I’ve spent way too much time on this in the last couple days, and the solution ended up being far too simple. I’ll spare you my agony by sticking to a straightforward howto format.
I just set up Kibana, but of course I wanted my users to connect over HTTPS and with proper authentication. Well, I thought, we have Google Apps here at Exosite — how hard could it be to set up a gateway that uses OpenID to authenticate you with Google Apps before passing you through to the content?
The answer: it’s super easy to set up, but it’s kind of tricky to figure out at first. Luckily for you, I’ve already done the figuring out.
Step 1: Install the things
The following is all I need to install on Debian 7:
apt-get install apache2 libapache2-mod-auth-openid
Step 2: Write your Apache config
This example runs an HTTPS server with the hostname “coolstuff.danslimmon.com”, and it assumes you have an SSL cert for that domain in /etc/ssl/certs. It forces the user to log into Google Apps with an email address ending in “@danslimmon.com”, and then proxies their request to another web server listening on localhost port 5601.
If you don’t have an SSL cert and you don’t mind having your users get SSL validation warnings in their browsers, you can use the default Snakeoil certs.
Put this file in “/etc/apache2/sites-available/openid”:
<VirtualHost *:443> ServerName coolstuff.danslimmon.com ProxyPass / http://localhost:5601/ SSLEngine on SSLCertificateFile /etc/ssl/certs/coolstuff.danslimmon.com.crt SSLCertificateKeyFile /etc/ssl/private/coolstuff.danslimmon.com.key SSLProxyEngine on SSLProxyCACertificatePath /etc/ssl/certs # Require a danslimmon.com email address via Google's OpenID <Location /> AuthType OpenID Require valid-user # Require Google's OpenID endpoint AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id # Require an @danslimmon.com email address AuthOpenIDAXRequire email \ http://axschema.org/contact/email @danslimmon\.com$ </Location> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown </VirtualHost>
Step 3: Enable the site
a2enmod ssl a2enmod proxy a2enmod proxy_http a2enmod authopenid a2ensite openid service apache2 restart
That should do it!