OpenID Provider on Nginx and SimpleSamlPHP

This is a bit tricky, but I thought I'd share my findings on OpenID, self-signed certificates, SimpleSAMLphp and nginx. I like nginx, and I have got SimpleSAMLphp running on it. Self-signed certificates are a problem, though: OpenID relying parties do not trust self-signed certificates, but they do trust plain, non-SSL sites. How great of them. So I worked out how to make use of this by letting nginx step in and redirect to https at the right moment: OpenID discovery happens over plain http, and only the login page, where the password is entered, is forced onto https. Here's my nginx config. How to set up SimpleSAMLphp as an OpenID provider is best described on the SSP web pages.

nginx config

# http plaintext: OpenID discovery and the identifier page are served here,
# because relying parties refuse a self-signed certificate but accept plain http.
server {
 listen 1.2.3.4:80;
 listen [2000:1:2:3::1]:80;
 server_name openid.server.com;
 root /var/www/saml/public_html/current/www/;
 access_log /var/log/nginx/openid.server.com.access.log;
 error_log /var/log/nginx/openid.server.com.error.log;
 index index.php index.html index.htm;

 # Here the actual redirection to https takes place when the user signs in.
 # Only the page that receives the password is moved. This location must stay
 # above the generic \.php location: nginx takes the first matching regex location.
 # $request_uri keeps path and query string (SimpleSAMLphp's AuthState parameter).
 # The earlier "rewrite ^(.*)$ https://openid.server.com/$1;" produced a double
 # slash in the target, because $1 already starts with "/".
 location ~ ^/module\.php/core/loginuserpass\.php {
 return 302 https://openid.server.com$request_uri;
 }
 location ~ \.php(.*)$ {
 include /etc/nginx/fastcgi_params;

 # fastcgi_split_path_info (available since 0.7.31) splits the request URI into
 # the script and the trailing path information, which SimpleSAMLphp needs for
 # requests such as module.php/some/paths/here/. The first capture has to allow
 # scripts in subdirectories (for example /saml2/idp/metadata.php); the earlier
 # pattern ^(/[a-z]+\.php)(.+)$ only matched scripts directly below the root.
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;

 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
 fastcgi_param REQUEST_URI $request_uri;

 fastcgi_pass unix:/var/run/fpm/openid.server.com;
 }
}

# https: the login form and everything after it
server {
 # "ssl" on the listen directive replaces the older "ssl on;" setting.
 listen 1.2.3.4:443 ssl;
 listen [2000:1:2:3::1]:443 ssl;
 server_name openid.server.com;
 root /var/www/saml/public_html/current/www/;
 access_log /var/log/nginx/openid.server.com.access.log;
 error_log /var/log/nginx/openid.server.com.error.log;
 index index.php index.html index.htm;
 ssl_session_timeout 5m;
 # SSLv3 and the EXPORT/LOW cipher groups of the earlier list are not worth
 # enabling, not even behind a self-signed certificate; this is the password page.
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 ssl_prefer_server_ciphers on;
 ssl_certificate ssl/openid.cert.pem;
 ssl_certificate_key ssl/openid.key.pem;

 location ~ \.php(.*)$ {
 include /etc/nginx/fastcgi_params;

 # Same PATH_INFO handling as in the plaintext server block above.
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;

 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
 fastcgi_param REQUEST_URI $request_uri;

 fastcgi_pass unix:/var/run/fpm/openid.server.com;
 }
}
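The one property this setup has to guarantee is that the page receiving the password is never served over plain http and that the redirect lands on the same path and query on the https host. The following check is an added example, not part of the original post: it evaluates responses from the port-80 vhost (constructed inline here, not captured live) against that property, and it flags the double slash that a rewrite of the form `https://openid.server.com/$1` produces. Host name and login path are the ones from the config above.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "openid.server.com"                 # server_name from the config
LOGIN_PATH = "/module.php/core/loginuserpass.php"   # the page that receives the password


def check_login_redirect(request_uri, status, headers):
    """Return the problems found in one plaintext response to the login page.

    An empty list means the port-80 vhost did what the config intends: a 3xx
    pointing at the same path and query string on https://openid.server.com.
    """
    problems = []
    if not 300 <= status < 400:
        return [f"login page served over plaintext (HTTP {status})"]
    location = headers.get("Location")
    if not location:
        return ["redirect carries no Location header"]
    want, got = urlsplit(request_uri), urlsplit(location)
    if got.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if got.hostname != EXPECTED_HOST:
        problems.append(f"redirect leaves {EXPECTED_HOST}: {got.hostname}")
    if "//" in got.path:
        problems.append(f"double slash in path, typical of 'rewrite ... /$1': {got.path}")
    if got.path != want.path:
        problems.append(f"path changed: {want.path} -> {got.path}")
    if got.query != want.query:
        problems.append("query string (SimpleSAMLphp AuthState) lost in redirect")
    return problems


# Constructed responses, shaped like what curl -I against port 80 would show;
# none of them was captured from a live server.
SAMPLES = {
    "fixed redirect": (302, {"Location": f"https://{EXPECTED_HOST}{LOGIN_PATH}?AuthState=abc"}),
    "rewrite with /$1": (302, {"Location": f"https://{EXPECTED_HOST}/{LOGIN_PATH}?AuthState=abc"}),
    "no redirect at all": (200, {"Content-Type": "text/html"}),
    "redirect stays on http": (302, {"Location": f"http://{EXPECTED_HOST}{LOGIN_PATH}?AuthState=abc"}),
}


def run_samples():
    """Evaluate every constructed sample; maps sample name -> list of problems."""
    return {name: check_login_redirect(f"{LOGIN_PATH}?AuthState=abc", status, headers)
            for name, (status, headers) in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Against a real deployment, feed `check_login_redirect` the status and headers of an `http://` request to the login page without following redirects.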

Last modified: 2013