How to install mod_auth_openidc module in an Apache server running on Docker


Instead of manually downloading the necessary libraries, I moved that process to the Dockerfile; now the image is created correctly:

FROM httpd:2.4
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./server.crt /usr/local/apache2/conf/
COPY ./server.key /usr/local/apache2/conf/
COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so
RUN apt-get update && apt-get install -y curl && apt-get install -y libjansson4 && apt-get install -y wget && apt-get install -y libhiredis0.10 && apt-get install -y apache2-bin
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.jessie.1_amd64.deb && dpkg -i libcjose0_0.5.1-1.jessie.1_amd64.deb
RUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.3/libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \
    dpkg -i libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb


You can use the https://github.com/zmartzone/mod_auth_openidc/blob/master/Dockerfile-alpine to build the image and just do your post configurations specific for your site afterwards.

FROM alpine:3.10

ENV MOD_AUTH_OPENIDC_REPOSITORY https://github.com/zmartzone/mod_auth_openidc.git
ENV MOD_AUTH_OPENIDC_BRANCH master
ENV BUILD_DIR /tmp/mod_auth_openidc
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf

# add testing repository (for cjose library)
RUN echo "http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories

# ADD source
RUN mkdir ${BUILD_DIR}

# add dependencies, build and install mod_auth_openidc, need atomic operation for image size
RUN apk update && apk add --no-cache \
  apache2 \
  apache2-proxy \
  wget \
  jansson \
  hiredis \
  cjose \
  cjose-dev \
  git \
  autoconf \
  build-base \
  automake \
  curl \
  apache2-dev \
  curl-dev \
  pcre-dev \
  libtool \
  && \
  cd ${BUILD_DIR} && \
  git clone -b ${MOD_AUTH_OPENIDC_BRANCH} ${MOD_AUTH_OPENIDC_REPOSITORY} && \
  cd mod_auth_openidc && \
  ./autogen.sh && \
  ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \
  make test && \
  make install && \
  cd ../.. && \
  rm -fr ${BUILD_DIR} && \
  apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev pcre-dev libtool

# configure apache
RUN apk add --no-cache sed && \
  echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so" >> ${APACHE_DEFAULT_CONF} && \
  ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \
  ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \
  ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \
  chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \
  apk del sed

# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
# stop gracefully when docker stops, create issue with interactive mode because it's the signal used by the docker engine on windows.
STOPSIGNAL WINCH

# port to expose, refers to the Listen 80 in the embedded httpd.conf
EXPOSE 80

# launch apache
CMD exec /usr/sbin/httpd -D FOREGROUND -f ${APACHE_DEFAULT_CONF}


In 2021 the zmartzone module is available as a Debian package, so I was able to build an image using a simple Dockerfile, but I only need https (not php etc). I chose to use the httpd buster base image; in buster the package version is 2.3.10.2-1, while the latest and greatest today is 2.4.9.4. Here's my Dockerfile, only two commands required:

# Build image with Apache HTTPD and OpenID connect module
FROM httpd:2.4-buster
RUN apt-get update && \
    apt-get install --no-install-recommends -y libapache2-mod-auth-openidc
# leave entrypoint etc. unchanged from base image

One thing I completely don't understand is that the apache httpd base image has modules in /usr/local/apache2/modules but the package installs auth_openidc_module in /usr/lib/apache2/modules. Maybe someone can explain that to me?

Anyhow, trying to make this answer complete, using this image requires changes to base image files /usr/local/apache2/httpd.conf and /usr/local/apache2/extra/httpd-ssl.conf. Here is the first set of diffs:

% diff httpd.conf.orig httpd.conf 94c98< #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so---> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so142c146< #LoadModule proxy_module modules/mod_proxy.so---> LoadModule proxy_module modules/mod_proxy.so161c165< #LoadModule ssl_module modules/mod_ssl.so---> LoadModule ssl_module modules/mod_ssl.so199a204> LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so241c246< #ServerName www.example.com:80---> ServerName server.my.company.com:80541c546< #Include conf/extra/httpd-ssl.conf---> Include conf/extra/httpd-ssl.conf
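
Review bot: the `LoadModule proxy_module modules/mod_proxy.so` change (142c146) enables mod_proxy, but no proxy directive appears in this diff or in the httpd-ssl.conf diff. If the site does not forward requests to a backend, leave that line commented out so the server loads only the modules the configuration uses; if it does, the proxy directives that depend on it should be shown alongside this change.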

Also extra/httpd-ssl.conf:

% diff httpd-ssl.conf.orig httpd-ssl.conf125c129< ServerName www.example.com:443---> ServerName server.my.company.com:443290c294,319< </VirtualHost>                                  ---> OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration> OIDCClientID my-company-client-id> OIDCClientSecret my-company-client-scret> OIDCRedirectURI https://server.my.company.com/secure/redirect_uri> OIDCCryptoPassphrase my-company-crypto-passphrase> > <Location /secure>>    AuthType openid-connect>    Require valid-user> </Location>> > </VirtualHost>
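
Review bot: `OIDCClientSecret` and `OIDCCryptoPassphrase` are added as literal values inside httpd-ssl.conf (the 290c294,319 change), which turns the whole file into a secret. Keep this file out of the image and out of version control and readable only by the user that starts httpd, or move the OIDC directives into a separate file pulled in with `Include` so the rest of httpd-ssl.conf can be shipped and reviewed freely.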

In my deployment I chose to mount those httpd config files to the container; that avoids building the OID client secrets into the docker image. Here's a sample docker-compose.yml; on the image line use the tag you applied to the image built from the Dockerfile shown above:

version: "3"
services:
  # httpd starts as root, binds ports then switches to daemon (UID 1)
  httpd:
    image: httpd-openidc:local
    ports:
      - 80:80
      - 443:443
    volumes:
      - /Users/me/apache-httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf
      - /Users/me/apache-httpd/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf
      - /Users/me/apache-httpd/my-dev.key:/usr/local/apache2/conf/server.key
      - /Users/me/apache-httpd/my-dev.crt:/usr/local/apache2/conf/server.crt

So far this works fine, HTH
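
A pre-deployment check for the kind of configuration shown in the last answer, as an added example that is not part of the original answers or of mod_auth_openidc itself: it flags secret directives stored as literals and verifies that the `OIDCRedirectURI` path sits under a `<Location>` with `AuthType openid-connect`, which the module requires. The function name `lint_oidc_conf`, the constructed sample config and the `${OIDC_CRYPTO_PASSPHRASE}` variable are assumptions; a `${...}` value is treated as supplied through Apache's `${VAR}` expansion at startup rather than stored in the file.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the answer's httpd-ssl.conf; ${...} name is hypothetical.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
OIDCClientID my-company-client-id
OIDCClientSecret my-company-client-secret
OIDCRedirectURI https://server.my.company.com/secure/redirect_uri
OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>
</VirtualHost>
"""

SECRET_DIRECTIVES = {"oidcclientsecret", "oidccryptopassphrase"}

def lint_oidc_conf(text):
    """Return findings for an Apache config that uses mod_auth_openidc."""
    findings, directives, protected, stack = [], {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Location\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            stack.append(opened.group(1).strip())
        elif line.lower().startswith("</location") and stack:
            stack.pop()
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            value = value.strip().strip('"')
            # Remember which <Location> paths the module protects.
            if name.lower() == "authtype" and value.lower() == "openid-connect" and stack:
                protected.append(stack[-1])
            directives[name.lower()] = value
    for name in sorted(SECRET_DIRECTIVES & directives.keys()):
        if not directives[name].startswith("${"):
            findings.append(f"{name}: literal secret stored in the config file")
    redirect = urlparse(directives.get("oidcredirecturi", ""))
    if redirect.netloc and redirect.scheme != "https":
        findings.append("oidcredirecturi: absolute URL is not https")
    if not any(redirect.path == p or redirect.path.startswith(p.rstrip("/") + "/")
               for p in protected):
        findings.append("oidcredirecturi: path is outside every openid-connect Location")
    return findings
```

Calling `lint_oidc_conf(open(path).read())` on the mounted httpd-ssl.conf before starting the container gives an empty list when nothing is flagged.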