php - Apache 作为具有身份验证 OAuth2.0 的 ReverseProxy 并检查
问题描述
我在 CentOS 7 上将 Apache 2.4 配置为反向代理,并通过 google 进行身份验证 OAuth 2.0。这是我的http.conf文件:
ProxyRequests off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyTimeout 300
<VirtualHost test.mydomain.com:80>
ServerName test.mydomain.com
Redirect / https://test.mydomain.com/
</VirtualHost>
<VirtualHost test.mydomain.com:443>
ServerName test.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
ErrorLog /var/www/html/test_error.log
CustomLog /var/www/html/test_access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxx
OIDCRedirectURI https://test.mydomain.com/index.php
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
<Location />
AuthType openid-connect
Require valid-user
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1:5563/
ProxyPassReverse / http://192.168.1.1:5563/
</VirtualHost>
现在,当我输入https://test.mydomain.com时,我重定向到谷歌身份验证,然后(如果登录正常)到http://192.168.1.1:5563/上的反向资源
现在我正在尝试在 PHP 中创建一个自定义登录页面,因为我会检查用户是否可以访问(因为使用 Google OAuth 域的所有成员都可以访问)或者不能访问这个远程资源http://192.168.1.1:5563 /我创建了我的index.php页面:
<?php
session_start();
include('config/config.php');
$login_button = '';
//This $_GET["code"] variable value received after user has login into their Google Account redirct to PHP script then this variable value has been received
if(isset($_GET["code"]))
{
// ... set session variable ...
}
//This is for check user has login into system by using Google account, if User not login into system then it will execute if block of code and make code for display Login link for Login using Google account.
if(!isset($_SESSION['access_token']))
{
//Create a URL to obtain user authorization
$login_button = '<a href="'.$google_client->createAuthUrl().'"><img src="images/sign-in-with-google.png" /></a>';
$_SESSION['logged'] = false;
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Log in/Sign up screen</title>
</head>
<body>
<div class="container">
<div class="frame">
<div ng-app ng-init="checked = false">
<h1><img align="center" src="images/logo_rouded.png" width="100" height="auto"></h1>
<?php
if($login_button == '')
{
echo "<form class=\"form-signin\" action=\"\" method=\"post\" name=\"form\">";
echo "<p align=\"center\">Select your enviroment</p>";
echo "<div class=\"btn-animateOscar\">";
echo "<a class=\"btn-signin\" onclick=\"window.open('test.php','popUpWindow','height=650,width=1000,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no, status=yes')\">test</a>";
echo "</div>";
echo "<div class=\"btn-animate_signout\">";
echo "<a class=\"btn-signin\" href=\"logout.php\">Sign out</a>";
echo "</div>";
echo "</form>";
} else {
echo "<p align=\"center\">Sign in with Activo Account</p>";
echo '<div align="center">'.$login_button . '</div>';
}
?>
</div>
</div>
</div>
</body>
</html>
我用 href 调用的test.php是:
<?php
session_start();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>TEST</title>
<meta content='width=device-width, initial-scale=1, maximum-scale=1' name='viewport'/>
</head>
<body>
<?php
if(isset($_SESSION['logged']) && $_SESSION['logged']==true){
echo "<iframe width=\"100%\" height=\"100%\" src=\"https://test.mydomain.com/TEST\"></iframe>";
} else {
echo "<div class=\"container\">";
echo "<div class=\"frame\">";
echo "<div ng-app ng-init=\"checked = false\">";
echo "<h1><img align=\"center\" src=\"images/logo_rouded.png\" width=\"100\" height=\"auto\"></h1>";
echo "<form class=\"form-signin\" action=\"\" method=\"post\" name=\"form\">";
echo "<p align=\"center\">You are not login, please login</p>";
echo "<p align=\"center\">You'll redirect to login page in 5 seconds</p>";
header('Refresh: 5; url=index.php');
echo "</form>";
echo "</div>";
echo "</div>";
echo "</div>";
}
?>
</body>
</html>
我改变了我的http.conf如下:
<VirtualHost test.mydomain.com:443>
ServerName test.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
DocumentRoot /var/www/html/googleaccess/
DirectoryIndex index.php
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests On
ProxyPass /TEST http://192.168.1.1:5563/ts/ts2/index.html
ProxyPassReverse /TEST http://192.168.1.1:5563/ts/ts2/index.html
</VirtualHost>
现在的问题是:1)反向代理无法正常工作(我认为这是 http.conf 中的错误配置)2)如果我输入https://test.mydomain.com/TEST我会跳过谷歌身份验证,我怎么能阻止这个?3)我无法启用从所有网络到http://192.168.1.1:5563/ts/ts2/index.html的流量,因此我必须使用反向代理。
谢谢您的帮助
解决方案
推荐阅读
- java - 我的应用程序在调试模式下工作正常,但使用签名的 APK 它崩溃
- database - 为大量记录选择的正确数据库是什么?
- c++ - 通过 Web 应用程序访问桌面应用程序 API
- angular - 如何像chartjs图表模型一样显示这个json
- android - 我对这个 android studio Kotlin 程序有疑问:
- sql - 连接两个表时的过滤顺序
- python - 计算具有复数的非常大矩阵的欧几里得距离的最快方法是什么?
- javascript - 按钮 - 数据表中的列可见性
- javascript - Odoo 13 ORM 写入方法的确认框
- amazon-web-services - AWS codebuild 列出其他账户的 s3 存储桶