How to install mod_auth_openidc module in an Apache server running on Docker
Instead of manually downloading the necessary libraries I moved that process to the Dockerfile, now the image is created correctly:
FROM httpd:2.4COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.confCOPY ./server.crt /usr/local/apache2/conf/COPY ./server.key /usr/local/apache2/conf/COPY ./mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.soRUN apt-get update && apt-get install -y curl && apt-get install -y libjansson4 && apt-get install -y wget && apt-get install -y libhiredis0.10 && apt-get install -y apache2-binRUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/libcjose0_0.5.1-1.jessie.1_amd64.deb && dpkg -i libcjose0_0.5.1-1.jessie.1_amd64.debRUN wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.3/libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb && \dpkg -i libapache2-mod-auth-openidc_2.3.3-1.jessie.1_amd64.deb
You can use the https://github.com/zmartzone/mod_auth_openidc/blob/master/Dockerfile-alpine to build the image and just do your post configurations specific for your site afterwards.
FROM alpine:3.10ENV MOD_AUTH_OPENIDC_REPOSITORY https://github.com/zmartzone/mod_auth_openidc.gitENV MOD_AUTH_OPENIDC_BRANCH masterENV BUILD_DIR /tmp/mod_auth_openidcENV APACHE_LOG_DIR /var/log/apache2ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf# add testing repository (for cjose library)RUN echo "http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories# ADD sourceRUN mkdir ${BUILD_DIR}# add dependencies, build and install mod_auth_openidc, need atomic operation for image sizeRUN apk update && apk add --no-cache \ apache2 \ apache2-proxy \ wget \ jansson \ hiredis \ cjose \ cjose-dev \ git \ autoconf \ build-base \ automake \ curl \ apache2-dev \ curl-dev \ pcre-dev \ libtool \ && \ cd ${BUILD_DIR} && \ git clone -b ${MOD_AUTH_OPENIDC_BRANCH} ${MOD_AUTH_OPENIDC_REPOSITORY} && \ cd mod_auth_openidc && \ ./autogen.sh && \ ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \ make test && \ make install && \ cd ../.. && \ rm -fr ${BUILD_DIR} && \ apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev pcre-dev libtool# configure apache RUN apk add --no-cache sed && \ echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so" >> ${APACHE_DEFAULT_CONF} && \ ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \ chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \ apk del sed# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop# stop gracefully when docker stops, create issue with interactive mode because it's the signal use by the docker engine on windows.STOPSIGNAL WINCH# port to expose, referes to the Listen 80 in the embedded httpd.confEXPOSE 80# launch apacheCMD exec /usr/sbin/httpd -D FOREGROUND -f ${APACHE_DEFAULT_CONF}
In 2021 the zmartzone module is available as a Debian package. So I was able to build an image using a simple Dockerfile, but I only need https (not php etc). I chose to use the httpd buster base image, in buster the package version is 2.3.10.2-1, the latest and greatest today is 2.4.9.4. Here's my Dockerfile, only two commands required:
# Build image with Apache HTTPD and OpenID connect moduleFROM httpd:2.4-busterRUN apt-get update && \ apt-get install --no-install-recommends -y libapache2-mod-auth-openidc# leave entrypoint etc. unchanged from base image
One thing I completely don't understand, that apache httpd base imagehas modules in /usr/local/apache2/modules
but the package installs auth_openidc_module in /usr/lib/apache2/modules
. Maybe someone can explain that to me?
Anyhow, trying to make this answer complete, using this image requires changes to base image files /usr/local/apache2/httpd.conf
and /usr/local/apache2/extra/httpd-ssl.conf
. Here is the first set of diffs:
% diff httpd.conf.orig httpd.conf 94c98< #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so---> LoadModule socache_shmcb_module modules/mod_socache_shmcb.so142c146< #LoadModule proxy_module modules/mod_proxy.so---> LoadModule proxy_module modules/mod_proxy.so161c165< #LoadModule ssl_module modules/mod_ssl.so---> LoadModule ssl_module modules/mod_ssl.so199a204> LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so241c246< #ServerName www.example.com:80---> ServerName server.my.company.com:80541c546< #Include conf/extra/httpd-ssl.conf---> Include conf/extra/httpd-ssl.conf
Also extra/httpd-ssl.conf:
% diff httpd-ssl.conf.orig httpd-ssl.conf125c129< ServerName www.example.com:443---> ServerName server.my.company.com:443290c294,319< </VirtualHost> ---> OIDCProviderMetadataURL https://oidserver.my.company.com/.well-known/openid-configuration> OIDCClientID my-company-client-id> OIDCClientSecret my-company-client-scret> OIDCRedirectURI https://server.my.company.com/secure/redirect_uri> OIDCCryptoPassphrase my-company-crypto-passphrase> > <Location /secure>> AuthType openid-connect> Require valid-user> </Location>> > </VirtualHost>
In my deployment I chose to mount those httpd config files to the container, that avoids building the OID client secrets into the docker image. Here's a sample docker-compose.yml, on the image
line use the tag you applied to the image built from the Dockerfile shown above:
version: "3"services: # httpd starts as root, binds ports then switches to daemon (UID 1) httpd: image: httpd-openidc:local ports: - 80:80 - 443:443 volumes: - /Users/me/apache-httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf - /Users/me/apache-httpd/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf - /Users/me/apache-httpd/my-dev.key:/usr/local/apache2/conf/server.key - /Users/me/apache-httpd/my-dev.crt:/usr/local/apache2/conf/server.crt
So far this works fine, HTH