Re: unrestricted access for specific domain
Martin Demko
325073 at mail.muni.cz
Fri Nov 2 10:25:31 EDT 2018
Dear Scott,
thank you anyway, I got useful information, so unless I decide to reconfigure
it to Apache I need to do the job in Nginx or even downstream.
Best regards,
Martin
"Cantor, Scott" <cantor.2 at osu.edu> wrote on Fri, 2 Nov 2018 14:15:04 +0000:
> On 11/2/18, 9:46 AM, "users on behalf of Martin Demko" <users-bounces at shibboleth.net on behalf of 325073 at mail.muni.cz> wrote:
>
> > What I need is a location in our web server which would be accessible
> > from some named domain (or IP address) without being treated by IdP.
>
> All the SP's requireSession commands do is turn it on or off, there are no
> limits on that. What you want can't be done by requiring a session up front.
> Apache might have some way of conditionalizing commands based on the
> requesting domain but you're not using it so that's moot.
>
> > Ok, maybe I should have started with the information that I use Nginx as a
> > proxy and the documentation for the cooperation of Nginx with Shibboleth is not
> > that wide and clear.
>
> I don't know anything about how the rules in Nginx work but either way
> that's probably where the work has to be done. The SP doesn't have a
> "require only if" concept because it gets that for free from Apache and it's
> impractical in native code to let people implement simple rule conditions
> like that. You probably would have to be using passive protection for the
> content with the requireSession setting off, and triggering everything in
> application code unless the web server can circumvent the use of the FastCGI
> authorizer because of a separate authorization rule based on IP
> address.
>
> I did look at whether first order Nginx support was a possibility for the
> project. It isn't. They don't support loadable modules and so there is no
> way for me to deliver a built module that works with somebody else's Nginx
> so I stopped looking at it. I would use Apache if you want to use the SP.
> You're trying to fit a square peg into a round hole.
>
> -- Scott
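Added example (not part of the original thread, and not Shibboleth project configuration): one way the address-based bypass of the FastCGI authorizer mentioned in Scott's reply can be expressed in Nginx, assuming a build that includes the third-party nginx-http-shibboleth and headers-more modules. The socket paths, backend address, location names and the 192.0.2.0/24 range are placeholders.

```nginx
# Fragment for the inside of an existing server { } block.
# Assumption: nginx-http-shibboleth (shib_request*) and headers-more
# (more_clear_input_headers) are compiled in.

# Shibboleth FastCGI responder: handles the SP's own endpoints.
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;   # placeholder path
}

# Shibboleth FastCGI authorizer: only reachable through subrequests.
location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;  # placeholder path
}

location /protected/ {
    # "satisfy any": a request is admitted when EITHER the address rule
    # OR the authorizer accepts it. With the default "satisfy all" both
    # would be required and the named network would still need a session.
    satisfy any;

    # Address rule. 192.0.2.0/24 is a documentation range; replace it.
    # If another proxy sits in front of Nginx, the address seen here is
    # that proxy's unless the realip module is configured.
    allow 192.0.2.0/24;
    deny  all;

    # Everyone else goes through the Shibboleth authorizer.
    shib_request /shibauthorizer;
    shib_request_use_headers on;

    # Requests admitted by address never reach the authorizer, so strip
    # client-supplied attribute headers first; otherwise a caller on the
    # allowed network could present forged identity headers to the backend.
    more_clear_input_headers 'Remote-User' 'Auth-Type' 'Shib-*';

    proxy_pass http://127.0.0.1:8080;                       # placeholder backend
}
```

The backend must treat a request without Shibboleth headers as unauthenticated-but-allowed traffic from the named network, not as a logged-in user.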