nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Add includes to built dynamic packages #46

Closed DaAwesomeP closed 2 years ago

DaAwesomeP commented 2 years ago

Note that support requests for Shibboleth configuration and Nginx or web server setup should be directed to the Shibboleth community users mailing list. See https://www.shibboleth.net/community/lists/ for details.

Describe the bug

The includes are not installed by the built dynamic packages.

Expected behaviour

shib_fastcgi_params and shib_clear_headers should be managed by the dynamic packages.

Steps to Reproduce Issue

  1. Build and install a dynamic shib package
  2. Said files are missing and must be manually installed separate from the versioning/package management

Setup & Logs

N/A

Versions and Systems

module v2.0.1, Debian 11

Additional context

I'm not sure if this is possible with pkg-oss or not. If it is then it would make installing even smoother.

davidjb commented 2 years ago

Thanks for your suggestion, @DaAwesomeP. Packaging of this module is out-of-scope as it relates to the intended deployment environment & your OS. We do make some suggestions as to packaging processes but they're just indications of what could be used. In other words, packaging is a separate process and pkg-oss is a separate tool.

That being said, pkg-oss doesn't have the ability to include arbitrary files in its package builds. It's worth bearing in mind that even if it had this ability, these shib/Nginx include files are provided as templates, requiring customisation to suit your application & environment. Relying on shib_clear_headers without modifying or reviewing its contents will lead to security vulnerabilities. Similarly, whilst shib_fastcgi_params provides some common defaults, different Shibboleth environments can and do use different attributes and thus need specific configuration (plus performance/security is improved by only using directives you explicitly utilise).

If you did feel these templates are useful in their current form, you could either modify the packages you're building to add them (e.g. after being produced by pkg-oss), or otherwise create a tiny package that contains just these files (or, more specifically, ones that match your environment's requirements). As maintainer, I don't intend to move/rename or grossly modify these templates, but I can't give any guarantees as to their stability as they're configuration examples.
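Added example (not part of the thread and not the project's own tooling): one way to follow the "tiny package" route suggested above on Debian, staging your reviewed copies of the two include files as dpkg conffiles so that local edits survive upgrades. The package name, version, maintainer and the `/etc/nginx` install path are assumptions.

```shell
#!/bin/sh
# Stage (and, where dpkg-deb exists, build) a config-only .deb that ships
# site-reviewed copies of shib_clear_headers and shib_fastcgi_params.
# Assumed values, not from the project: package name, version, maintainer,
# and the install location under /etc/nginx.

PKG_NAME="nginx-shib-includes-local"   # hypothetical package name
PKG_VERSION="0.1.0"                    # your own version, not the module's
CONF_DIR="etc/nginx"                   # assumed install location

# stage_pkg SRC_DIR STAGE_DIR
# SRC_DIR must hold your reviewed, customised copies of both include files.
stage_pkg() {
    src=$1 stage=$2
    # Refuse to package if either reviewed file is missing or empty.
    for f in shib_clear_headers shib_fastcgi_params; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    mkdir -p "$stage/DEBIAN" "$stage/$CONF_DIR" || return 1
    : > "$stage/DEBIAN/conffiles"
    for f in shib_clear_headers shib_fastcgi_params; do
        cp "$src/$f" "$stage/$CONF_DIR/$f" || return 1
        chmod 0644 "$stage/$CONF_DIR/$f"
        # Listing a file in conffiles makes dpkg keep local edits on upgrade.
        echo "/$CONF_DIR/$f" >> "$stage/DEBIAN/conffiles"
    done
    cat > "$stage/DEBIAN/control" <<EOF
Package: $PKG_NAME
Version: $PKG_VERSION
Architecture: all
Maintainer: Placeholder Admin <admin@example.invalid>
Description: Site-reviewed Shibboleth include files for nginx
EOF
}

# build_pkg STAGE_DIR OUT_DIR
# Builds the .deb from a staged tree; returns 2 if dpkg-deb is unavailable.
build_pkg() {
    command -v dpkg-deb >/dev/null 2>&1 || { echo "dpkg-deb not found" >&2; return 2; }
    dpkg-deb --build --root-owner-group "$1" "$2/${PKG_NAME}_${PKG_VERSION}_all.deb"
}
```

Source the script, then run `stage_pkg ./reviewed ./stage && build_pkg ./stage .`; the resulting package installs alongside the module package built with pkg-oss and is versioned independently of it.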

DaAwesomeP commented 2 years ago

Thank you very much for your explanation!