Institutions authenticate users in different ways (Shibboleth, LDAP, etc.), so it is difficult for a one-size-fits-all OLE deployment to support every authentication method. A reverse proxy removes this bottleneck.
...
Alternatively, a System Parameter can be created with Namespace Code KR-NS and Parameter Name LOGOFF_REDIRECT_URL, with the URL specified in Parameter Value; OLE then uses that URL as the redirect link. The value in the System Parameter overrides the configuration in olefs-config-defaults.xml.

Note: Although the Logout button invalidates the OLE session, the session established by the application residing on the Proxy Server may continue and may need to be handled externally.
...
```apache
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} (.*)olefs(/portal\.do)?$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
```

Sample Configuration Files
Source: Kuali Jira, OLE-6321

VirtualHost Config for Tomcat on 8080

```apache
<VirtualHost *:80>
    ServerAdmin ccc2@lehigh.edu
    ServerName oletest.lib.lehigh.edu
    ProxyPreserveHost On
    RewriteEngine On
    DocumentRoot "/var/www/olehome"
    <Directory "/var/www/olehome">
        Options Indexes FollowSymLinks Includes ExecCGI
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        # AllowOverride FileInfo AuthConfig Limit
        #
        AllowOverride All
    </Directory>
    # For staff
    <Location /olefs>
        Redirect permanent / https://oletest.lib.lehigh.edu/
    </Location>
    # Allow from Library and Computing Center subnets.
    # Should be a shorter list, since anyone
    # who can go here can also go to oledocstore/bib/dataimport
    # We'll narrow this down later
    <Location /oledocstore>
        Order Allow,Deny
        Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.12 128.180.13 128.180.82 128.180.83
        ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore
        ProxyPassReverse /oledocstore
    </Location>
    # Allow from Linderman subnet
    # Also should be narrowed down more
    <Location /dataimport>
        Order Allow,Deny
        Allow from 128.180.82 128.180.83
        ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/bib/dataimport
        ProxyPassReverse /dataimport
    </Location>
    # Accessible to outside
    # /ncip -> oleapp:8080/olefs/OLENCIPResponder
    # special Relais IP range and a few testing machines on campus
    <Location /ncip>
        Order Allow,Deny
        Allow from 66.201.221.194/29
        Allow from 128.180.82.95
        Allow from 128.180.82.4
        ProxyPass http://oletest.lib.lehigh.edu:8080/olefs/OLENCIPResponder
        ProxyPassReverse /ncip
    </Location>
    # /sru -> oleapp:8080/oledocstore/sru
    # open to world
    <Location /sru>
        Order Allow,Deny
        Allow from all
        ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/sru
        ProxyPassReverse /sru
    </Location>
    # /documentrest/* -> oleapp:8080/oledocstore/documentrest/*
    # Probably only necessary from VuFind servers, but just limited to
    # library subnets for now
    <Location /documentrest>
        Order Allow,Deny
        Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.82 128.180.83 128.180.12 128.180.13
        ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/documentrest
        ProxyPassReverse /documentrest
    </Location>
</VirtualHost>
```

VirtualHost Config for Tomcat on 8443

```apache
<VirtualHost _default_:443>
    ServerAdmin ccc2@lehigh.edu
    ServerName oletest.lib.lehigh.edu
    ProxyPreserveHost On
    ProxyRequests Off
    RewriteEngine On
    #Works to force SSL before auth, but then OLE redirects to
    #regular http, which asks for auth again ...
    #If I change OLE to have https in common-config.xml, then
    #search boxes don't work
    #RewriteCond %{HTTPS} off
    #RewriteCond %{REQUEST_URI} (.*)olefs(/portal\.do)?$
    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    DocumentRoot "/var/www/olehome"
    <Directory "/var/www/olehome">
        Options Indexes FollowSymLinks Includes ExecCGI
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        # AllowOverride FileInfo AuthConfig Limit
        #
        #
        AllowOverride All
    </Directory>
    # For staff
    <Location /olefs>
        Order Allow,Deny
        Allow from all
        #mod_auth_form comes with Apache 2.4, which isn't in Wheezy ...
        #AuthType form
        #AuthName "ole"
        #gives you the ability to log in with ldap OR userid and passwords in the AuthUserFile
        #AuthFormProvider ldap file
        #AuthLDAPBindAuthoritative off
        #LDAPReferrals -- off below because of this error
        #https://www.apachelounge.com/viewtopic.php?t=4851&view=next
        # LDAPReferrals Off
        #AuthLDAPURL ldap://nis3.cc.lehigh.edu/dc=lehigh,dc=edu?uid
        #AuthUserFile /var/www/olehome/.htpasswd
        #AuthFormLoginRequiredLocation http://oletest.lib.lehigh.edu/olehome/ldap.html
        #AuthFormLoginSuccessLocation http://oletest.lib.lehigh.edu:8080/olefs
        #require valid-user
        # So we'll stick with Basic auth for now
        AuthType Basic
        AuthName "Lehigh OLE"
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://nis.cc.lehigh.edu/dc=lehigh,dc=edu?uid"
        AuthBasicProvider ldap file
        AuthUserFile /var/www/olehome/.htpasswd
        require valid-user
        ProxyPass http://oletest.lib.lehigh.edu:8443/olefs
        ProxyPassReverse http://oletest.lib.lehigh.edu:8443/olefs
        RequestHeader set Remote-User %{REMOTE_USER}s
    </Location>
    # Allow from Library and Computing Center subnets.
    # Should be a shorter list, since anyone
    # who can go here can also go to oledocstore/bib/dataimport
    # We'll narrow this down later
    <Location /oledocstore>
        Order Allow,Deny
        Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.12 128.180.13 128.180.82 128.180.83
        ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore
        ProxyPassReverse /oledocstore
    </Location>
    # Allow from Linderman subnet
    # Also should be narrowed down more
    <Location /dataimport>
        Order Allow,Deny
        Allow from 128.180.82 128.180.83
        ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/bib/dataimport
        ProxyPassReverse /dataimport
    </Location>
    # Accessible to outside
    # /ncip -> oleapp:8443/olefs/OLENCIPResponder
    # special Relais IP range and a few testing machines on campus
    <Location /ncip>
        Order Allow,Deny
        Allow from 66.201.221.194/29
        Allow from 128.180.82.95
        Allow from 128.180.82.4
        ProxyPass http://oletest.lib.lehigh.edu:8443/olefs/OLENCIPResponder
        ProxyPassReverse /ncip
    </Location>
    # /sru -> oleapp:8443/oledocstore/sru
    # open to world
    <Location /sru>
        Order Allow,Deny
        Allow from all
        ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/sru
        ProxyPassReverse /sru
    </Location>
    # /documentrest/* -> oleapp:8443/oledocstore/documentrest/*
    # Probably only necessary from VuFind servers, but just limited to
    # library subnets for now
    <Location /documentrest>
        Order Allow,Deny
        Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.82 128.180.83 128.180.12 128.180.13
        ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/documentrest
        ProxyPassReverse /documentrest
    </Location>
    # ... SSL configuration continues from here
```

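
A hardening check for the 8443 configuration, as an added example that is not part of the original page or the OLE project: the `/olefs` block passes the authenticated identity to OLE in a `Remote-User` request header, so this script reports every proxied `<Location>` that does not overwrite or unset that header, and any that is open to all addresses without authentication. That the backend would honour the header on the other paths is an assumption; `audit` and `SAMPLE` are names introduced here.

```python
import re

# Constructed sample modelled on the 8443 VirtualHost (commented line added to test comment handling).
SAMPLE = """\
<Location /olefs>
AuthType Basic
require valid-user
ProxyPass http://oletest.lib.lehigh.edu:8443/olefs
RequestHeader set Remote-User %{REMOTE_USER}s
</Location>
<Location /ncip>
Order Allow,Deny
Allow from 66.201.221.194/29
ProxyPass http://oletest.lib.lehigh.edu:8443/olefs/OLENCIPResponder
</Location>
<Location /sru>
Order Allow,Deny
Allow from all
#RequestHeader unset Remote-User
ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/sru
</Location>
"""

LOCATION = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def audit(conf, header="Remote-User"):
    """Map each proxied <Location> path to a list of hardening findings."""
    resets = re.compile(rf"RequestHeader\s+(set|unset)\s+{re.escape(header)}(\s|$)", re.I)
    report = {}
    for path, body in LOCATION.findall(conf):
        # Ignore blank lines and comments so disabled directives do not count.
        lines = [l.strip() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.match(r"ProxyPass\s", l, re.I) for l in lines):
            continue  # nothing is forwarded to Tomcat from this block
        findings = []
        if not any(resets.match(l) for l in lines):
            findings.append(f"client-supplied {header} is not overwritten or unset")
        authed = any(re.match(r"Require\s+(valid-user|user|group)", l, re.I) for l in lines)
        if not authed and any(re.match(r"Allow\s+from\s+all\b", l, re.I) for l in lines):
            findings.append("reachable from any address without authentication")
        report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Where a block is flagged, adding `RequestHeader unset Remote-User` to it ensures that only the proxy's own value ever reaches Tomcat.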
Version related issues
Note: Apache versions prior to Apache 2.4.4 (especially Apache 2.2.x shipped with Red Hat Enterprise Linux 6.x) cannot forward PATCH requests via the AJP protocol, which can interfere with some of OLE's APIs.
If you are experiencing HTTP 501 ("Method Not Implemented") errors, this may be the cause. Check your Apache version and error logs for messages such as "ajp_marshal_into_msgb - No such method PATCH".
Possible Fixes
- Use mod_proxy_http instead of mod_proxy_ajp in your proxy setup.
- Use at least Apache 2.4.4 with mod_proxy_ajp.
- (Unverified) Use mod_jk instead of mod_proxy_ajp.