@jpda
Last active October 30, 2019 12:50
apache-jwt-to-header
# start with a redirect to 443
<VirtualHost *:80>
    Redirect / https://myapp.example.com
</VirtualHost>

# note: apache only treats "#" as a comment at the start of a line, so every
# comment below sits on its own line rather than trailing a directive
<VirtualHost *:443>
    # the DNS name users will use to connect to your app
    ServerName myapp.example.com

    SSLEngine on
    # your cert path
    SSLCertificateFile /etc/ssl/certs/myapp-example-com.pem
    # your cert's key path
    SSLCertificateKeyFile /etc/ssl/certs/myapp-example-com-key.pem

    # certain headers can grow larger than the default, 64K is a reasonable size
    LimitRequestFieldSize 65536

    # your oidc provider, e.g., for aad https://login.microsoftonline.com/<your-aad-tenant>/v2.0/.well-known/openid-configuration
    OIDCProviderMetadataURL https://some-oidc-provider/.well-known/openid-configuration
    OIDCClientID <client-id>
    OIDCClientSecret <client-secret>
    # a path somewhere within the protected location
    OIDCRedirectURI https://myapp.example.com/signin-oidc
    OIDCCryptoPassphrase <random string used by mod_auth_openidc for state encryption>
    # scopes to request
    OIDCScope "openid profile"
    # this claim value is mapped to the REMOTE_USER variable
    OIDCRemoteUserClaim preferred_username

    # enable this for verbose rewrite logging, good for troubleshooting
    # LogLevel warn rewrite:trace8

    # proxy requests to the target, while also updating headers to match
    # if URLs are absolute in the source, use mod_proxy_html to let apache update those
    ProxyPass / http(s)://original-site/and/path/if/required
    ProxyPassReverse / http(s)://original-site/and/path/if/required

    # since we want all paths on this server protected with AAD, plus we also need it for the /signin-oidc path to work
    <Location />
        AuthType openid-connect
        AuthName "aad"
        # valid-user in this case means any authenticated user
        Require valid-user
    </Location>

    <Location /api/echo>
        RewriteEngine On
        # this header name can be _whatever_ your application needs
        # note earlier we set OIDCRemoteUserClaim to use the preferred_username claim for the REMOTE_USER variable
        # e.g., someuser@realm.com
        RequestHeader set X-some-header-name expr=%{REMOTE_USER}
        # this rips out the @realm.com part of the UPN, e.g., someuser
        # (the regex needs a single capture group for the local part; a value without "@" is left untouched)
        RequestHeader edit X-some-header-name "^([^@]+)@.*$" "$1"
        AuthType openid-connect
        AuthName "api-echo"
        Require valid-user
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
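The config above ends at the proxy; the backend behind `/api/echo` still has to decide whether to believe `X-some-header-name`. The following is an added example (not part of the gist and not mod_auth_openidc code) of the backend side: it mirrors the `RequestHeader set` / `RequestHeader edit` pair so an admin can check what value Apache will forward for a given `REMOTE_USER` (including the edge case of a claim with no `@`), and it only honours the header when the request arrives from the proxy. The header name comes from the gist; `PROXY_ADDRS`, the echo app and the sample claim values are assumptions constructed for this example.

```python
"""Backend-side companion to the Apache config (added example, not from the gist).

Assumptions not in the original: the backend is a WSGI app reachable only from
the Apache proxy, the proxy's source address is in PROXY_ADDRS, and the header
name is X-some-header-name exactly as in the gist.
"""
import re
from wsgiref.simple_server import make_server

HEADER_NAME = "X-some-header-name"            # from the gist
# WSGI exposes "X-some-header-name" as HTTP_X_SOME_HEADER_NAME
WSGI_KEY = "HTTP_" + HEADER_NAME.upper().replace("-", "_")
PROXY_ADDRS = {"127.0.0.1"}                   # assumption: Apache runs on the same host

# Mirrors: RequestHeader edit X-some-header-name "^([^@]+)@.*$" "$1"
UPN_RE = re.compile(r"^([^@]+)@.*$")


def apache_header_value(remote_user):
    """Return the value Apache forwards in X-some-header-name for REMOTE_USER.

    RequestHeader set copies REMOTE_USER verbatim; RequestHeader edit then
    strips "@realm" when the regex matches. A value with no "@" is forwarded
    unchanged, which the backend must be prepared to see.
    """
    return UPN_RE.sub(r"\1", remote_user)


def trusted_user(environ):
    """Return the asserted user only if the request came through the proxy.

    A header from any other source address is ignored, so a client that can
    reach the backend directly cannot pick its own identity.
    """
    if environ.get("REMOTE_ADDR") not in PROXY_ADDRS:
        return None
    value = environ.get(WSGI_KEY, "").strip()
    return value or None


def echo_app(environ, start_response):
    """/api/echo: reply with the identity the proxy asserted, or 403."""
    user = trusted_user(environ)
    if user is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"identity header missing or not from the proxy\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def handle(environ):
    """Drive echo_app without a socket; returns (status, body) for checks."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(echo_app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # constructed sample claims, showing what the proxy would forward
    for claim in ("someuser@realm.com", "first.last@sub.example.com", "localonly"):
        print(f"{claim!r:32} -> {apache_header_value(claim)!r}")
    # serve /api/echo on loopback so only a local proxy can reach it
    make_server("127.0.0.1", 8080, echo_app).serve_forever()
```

Run it directly to see the forwarded value for each constructed claim and to start the echo backend on loopback; point the gist's `ProxyPass` at `http://127.0.0.1:8080/` to exercise the full path. The source-address check is a minimal stand-in for "only the proxy can reach me"; a network boundary or mTLS between proxy and backend gives the same guarantee without relying on `REMOTE_ADDR`.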