summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorTom Downes <tpdownes@gmail.com>2016-04-14 01:03:50 +0000
committerTom Downes <tpdownes@gmail.com>2016-04-14 01:03:50 +0000
commit897892132334f4004719d2489530898491f4fff6 (patch)
tree1e42e78f01d87a172cdf6c807a82462d24cf731a /doc
parent091c77e3c54b15fa2378a89d15400795dc9f91ee (diff)
downloadgitlab-ce-897892132334f4004719d2489530898491f4fff6.tar.gz
Update shibboleth configuration for GitLab 8.6 and Apache 2.4
Diffstat (limited to 'doc')
-rw-r--r--doc/integration/shibboleth.md47
1 files changed, 47 insertions, 0 deletions
diff --git a/doc/integration/shibboleth.md b/doc/integration/shibboleth.md
index a0be3dd4e5c..b6b2d4e5e88 100644
--- a/doc/integration/shibboleth.md
+++ b/doc/integration/shibboleth.md
@@ -76,3 +76,50 @@ sudo gitlab-ctl reconfigure
```
On the sign in page there should now be a "Sign in with: Shibboleth" icon below the regular sign in form. Click the icon to begin the authentication process. You will be redirected to IdP server (Depends on your Shibboleth module configuration). If everything goes well the user will be returned to GitLab and will be signed in.
+
+## Apache 2.4 / GitLab 8.6 update
+The order of the first 2 Location directives is important. If they are reversed,
+you will not get a shibboleth session!
+
+```
+ <Location />
+ Require all granted
+ ProxyPassReverse http://127.0.0.1:8181
+ ProxyPassReverse http://YOUR_SERVER_FQDN/
+ </Location>
+
+ <Location /users/auth/shibboleth/callback>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibUseHeaders On
+ Require shib-session
+ </Location>
+
+ Alias /shibboleth-sp /usr/share/shibboleth
+
+ <Location /shibboleth-sp>
+ Require all granted
+ </Location>
+
+ <Location /Shibboleth.sso>
+ SetHandler shib
+ </Location>
+
+ RewriteEngine on
+
+ #Don't escape encoded characters in api requests
+ RewriteCond %{REQUEST_URI} ^/api/v3/.*
+ RewriteCond %{REQUEST_URI} !/Shibboleth.sso
+ RewriteCond %{REQUEST_URI} !/shibboleth-sp
+ RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
+
+ #Forward all requests to gitlab-workhorse except existing files
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+ RewriteCond %{REQUEST_URI} ^/uploads/.*
+ RewriteCond %{REQUEST_URI} !/Shibboleth.sso
+ RewriteCond %{REQUEST_URI} !/shibboleth-sp
+ RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+ RequestHeader set X-Forwarded-Ssl on
+``` \ No newline at end of file