Federation: Shibboleth Protecting EZProxy and Apache Reverse Proxy

Glenn Wearen, Middleware Specialist, HEAnet

Sponsored by BT


Post on 15-Mar-2018


Ezproxy

• EZproxy used primarily by libraries
  – Publishers restrict access by IP
  – Off campus users use the proxy so that correct IP is presented
  – Authentication to EZproxy by LDAP or Shibboleth
  – Some libraries link to publishers via ezproxy regardless of location
    E.g. Links in the library catalogue are hardcoded to ezproxy
    www.publisher.com.ezproxy.mit.ie


EZproxy

• EZproxy could be used for non-library uses


EZproxy

• EZproxy works with Shibboleth
  – Typically EZProxy will be an SP that bilaterally trusts a single IdP


EZproxy

• EZproxy works with Shibboleth
  – Seamlessly works with a federation
    Multiple IdPs can be connected to EZProxy


Apache Reverse Proxy

• Configured Apache in front of a web server to proxy content from the back-end

• Can perform authentication using
  – BASIC AUTH (proxying credentials)
  – REMOTE_USER (proxying user identifier)

• Useful to federate appliances where
  – No opportunity to add SAML plugin to appliance


Front-end config

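<IfModule mod_proxy.c>
    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /app>
        # Require a Shibboleth session before anything is proxied
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require valid-user

        # Copy the authenticated REMOTE_USER into the RU environment variable
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]

        # Pass the user identifier to the back end as X-Remote-User
        RequestHeader set X-Remote-User "%{RU}e" env=RU

        ProxyPass http://vmworkshop12.heanet.ie/
        ProxyPassReverse http://vmworkshop12.heanet.ie/
    </Location>
</IfModule>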


Back-end config

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthName test
    AuthType Basic
    Require user [email protected]
</Directory>