...

A sample docker-compose configuration is provided to illustrate the setup. This document describes the sample configuration.

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣

This is, however, not a production-ready configuration. At a minimum, the following changes are required:

  • The gateway must accept HTTPS (port 443) connections and redirect all HTTP (port 80) connections to it. This requires certificate setup,...
  • The gateway must be configured to interact with the chosen SSO platform (in the sample configuration it implements a simple basic auth mechanism).
  • The database must be deployed on a dedicated server: the docker image is provided for demo purposes only.

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣



The sample openIMIS-gateway is configured to restrict /api URLs (routed to the backend server) to users authenticated by a simple basic auth mechanism.

...

The backend layer checks that there is a corresponding valid (i.e. active) core.User for the provided identity and performs the Django login (without a password check at this level).

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣


As a consequence, never expose the backend port 8000 to the outside; otherwise identity spoofing is as simple as providing the username in the remote-user HTTP header.


💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣
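
One way to check a deployment for the exposure described above, as an added example that is not part of the openIMIS sample configuration: the function takes a parsed compose model (for instance the output of `docker compose config --format json`) and lists every service that publishes port 8000 on a non-loopback host address. The service names and both sample models are constructed for illustration.

```python
import ipaddress

BACKEND_PORT = 8000  # backend port named on this page

def parse_port(entry):
    """Return (host_ip, first, last container port) for one `ports` entry."""
    if isinstance(entry, dict):  # long syntax: target / published / host_ip
        host_ip, container = entry.get("host_ip", "0.0.0.0"), str(entry["target"])
    else:  # short syntax: [host_ip:][published:]container[/protocol]
        parts = str(entry).split("/")[0].rsplit(":", 2)
        host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
        container = parts[-1]
    first, _, last = container.partition("-")  # "8000-8010" style ranges
    return host_ip, int(first), int(last or first)

def exposed_backend_bindings(compose, port=BACKEND_PORT):
    """List (service, host_ip) pairs that publish `port` beyond loopback."""
    findings = []
    for name, service in compose.get("services", {}).items():
        for entry in service.get("ports", []):
            host_ip, first, last = parse_port(entry)
            if first <= port <= last and not ipaddress.ip_address(host_ip).is_loopback:
                findings.append((name, host_ip))
    return findings

# Constructed samples; the service names are hypothetical.
WEAK = {"services": {
    "gateway": {"ports": ["80:80"]},
    "backend": {"ports": ["8000:8000"]},   # reachable from outside the host
}}
HARDENED = {"services": {
    "gateway": {"ports": ["443:443", "80:80"]},
    "backend": {"expose": ["8000"]},       # container network only
}}

if __name__ == "__main__":
    for label, model in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, exposed_backend_bindings(model))
```

A `ports` entry without a host address binds to all interfaces, which is why the short form `8000:8000` is flagged while `expose` and loopback-only bindings are not.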

The default username/password authentication has been left active to allow direct access from within the openIMIS-net network (without going through the gateway).