jpda/000-default.conf

## 000-default.conf
# start with a redirect to 443
<VirtualHost *:80>
	Redirect / https://myapp.example.com
</VirtualHost>
<VirtualHost *:443>
	ServerName myapp.example.com # the DNS name users will use to connect to your app
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/myapp-example-com.pem # your cert path
	SSLCertificateKeyFile /etc/ssl/certs/myapp-example-com-key.pem # your cert's key path
	LimitRequestFieldSize 65536 # certain headers can grow larger than the default, 64K is a reasonable size

  	# your oidc provider, e.g., for aad https://login.microsoftonline.com/<your-aad-tenant>/v2.0/.well-known/openid-configuration
	OIDCProviderMetadataURL https://some-oidc-provider/.well-known/openid-configuration
	OIDCClientID <client-id>
	OIDCClientSecret <client-secret>
  	# a path somewhere within the protected location
	OIDCRedirectURI https://myapp.example.com/signin-oidc
	OIDCCryptoPassphrase <random string used by mod_auth_oidc for state encryption>
	OIDCScope "openid profile" # scopes to request
	OIDCRemoteUserClaim preferred_username # this claim value is mapped to the REMOTE_USER variable

  	# enable this for verbose rewrite logging, good for troubleshooting
	# LogLevel warn rewrite:trace8

	# proxy requests to the target, while also updating headers to match
	# if URLs are absolute in the source, use mod_proxy_html to let apache update those
	ProxyPass / http(s)://original-site/and/path/if/required
	ProxyPassReverse / http(s)://original-site/and/path/if/required

  	# since we want all paths on this server protected with AAD, plus we also need it for the /signin-oidc path to work
	<Location />
		AuthType openid-connect
		AuthName "aad"
    		# valid-user in this case means any authenticated user
		Require valid-user
	</Location>

	<Location /api/echo>
		RewriteEngine On
    		# this header name can be _whatever_ your application needs
    		# note earlier we set OIDCRemoteUserClaim to use the preferred_username claim for the REMOTE_USER variable
		RequestHeader set X-some-header-name expr=%{REMOTE_USER} # e.g., someuser@example.com
		RequestHeader edit X-some-header-name @(.*) $2 # this rips out the @realm.com part of the UPN, e.g., someuser
		AuthType openid-connect
		AuthName "api-echo"
		Require valid-user
	</Location>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
	# start with a redirect to 443
	<VirtualHost *:80>
	Redirect / https://myapp.example.com
	</VirtualHost>
	<VirtualHost *:443>
	ServerName myapp.example.com # the DNS name users will use to connect to your app
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/myapp-example-com.pem # your cert path
	SSLCertificateKeyFile /etc/ssl/certs/myapp-example-com-key.pem # your cert's key path
	LimitRequestFieldSize 65536 # certain headers can grow larger than the default, 64K is a reasonable size

	# your oidc provider, e.g., for aad https://login.microsoftonline.com/<your-aad-tenant>/v2.0/.well-known/openid-configuration
	OIDCProviderMetadataURL https://some-oidc-provider/.well-known/openid-configuration
	OIDCClientID <client-id>
	OIDCClientSecret <client-secret>
	# a path somewhere within the protected location
	OIDCRedirectURI https://myapp.example.com/signin-oidc
	OIDCCryptoPassphrase <random string used by mod_auth_oidc for state encryption>
	OIDCScope "openid profile" # scopes to request
	OIDCRemoteUserClaim preferred_username # this claim value is mapped to the REMOTE_USER variable

	# enable this for verbose rewrite logging, good for troubleshooting
	# LogLevel warn rewrite:trace8

	# proxy requests to the target, while also updating headers to match
	# if URLs are absolute in the source, use mod_proxy_html to let apache update those
	ProxyPass / http(s)://original-site/and/path/if/required
	ProxyPassReverse / http(s)://original-site/and/path/if/required

	# since we want all paths on this server protected with AAD, plus we also need it for the /signin-oidc path to work
	<Location />
	AuthType openid-connect
	AuthName "aad"
	# valid-user in this case means any authenticated user
	Require valid-user
	</Location>

	<Location /api/echo>
	RewriteEngine On
	# this header name can be _whatever_ your application needs
	# note earlier we set OIDCRemoteUserClaim to use the preferred_username claim for the REMOTE_USER variable
	RequestHeader set X-some-header-name expr=%{REMOTE_USER} # e.g., someuser@example.com
	RequestHeader edit X-some-header-name @(.*) $2 # this rips out the @realm.com part of the UPN, e.g., someuser
	AuthType openid-connect
	AuthName "api-echo"
	Require valid-user
	</Location>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	</VirtualHost>

	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet