时间戳

首页 > 解决方案 > Apache 作为具有身份验证 OAuth2.0 的 ReverseProxy 并检查

php - Apache 作为具有身份验证 OAuth2.0 的 ReverseProxy 并检查

问题描述

我在 CentOS 7 上将 Apache 2.4 配置为反向代理,并通过 google 进行身份验证 OAuth 2.0。这是我的http.conf文件:

ProxyRequests off

<Proxy *>
        Order deny,allow
        Deny from all
        Allow from all
</Proxy>
ProxyTimeout 300

<VirtualHost test.mydomain.com:80>
    ServerName test.mydomain.com
    Redirect / https://test.mydomain.com/
</VirtualHost>

<VirtualHost test.mydomain.com:443>
    ServerName test.mydomain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/mydomain.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain.key
    SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt

    ErrorLog /var/www/html/test_error.log
    CustomLog /var/www/html/test_access.log combined

    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
    OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxx
    OIDCRedirectURI https://test.mydomain.com/index.php
    OIDCScope "profile openid"
    OIDCCryptoPassphrase example@3003
    OIDCCookiePath /
    OIDCAuthNHeader X-Forwarded-User
    OIDCRemoteUserClaim sub
    OIDCClaimPrefix example_

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    ProxyPreserveHost On
    ProxyPass / http://192.168.1.1:5563/
    ProxyPassReverse / http://192.168.1.1:5563/
</VirtualHost>

现在,当我输入https://test.mydomain.com时,我重定向到谷歌身份验证,然后(如果登录正常)到http://192.168.1.1:5563/上的反向资源

现在我正在尝试在 PHP 中创建一个自定义登录页面,因为我会检查用户是否可以访问(因为使用 Google OAuth 域的所有成员都可以访问)或者不能访问这个远程资源http://192.168.1.1:5563 /我创建了我的index.php页面:

<?php
session_start();
include('config/config.php');
$login_button = '';

//This $_GET["code"] variable value received after user has login into their Google Account redirct to PHP script then this variable value has been received
if(isset($_GET["code"]))
{
// ... set session variable ...
}

//This is for check user has login into system by using Google account, if User not login into system then it will execute if block of code and make code for display Login link for Login using Google account.
if(!isset($_SESSION['access_token']))
{
 //Create a URL to obtain user authorization
$login_button = '<a href="'.$google_client->createAuthUrl().'"><img src="images/sign-in-with-google.png" /></a>';
$_SESSION['logged'] = false;
 }
?>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Log in/Sign up screen</title>
 </head>
 <body>
  <div class="container"> 
   <div class="frame">
    <div ng-app ng-init="checked = false">
        <h1><img align="center" src="images/logo_rouded.png" width="100" height="auto"></h1>
     <?php
            if($login_button == '')
            {
                echo "<form class=\"form-signin\" action=\"\" method=\"post\" name=\"form\">";
                echo "<p align=\"center\">Select your enviroment</p>";

                echo "<div class=\"btn-animateOscar\">";
                echo "<a class=\"btn-signin\" onclick=\"window.open('test.php','popUpWindow','height=650,width=1000,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no, status=yes')\">test</a>";
                echo "</div>";

                echo "<div class=\"btn-animate_signout\">";
                echo "<a class=\"btn-signin\" href=\"logout.php\">Sign out</a>";
                echo "</div>";
                echo "</form>";
            } else {
                echo "<p align=\"center\">Sign in with Activo Account</p>";
                echo '<div align="center">'.$login_button . '</div>';
            }
            ?>     
          </div> 
    </div>
   </div>
 </body>
</html>

我用 href 调用的test.php是:

<?php
session_start();
?>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>TEST</title>
  <meta content='width=device-width, initial-scale=1, maximum-scale=1' name='viewport'/>
 </head>
 <body> 
         <?php    
                if(isset($_SESSION['logged']) && $_SESSION['logged']==true){
                    echo "<iframe width=\"100%\" height=\"100%\" src=\"https://test.mydomain.com/TEST\"></iframe>";
                } else {
                    echo "<div class=\"container\">";
                        echo "<div class=\"frame\">";
                            echo "<div ng-app ng-init=\"checked = false\">";
                                echo "<h1><img align=\"center\" src=\"images/logo_rouded.png\" width=\"100\" height=\"auto\"></h1>";
                                    echo "<form class=\"form-signin\" action=\"\" method=\"post\" name=\"form\">";
                                        echo "<p align=\"center\">You are not login, please login</p>"; 
                                        echo "<p align=\"center\">You'll redirect to login page in 5 seconds</p>";
                                        header('Refresh: 5; url=index.php');
                                    echo "</form>";
                            echo "</div>";
                        echo "</div>";
                    echo "</div>";
                }    
            ?>
    </body>
</html>

我改变了我的http.conf如下:

<VirtualHost test.mydomain.com:443>
        ServerName test.mydomain.com
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/mydomain.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com.key
        SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
        DocumentRoot /var/www/html/googleaccess/
        DirectoryIndex index.php

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyRequests On
ProxyPass /TEST http://192.168.1.1:5563/ts/ts2/index.html
ProxyPassReverse /TEST http://192.168.1.1:5563/ts/ts2/index.html

</VirtualHost>

现在的问题是:1)反向代理无法正常工作(我认为这是 http.conf 中的错误配置)2)如果我输入https://test.mydomain.com/TEST我会跳过谷歌身份验证,我怎么能阻止这个?3)我无法启用从所有网络到http://192.168.1.1:5563/ts/ts2/index.html的流量,因此我必须使用反向代理。

谢谢您的帮助

标签: phpapacheoauth-2.0google-oauthreverse-proxy

解决方案

推荐阅读