Has anyone successfully gotten saml-strict working while running everything in Docker?

On Tuesday, April 2, 2024 at 09:49:04 AM EDT, Nick Couchman <vn...@apache.org> wrote:
On Tue, Apr 2, 2024 at 9:03 AM Jesus Malena <jesus.mal...@gmail.com> wrote:

Hi Nick,

Thanks for the quick response. I should have added my NginX configuration here as well so that this information would be more complete. Below is my NginX config.

    # HTTPS server
    upstream guacservice {
        server 127.0.0.1:8080;
    }

    server {
        listen 443 ssl http2;
        server_name guactest.mytestserver.com;
        server_tokens off;
        access_log /var/log/nginx/ssl_access.log main;

        ssl_certificate ssl/guactest_mytestserver_com.pem;
        ssl_certificate_key ssl/guactest_mytestserver_com.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!MD5:!DSS;
        ssl_prefer_server_ciphers on;

        gzip on;
        gzip_types text/javascript;
        gzip_proxied no-cache no-store private expired auth;
        gzip_min_length 1000;

        location / {
            add_header Front-End-Https on;
            # "always" is a flag of add_header, not part of the header value,
            # so it belongs outside the quotes
            add_header Strict-Transport-Security "max-age=16000000; includeSubDomains" always;
            proxy_pass http://guacservice;
            proxy_hide_header X-Powered-By;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Host $http_host;
            # $http_true_client_ip is only populated when an upstream CDN/proxy
            # sets the True-Client-IP header; otherwise X-Real-IP is sent empty
            proxy_set_header X-Real-IP $http_true_client_ip;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cookie_path ~(.*) "$1; secure; SameSite=None";
            proxy_redirect default;
            proxy_redirect http://$host https://$host;
            proxy_redirect http://hostname https://$host;
        }

        location = /404.html {}
        location = /50x.html {}
    }

    server {
        listen 80;
        server_name _;
        server_tokens off;

        location / {
            rewrite ^(.*) https://$http_host$1 redirect;
        }

        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }

There are some settings which you have suggested which I do not have, which deal with websockets, so I will have to look into those and implement them once I validate them against the documentation. I will also have to go over some of my settings in this section and update some of them accordingly, like changing proxy_set_header Host $http_host to just proxy_set_header Host $host, as this is cleaner based on the NginX documentation; but the X-Forwarded-Proto one is one that I do have set. There may be some additional cleanup that needs to be done on the above configuration, but the above configuration does work. If you see any glaring configuration issues above, please let me know.

I would say just add the additional headers that I mentioned - it is a more complete list than is in the manual (manual needs some updating in that respect).

-Nick
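For readers following the thread, here is an added example of a minimal HTTPS reverse-proxy configuration for Guacamole that includes the WebSocket-related directives Nick refers to next to the forwarded-header directives. This is not Jesus's or Nick's configuration and is not copied from the Guacamole manual; the hostname, certificate paths and upstream address are assumed placeholders.

```nginx
# Added example, not from the thread. Hostname, certificate paths and the
# upstream address are assumed placeholders; adjust them for your deployment.
upstream guacservice {
    # When nginx and guacamole run as containers on the same Docker network,
    # use the guacamole container/service name here instead of 127.0.0.1
    # (assumed name: "guacamole").
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name guac.example.com;                            # assumed hostname
    server_tokens off;

    ssl_certificate     /etc/nginx/ssl/guac.example.com.pem; # assumed path
    ssl_certificate_key /etc/nginx/ssl/guac.example.com.key; # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: "always" is an add_header flag, so it sits outside the quoted value
    add_header Strict-Transport-Security "max-age=16000000; includeSubDomains" always;

    location / {
        proxy_pass http://guacservice;

        # WebSocket tunnel: HTTP/1.1 plus the hop-by-hop Upgrade/Connection
        # headers; without these the client silently falls back to the
        # slower HTTP tunnel or fails to connect at all
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_buffering off;

        # Tell the backend the external host and scheme, so that any absolute
        # URL it builds (redirects, SSO callbacks) uses https and the public name
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # The tunnel produces a very large number of requests; logging them
        # usually adds noise without security value
        access_log off;
    }
}

server {
    listen 80;
    server_name guac.example.com;                            # assumed hostname
    server_tokens off;
    return 301 https://$host$request_uri;
}
```

A check worth doing after applying this: the forwarded headers only take effect if the Tomcat behind nginx is configured to trust them. Tomcat does this through its RemoteIpValve (with protocolHeader set to X-Forwarded-Proto); in the official guacamole Docker image that valve is switched on with the REMOTE_IP_VALVE_ENABLED=true environment variable. If the valve is off, the webapp still believes it is serving plain http on the container's internal name, regardless of what nginx sends.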