unrestricted access for specific domain

Cantor, Scott cantor.2 at osu.edu
Fri Nov 2 12:55:25 EDT 2018

On 11/2/18, 12:24 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:

> But I guess Debian (building, packaging and shippping both nginx and
> the Shib SP) could still ship a Shib module for nginx alongside their
> nginx and other modules?

If the source code existed, yes. I didn't get far enough into it to see how much work it would take, but I also saw a lot of references to people doing things where the nginx author would say "don't do that" so I couldn't tell how well defined its API even was.

> IIRC Debian also enables FastCGI support in their Shib packages by
> default. So that should allow fully prepackaged Shib support on
> Debian (and friends), at least.

I don't think the authorizer support in FastCGI is part of nginx even now. And the thing I found online that uses FastCGI apparently does it in a very weird way that re-introduces the risk of using headers into the equation, so it was all a bit of a mess from what I could see. It wasn't "just making FastCGI work", but some kind of weird reuse of the FastCGI code to implement the support back within nginx by doing some kind of subrequest hack that the nginx author told that guy he shouldn't do.

I stopped looking at that, and then went and looked at the module option, and then that seemed to be impractical as a core deliverable since I'm not going to be packaging nginx and it stopped looking like a great use of my time.

-- Scott

More information about the users mailing list