMS = <space separated list of claims, e.g. [email\|org.supervisor\|name]>` | | Allows whitelisting of claims, mainly to reduce header sizes by giving the developer some control over what is passed. Note that whitelisting any claim blacklists ALL OTHER CLAIMS. Also note that the access token is whitelisted regardless. |
| `APACHE_PLAIN_LOCATIONS = <unprotected paths>` | `^/(healthcheck\|Admin(Proxy(Status\|Info)\|Logs\|GCViz))` | Paths that are allowed over HTTP (and without Meechum auth if enabled). Note that the Admin URLs are IP whitelisted. This expression must be in Apache LocationMatch compatible format. Note that if APACHE_LOCATIONS_FILE is set then APACHE_PLAIN_LOCATIONS has no effect. Ex. `APACHE_PLAIN_LOCATIONS = ^/(healthcheck\|Admin(Proxy(Status\|Info)\|Logs\|GCViz))` |
| `APACHE_PROXY = [ajp\|http]` | ajp | Defines the protocol used to proxy connections to a Tomcat application. AJP is the default protocol. When using EZConfig, any existing Tomcat `server.xml` configuration is overwritten to support the protocol and the port defined in TOMCAT_HTTPPORT. |
| `TOMCAT_HTTPPORT = <tomcat listen port>` | 8009 | The application listener port. It can be changed to suit your application port, regardless of whether the application is Tomcat. |
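As an added example (not part of the EZConfig tooling or of this page's original content), a small Python linter that parses an /etc/default/ezconfig fragment and checks it against the rules in the tables above: the required keys for each TLS-termination use-case, the insecure `APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = Off` setting, options that are silently ignored once `APACHE_LOCATIONS_FILE` is set, and the cookie-domain/hostname match. The sample config, its hostnames and client id are constructed placeholders.

```python
"""Lint an /etc/default/ezconfig fragment against the Meechum option reference."""
import shlex
# Constructed sample (placeholder names, not a real deployment): TLS on the instance.
SAMPLE = """
APACHE_HTTPS = enabled
APACHE_HTTPS_HOSTNAME = myapp.example.internal   # placeholder FQDN
APACHE_MEECHUM = enabled
APACHE_MEECHUM_CLIENT = myapp_client
APACHE_MEECHUM_SECRET = /run/metatron/decrypted/my_app_secret
APACHE_TLS_CERT = /set/this/to/your/server.crt
APACHE_MEECHUM_SCRUB_REQUEST_HEADERS = Off
APACHE_LOCATIONS_FILE = /apps/myapp/myappvhost.conf
APACHE_MEECHUM_LOCATIONS = ^/
APACHE_MEECHUM_COOKIE_DOMAIN = other.example.internal
"""
COMMON = {"APACHE_MEECHUM", "APACHE_HTTPS_HOSTNAME", "APACHE_MEECHUM_CLIENT", "APACHE_MEECHUM_SECRET"}
REQUIRED = {  # required keys per "simple use-case" table, keyed by where TLS terminates
    "ELB": COMMON | {"APACHE_TIMEOUT", "APACHE_KEEPALIVE"},
    "instance": COMMON | {"APACHE_HTTPS", "APACHE_TLS_CERT", "APACHE_TLS_KEY"},
}
# Options the reference says are ignored once APACHE_LOCATIONS_FILE is set.
SHADOWED = ("APACHE_MEECHUM_LOCATIONS", "APACHE_MEECHUM_OAUTH_LOCATIONS", "APACHE_PLAIN_LOCATIONS")

def parse_ezconfig(text):
    """Parse shell-style KEY = VALUE lines; '#' starts a comment and quotes are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = " ".join(shlex.split(value))
    return conf

def lint(conf):
    """Return (severity, message) findings; an empty list means the fragment looks sane."""
    where = "instance" if conf.get("APACHE_HTTPS", "").lower() == "enabled" else "ELB"
    findings = [("error", f"{k} is required when TLS terminates on the {where}")
                for k in sorted(REQUIRED[where] - set(conf))]
    if conf.get("APACHE_MEECHUM_SCRUB_REQUEST_HEADERS", "On").lower() == "off":
        findings.append(("error", "SCRUB_REQUEST_HEADERS=Off: clients could supply their own claim headers"))
    if conf.get("APACHE_MEECHUM_PASS_REFRESH_TOKEN", "Off").lower() == "on":
        findings.append(("warn", "PASS_REFRESH_TOKEN=On hands refresh tokens to the application"))
    if "APACHE_LOCATIONS_FILE" in conf:
        findings += [("warn", f"{k} has no effect while APACHE_LOCATIONS_FILE is set")
                     for k in SHADOWED if k in conf]
    domain, host = conf.get("APACHE_MEECHUM_COOKIE_DOMAIN"), conf.get("APACHE_HTTPS_HOSTNAME")
    if domain and host and domain != host:
        findings.append(("error", "APACHE_MEECHUM_COOKIE_DOMAIN must match APACHE_HTTPS_HOSTNAME"))
    return findings
```

Running `lint(parse_ezconfig(SAMPLE))` on the sample reports the missing `APACHE_TLS_KEY`, the disabled header scrubbing, the shadowed `APACHE_MEECHUM_LOCATIONS` and the cookie-domain mismatch.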

More options: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf