diff --git a/group_vars/ezproxy/common.yml b/group_vars/ezproxy/common.yml index 773affd3a8..3ca3e6e921 100644 --- a/group_vars/ezproxy/common.yml +++ b/group_vars/ezproxy/common.yml @@ -1,4 +1,5 @@ --- +ezproxy_admin_password: "{{ vault_ezproxy_admin_password }}" shib_admin_user: - jm110@princeton.edu - kr2@princeton.edu @@ -20,4 +21,4 @@ logrotate_rules: postrotate: | if /usr/sbin/service ezproxy status > /dev/null ; then \ /usr/sbin/service ezproxy restart > /dev/null; \ - fi; \ No newline at end of file + fi; diff --git a/group_vars/ezproxy/testing.yml b/group_vars/ezproxy/testing.yml index 922c314414..c00b9d679f 100644 --- a/group_vars/ezproxy/testing.yml +++ b/group_vars/ezproxy/testing.yml @@ -1,7 +1,8 @@ --- install_ruby_from_source: true -desired_ruby_version: "3.1.0" -ruby_version_override: "ruby-3.1.0" +# these can go to common when we merge testing +desired_ruby_version: "3.4.4" +ruby_version_override: "ruby-3.4.4" domain_name: "ezproxy-test" domain_place_name: "ezproxy-test" generic_app_user: ezproxy @@ -11,3 +12,6 @@ ezproxy_public_host: ezproxy-test.princeton.edu # being passed to the campus IDP for Shibbleth/SAML integration. # See pul-it-handbook: https://github.com/pulibrary/pul-it-handbook/blob/main/services/ezproxy.md cert_value: "3" +sudo_options: "ALL=(ALL) NOPASSWD: /usr/sbin/service ezproxy *" +microsoft_entra_idp_uuid: "{{ vault_microsoft_entra_testing_idp_uuid }}" +microsoft_entra_app_uuid: "{{ vault_microsoft_entra_testing_app_uuid }}" diff --git a/group_vars/ezproxy/vault.yml b/group_vars/ezproxy/vault.yml index 914d2cee0b..b3491f625a 100644 --- a/group_vars/ezproxy/vault.yml +++ b/group_vars/ezproxy/vault.yml 
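Review bot: The trailing wildcard in `sudo_options: "ALL=(ALL) NOPASSWD: /usr/sbin/service ezproxy *"` (testing.yml) lets sudo match any number of extra arguments, which is broader than the restart-only rule the ezproxy role still writes into /etc/sudoers, so the host ends up with two overlapping rules of different scope. Enumerate the actions instead: `sudo_options: "ALL=(ALL) NOPASSWD: /usr/sbin/service ezproxy start, /usr/sbin/service ezproxy stop, /usr/sbin/service ezproxy restart, /usr/sbin/service ezproxy status"`. If the wider rule is intentional for testing only, say so in a comment above the line, since the comment on the ruby versions already signals this file is slated to be merged into common.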
@@ -1,14 +1,24 @@ -$ANSIBLE_VAULT;1.1;AES256 -64393166663436613661613835303939623631383236393563626435366237353336396363343131 -3730303231643865626436383231303865623139363431370a626230663864316536363733373662 -30643637326437623933346137666462613935386364666439363962643537336664623638613236 -3333633438343431370a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pul +65303738656531363232386635383430646261333333316438343330633335383737663462366133 +3332616164656665623533303038323131313138393331330a336636636366623033306439656333 +32663363343038363662363431383839303635666662386266636439643332653739656265636131 +3463333063323066360a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diff --git a/roles/deploy_user/tasks/main.yml b/roles/deploy_user/tasks/main.yml index bb484b11db..732fa8b4f9 100644 --- a/roles/deploy_user/tasks/main.yml +++ b/roles/deploy_user/tasks/main.yml @@ -1,9 +1,7 @@ ---- - name: deploy_user | create system user group ansible.builtin.group: name: "{{ deploy_user }}" gid: "{{ deploy_user_uid }}" - - name: deploy_user | create system user ansible.builtin.user: name: "{{ deploy_user }}" @@ -11,7 +9,6 @@ group: "{{ deploy_user }}" home: "/home/{{ deploy_user }}" shell: "{{ deploy_user_shell }}" - # this task uses the '*.keys' GitHub URLs to access key contents # the contents are used in a template two tasks further down - name: deploy_user | get key content from github @@ -21,8 +18,6 @@ changed_when: false run_once: true tags: update_keys - - - name: deploy_user | create the .ssh directory ansible.builtin.file: path: "/home/{{ deploy_user }}/.ssh/" @@ -30,7 +25,6 @@ owner: "{{ deploy_user }}" group: "{{ deploy_user }}" mode: 0700 - - name: deploy_user | build authorized keys file ansible.builtin.template: src: authorized_keys.j2 
@@ -40,26 +34,90 @@ mode: '0600' backup: true tags: update_keys - - name: deploy_user | allow "authorized_key" files ansible.builtin.lineinfile: > - dest=/etc/ssh/sshd_config - state=present - backrefs=yes - regexp='^#AuthorizedKeysFile(.*?)$' - line="AuthorizedKeysFile\1" + dest=/etc/ssh/sshd_config state=present backrefs=yes regexp='^#AuthorizedKeysFile(.*?)$' line="AuthorizedKeysFile\1" + when: - running_on_server +# Gather existing AllowUsers users from legacy main sshd_config +- name: deploy_user | gather AllowUsers from /etc/ssh/sshd_config + ansible.builtin.command: + cmd: awk '/^AllowUsers/ {for (i=2;i<=NF;i++) print $i}' /etc/ssh/sshd_config + register: deploy_legacy_allowusers + changed_when: false + failed_when: false + when: running_on_server -- name: deploy_user | allow deploy user to SSH - ansible.builtin.lineinfile: > - dest=/etc/ssh/sshd_config - state=present - backrefs=yes - regexp='^AllowUsers(.*?)( ?)({{ deploy_user }})?$' - line="AllowUsers\1 {{ deploy_user }}" +# Gather existing AllowUsers users from the old drop-in file, if it exists +- name: deploy_user | gather AllowUsers from /etc/ssh/sshd_config.d/99-allowusers-pulsys.conf + ansible.builtin.command: + cmd: awk '/^AllowUsers/ {for (i=2;i<=NF;i++) print $i}' /etc/ssh/sshd_config.d/99-allowusers-pulsys.conf + register: deploy_dropin_allowusers + changed_when: false + failed_when: false + when: running_on_server + +# Build list of existing AllowUsers entries from both places +- name: deploy_user | build existing AllowUsers list + ansible.builtin.set_fact: + deploy_ssh_allowusers_existing: >- + {{ + ( + (deploy_legacy_allowusers.stdout_lines | default([])) + + (deploy_dropin_allowusers.stdout_lines | default([])) + ) | unique + }} + when: running_on_server + +# Build unified list including deploy_user (only if pulsys is already present) +- name: deploy_user | build unified AllowUsers list + ansible.builtin.set_fact: + deploy_ssh_allowusers_unified: >- + {{ + (deploy_ssh_allowusers_existing + 
[deploy_user]) | unique + }} + when: + - running_on_server + - deploy_ssh_allowusers_existing is defined + - "'pulsys' in deploy_ssh_allowusers_existing" + +# Write new unified sshd drop-in +- name: deploy_user | write unified AllowUsers drop-in + ansible.builtin.copy: + dest: /etc/ssh/sshd_config.d/99-allowusers.conf + owner: root + group: root + mode: '0644' + content: | + # Managed by Ansible + AllowUsers {{ deploy_ssh_allowusers_unified | join(' ') }} + when: + - running_on_server + - deploy_ssh_allowusers_unified is defined + notify: + - restart sshd + +# Remove legacy AllowUsers line from main sshd_config +- name: deploy_user | remove legacy AllowUsers from /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + state: absent + regexp: '^AllowUsers\b' when: - running_on_server + - deploy_ssh_allowusers_unified is defined + notify: + - restart sshd + +# Remove old pulsys-only drop-in +- name: deploy_user | remove legacy 99-allowusers-pulsys.conf + ansible.builtin.file: + path: /etc/ssh/sshd_config.d/99-allowusers-pulsys.conf + state: absent + when: + - running_on_server + - deploy_ssh_allowusers_unified is defined notify: - restart sshd @@ -86,7 +144,6 @@ IdentityFile ~/.ssh/id_rsa User git register: deploy_ssh_config - - name: deploy_user | set sudo options for {{ deploy_user }} ansible.builtin.template: src: sudo.j2 @@ -96,7 +153,6 @@ - sudo_options is defined loop_control: label: "{{ deploy_user }}" - - name: deploy_user | Run all handlers notified by the deploy_user role ansible.builtin.meta: flush_handlers changed_when: false diff --git a/roles/ezproxy/.env.local.yml b/roles/ezproxy/.env.local.yml new file mode 100644 index 0000000000..f4b537550f --- /dev/null +++ b/roles/ezproxy/.env.local.yml @@ -0,0 +1,2 @@ +--- +MOLECULE_DOCKER_PLATFORM: linux/arm64 diff --git a/roles/ezproxy/defaults/main.yml b/roles/ezproxy/defaults/main.yml index 889d494bda..c6cc5205a8 100644 --- a/roles/ezproxy/defaults/main.yml 
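Review bot: The task "remove legacy AllowUsers from /etc/ssh/sshd_config" deletes the only AllowUsers line in the main config, but nothing in the hunk confirms that sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` directive; on a host without it the new 99-allowusers.conf is never read and removing the legacy line silently lifts the login restriction for every local account. Ubuntu 22.04 ships the Include by default, but this role gathers from a "legacy" config, so that cannot be assumed. Guard the removal on the presence of the Include, and note that `awk '/^AllowUsers/'` will also harvest an AllowUsers that sits inside a `Match` block, which would then be promoted to a global rule. The `restart sshd` handler is outside this hunk, so I cannot tell whether it runs `sshd -t` first; if not, that would be worth adding as well.
```yaml
# Only drop the legacy line once the drop-in directory is actually consulted
- name: deploy_user | confirm sshd_config includes sshd_config.d
  ansible.builtin.command:
    cmd: grep -Eq '^Include\s+/etc/ssh/sshd_config\.d/\*\.conf' /etc/ssh/sshd_config
  register: deploy_sshd_include
  changed_when: false
  failed_when: false
  when: running_on_server

# … unchanged: gather / build / write drop-in tasks …

- name: deploy_user | remove legacy AllowUsers from /etc/ssh/sshd_config
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    state: absent
    regexp: '^AllowUsers\b'
  when:
    - running_on_server
    - deploy_ssh_allowusers_unified is defined
    - deploy_sshd_include.rc == 0
  notify:
    - restart sshd
```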
+++ b/roles/ezproxy/defaults/main.yml @@ -1,4 +1,7 @@ --- +# shibboleth variables +microsoft_entra_idp_uuid: "{{ vault_microsoft_entra_idp_uuid | default('981dbab5-14a9-4b31-acc0-a8d0faec04d6') }}" +microsoft_entra_app_uuid: "{{ vault_microsoft_entra_app_uuid | default('1b833779-ac8f-40a1-84e2-44449d8d33be') }}" shib_admin_user: [] deploy_id_rsa_private_key: 'bogus_rsa_key' ezproxy_git_repo: "git@github.com:pulibrary/ezproxy_conf.git" @@ -7,4 +10,6 @@ ezproxy_default_branch: "master" oclc_wskey: "{{ vault_oclc_key | default('12345') }}" systems_user: "{{ admin_user | default('deploy') }}" deploy_private_key: "~/.ssh/id_rsa" -ezproxy_server_name: "{{ ezproxy_host | default('localhost') }}" \ No newline at end of file +ezproxy_server_name: "{{ ezproxy_host | default('localhost') }}" +ezproxy_admin_password: "{{ omit }}" +host_name: "{{ ezproxy_hostname | default('ezproxy-test.princeton.edu') }}" diff --git a/roles/ezproxy/molecule/default/molecule.yml b/roles/ezproxy/molecule/default/molecule.yml index 5a85b6a112..a968a2f3a8 100644 --- a/roles/ezproxy/molecule/default/molecule.yml +++ b/roles/ezproxy/molecule/default/molecule.yml @@ -9,7 +9,7 @@ lint: | ansible-lint platforms: - name: instance - image: "quay.io/pulibrary/jammy-ansible:latest" + image: "ghcr.io/pulibrary/vm-builds/ubuntu-22.04" command: "" volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/roles/ezproxy/tasks/cap_deployment.yml b/roles/ezproxy/tasks/cap_deployment.yml new file mode 100644 index 0000000000..081a2f0608 --- /dev/null +++ b/roles/ezproxy/tasks/cap_deployment.yml 
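Review bot: `ezproxy_admin_password: "{{ omit }}"` only omits a value when it is passed as a module argument; rendered inside a template (user.txt.j2 in this same commit) it comes out as the literal `__omit_place_holder__…` string, so any host that does not define the vault variable still gets an `ezproxy_admin` account with an unreviewed placeholder password. Default it to an empty string, `ezproxy_admin_password: ""`, and have the template skip the account when it is empty. The hard-coded Entra tenant/app UUID fallbacks are not secrets, but if they point at the production tenant a test host with a missing vault value would trust production logins; a comment stating which tenant they belong to would make that reviewable.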
@@ -0,0 +1,63 @@ +--- +# capistrano based tasks +- name: Ezproxy | Create app directory + ansible.builtin.file: + path: "{{ ezproxy_repo_root }}" + state: directory + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + mode: "0750" + recurse: true + become: true + +- name: Ezproxy | Ensure .ssh directory exists. + ansible.builtin.file: + path: "/home/{{ deploy_user }}/.ssh" + state: directory + mode: "0700" + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + +- name: Ezproxy | Allow ability to restart ezproxy for {{ deploy_user }} + ansible.builtin.lineinfile: + dest: "/etc/sudoers" + state: "present" + line: "{{ deploy_user }} ALL=(ALL) NOPASSWD: /usr/sbin/service ezproxy restart" + validate: "visudo -cf %s" + +- name: Ezproxy | chmod back permissions + ansible.builtin.file: + path: "{{ ezproxy_repo_root }}" + state: directory + recurse: true + mode: "0750" + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + become: true + +- name: Ezproxy | add geoip ppa + ansible.builtin.apt_repository: + repo: "ppa:maxmind/ppa" + state: present + +- name: Ezproxy | install geoupdate + ansible.builtin.apt: + name: geoipupdate + state: present + +- name: Ezproxy | add geoip configuration file + ansible.builtin.template: + src: geoip_conf.j2 + dest: "/etc/GeoIP.conf" + mode: "0644" + when: + - running_on_server + +- name: Ezproxy | run a cronjob to update + ansible.builtin.cron: + name: "run the update" + minute: 49 + hour: 8 + job: "/usr/bin/geoipupdate" + when: + - running_on_server diff --git a/roles/ezproxy/tasks/geoip.yml b/roles/ezproxy/tasks/geoip.yml new file mode 100644 index 0000000000..ff9faae9b1 --- /dev/null +++ b/roles/ezproxy/tasks/geoip.yml 
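Review bot: The sudoers `lineinfile` and the four geoip tasks in this new file duplicate tasks that remain in tasks/main.yml and the new tasks/geoip.yml, so the same sudo rule and cron entry are managed from three places and will drift the first time one copy is edited. Move the sudo grant to a dedicated drop-in, `dest: /etc/sudoers.d/{{ deploy_user }}-ezproxy` with `mode: "0440"` and the existing `validate: "visudo -cf %s"`, and replace the geoip block here with `ansible.builtin.import_tasks: geoip.yml`. I cannot see whether main.yml actually includes this file, so if it is not yet wired in, a short header comment saying it is meant to replace the capistrano-related tasks in main.yml would help.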
@@ -0,0 +1,27 @@ +--- +- name: Ezproxy | add geoip ppa + ansible.builtin.apt_repository: + repo: "ppa:maxmind/ppa" + state: present + +- name: Ezproxy | install geoupdate + ansible.builtin.apt: + name: geoipupdate + state: present + +- name: Ezproxy | add geoip configuration file + ansible.builtin.template: + src: geoip_conf.j2 + dest: "/etc/GeoIP.conf" + mode: "0644" + when: + - running_on_server + +- name: Ezproxy | run a cronjob to update + ansible.builtin.cron: + name: "run the update" + minute: 49 + hour: 8 + job: "/usr/bin/geoipupdate" + when: + - running_on_server \ No newline at end of file diff --git a/roles/ezproxy/tasks/main.yml b/roles/ezproxy/tasks/main.yml index 908740acce..d432716898 100644 --- a/roles/ezproxy/tasks/main.yml +++ b/roles/ezproxy/tasks/main.yml @@ -27,7 +27,7 @@ - name: Ezproxy | install missing file replacements ansible.builtin.command: /var/local/ezproxy/ezproxy -m become: true - become_user: "{{ deploy_user }}" + become_user: root register: proxy_results changed_when: false failed_when: "proxy_results.rc != 1" @@ -37,24 +37,17 @@ - name: Ezproxy | install ezproxy startup script (requires root) ansible.builtin.command: /var/local/ezproxy/ezproxy -si become: true - become_user: "root" + become_user: root changed_when: false when: running_on_server - name: Ezproxy | run command with WSKey ansible.builtin.command: /var/local/ezproxy/ezproxy -k "{{ oclc_wskey }}" become: true + become_user: root changed_when: false when: running_on_server -- name: Ezproxy | create ezproxy tls directory - ansible.builtin.file: - path: "/var/local/ezproxy/tls" - state: directory - group: "{{ deploy_user }}" - owner: "{{ deploy_user }}" - mode: "0755" - - name: Ezproxy | Clean apt cache ansible.builtin.command: apt-get clean changed_when: false 
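Review bot: /etc/GeoIP.conf is written with `mode: "0644"`; geoip_conf.j2 is not in this diff, but if it carries the MaxMind AccountID/LicenseKey (which geoipupdate needs), that credential becomes readable by every local user, including the ezproxy service account. Since only the root cron job reads it, `mode: "0600"` with `owner: root` is sufficient. The file also lacks a trailing newline, which yamllint will flag.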
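Review bot: "Ezproxy | run command with WSKey" now runs as root but still passes the key on the command line, `ezproxy -k "{{ oclc_wskey }}"`, so the secret shows up in `ps` for the duration of the call and in Ansible's verbose/callback output. Add `no_log: true` to that task, and likewise to the certbot task further down that passes `vault_acme_eab_hmac_key` the same way. The default `oclc_wskey: "{{ vault_oclc_key | default('12345') }}"` means a host without the vault value will silently register a bogus key rather than fail; an `ansible.builtin.assert` on the variable before this task would surface that.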
@@ -80,6 +73,26 @@ msg: "Cache update failed after adding repository" when: ezproxy_cache_update.rc != 0 +- name: Ezproxy | Allow HTTP and HTTPS traffic + community.general.ufw: + rule: allow + port: "{{ item }}" + proto: tcp + loop: + - "80" + - "443" + when: + - running_on_server + +- name: Ezproxy | Allow checkmk from 128.112.0.0/16 + community.general.ufw: + rule: allow + port: "6556" + proto: tcp + src: "128.112.0.0/16" + when: + - running_on_server + - name: Ezproxy | install certbot ansible.builtin.apt: name: certbot @@ -89,25 +102,6 @@ ansible.builtin.command: /usr/bin/certbot certonly --standalone --non-interactive --agree-tos --email lsupport@princeton.edu --server https://acme.sectigo.com/v2/InCommonRSAOV --eab-kid {{ vault_acme_eab_kid }} --eab-hmac-key {{ vault_acme_eab_hmac_key }} --domain {{ domain_name }}.princeton.edu --cert-name {{ domain_place_name }} when: running_on_server -- name: Ezproxy | Creates a log directory for ezproxy - ansible.builtin.file: - path: "/var/local/ezproxy/log" - state: directory - owner: "{{ deploy_user }}" - group: "{{ deploy_user }}" - mode: "0755" - become: true - -- name: Ezproxy | Create app directory - ansible.builtin.file: - path: "{{ ezproxy_repo_root }}" - state: directory - owner: "{{ deploy_user }}" - group: "{{ deploy_user }}" - mode: "0750" - recurse: true - become: true - - name: Ezproxy | Ensure .ssh directory exists. ansible.builtin.file: path: "/home/{{ deploy_user }}/.ssh" @@ -123,16 +117,6 @@ line: "{{ deploy_user }} ALL=(ALL) NOPASSWD: /usr/sbin/service ezproxy restart" validate: "visudo -cf %s" -- name: Ezproxy | chmod back permissions - ansible.builtin.file: - path: "{{ ezproxy_repo_root }}" - state: directory - recurse: true - mode: "0750" - owner: "{{ deploy_user }}" - group: "{{ deploy_user }}" - become: true - - name: Ezproxy | add geoip ppa ansible.builtin.apt_repository: repo: "ppa:maxmind/ppa" 
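Review bot: The two `community.general.ufw` tasks add allow rules, but nothing in this hunk enables the firewall or sets a default policy, so on a host where ufw is inactive these rules have no effect and on one where it is active with `default allow` they add nothing; unless another role handles it, add `- community.general.ufw: state: enabled, policy: deny, direction: incoming` before these rules. A `comment: "checkmk agent from campus"` on the 6556 rule would document why a /16 is open to that port. The 6556 source is plausibly the campus range, but confirm it is the monitoring subnet rather than the whole institution if checkmk runs from a narrower block.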
@@ -186,21 +170,76 @@ when: - running_on_server +- name: Ezproxy | create ezproxy tls directory + ansible.builtin.file: + path: "/var/local/ezproxy/tls" + state: directory + group: "{{ deploy_user }}" + owner: "{{ deploy_user }}" + mode: "0755" + +- name: Ezproxy | Creates a log directory for ezproxy + ansible.builtin.file: + path: "/var/local/ezproxy/log" + state: directory + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + mode: "0755" + become: true + +- name: Ezproxy | add user config file + ansible.builtin.template: + src: "user.txt.j2" + dest: /var/local/ezproxy/user.txt + mode: "0644" + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + changed_when: false + when: + - running_on_server + - name: Ezproxy | add shib config user ansible.builtin.template: src: "shibuser.txt.j2" dest: /var/local/ezproxy/shibuser.txt mode: "0644" - owner: root - group: root + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + changed_when: false + when: + - running_on_server - name: Ezproxy | add princeton allow IP ranges ansible.builtin.template: src: "princeton_allow.txt.j2" dest: /var/local/ezproxy/princeton_allow.txt mode: "0644" - owner: root - group: root + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + changed_when: false + when: + - running_on_server + +- name: Ezproxy | copy ezproxy config.txt + ansible.builtin.template: + src: "config.txt.j2" + dest: "/var/local/ezproxy/config.txt" + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + mode: "0644" + changed_when: false + when: + - running_on_server + +- name: Ezproxy | chmod back permissions + ansible.builtin.file: + path: "/var/local/ezproxy" + state: directory + recurse: true + mode: "0755" + owner: "{{ deploy_user }}" + group: "{{ deploy_user }}" + become: true - name: Ezproxy | copy a systemd service ansible.builtin.template: 
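Review bot: user.txt now carries the break-glass admin password in clear text (`ezproxy_admin:{{ ezproxy_admin_password }}:admin` in user.txt.j2) yet is written `mode: "0644"` and then swept by the recursive `mode: "0755"` in "chmod back permissions", so the password is readable by every local account. The same recursive chown also hands config.txt, shibuser.txt and user.txt to `{{ deploy_user }}`, which appears to be the account the service runs as (`User=ezproxy` in the unit, `generic_app_user: ezproxy`), so a compromised proxy process can rewrite its own admin list; these were root-owned before this commit. For the credential and policy files use `owner: root`, `group: "{{ deploy_user }}"`, `mode: "0640"`, and narrow the recursive task to the directories EZproxy must write (log/, tls/) rather than the whole tree. `changed_when: false` on all four template tasks also hides config drift from `--check` runs and is worth dropping.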
@@ -219,25 +258,6 @@ when: - running_on_server -- name: Ezproxy | copy ezproxy config.txt - ansible.builtin.template: - src: "config.txt.j2" - dest: "/var/local/ezproxy/config.txt" - owner: root - group: root - mode: "0644" - changed_when: false - when: - - running_on_server - -- name: Ezproxy | add user config file - ansible.builtin.template: - src: "user.txt.j2" - dest: /var/local/ezproxy/user.txt - mode: "0644" - owner: root - group: root - - name: Ezproxy | start ezproxy ansible.builtin.service: name: ezproxy diff --git a/roles/ezproxy/templates/config.txt.j2 b/roles/ezproxy/templates/config.txt.j2 index 67cacdf65f..2d84acacce 100644 --- a/roles/ezproxy/templates/config.txt.j2 +++ b/roles/ezproxy/templates/config.txt.j2 
@@ -1,24 +1,39 @@ -### Make the hostfile configurable by ansible -Name {{ inventory_hostname }} -Option ForceHTTPSLogin +{{ ansible_managed | comment }} +Name {{ host_name }} + +# IncludeFile hostname.txt + Option ProxyByHostname -## Loadbalancer IP -Option ForceHTTPSLogin + +## Loadbalancer IP ## +# initial install cannot have https +# Option ForceHTTPSLogin +# LoginPortSSL 443 + ## By default, EZproxy listens on port 2048. LoginPort 80 -#Option DisableSSLv2 -LoginPortSSL 443 + ## Shibboleth Configuration -ShibbolethDisable 1.3 -ShibbolethMetadata -EntityID=http://{{ ezproxy_public_host }} -File=idp_princeton.xml -Cert={{ cert_value }} +# ShibbolethDisable 2.0 +## Shibboleth Metadata (see: https://help.oclc.org/Library_Management/EZproxy/Authenticate_users/EZproxy_authentication_methods/SAML_authentication) +## Find out the need for Cert=3 below +# ShibbolethMetadata \ +# -EntityID=http://{{ host_name }} \ +# -File=MetadataFile \ +# -SignResponse=false -SignAssertion=true -EncryptAssertion=false \ +# -Cert=3 \ +# -URL=https://login.microsoftonline.com/{{ microsoft_entra_idp_uuid }}/federationmetadata/2007-06/federationmetadata.xml?appid={{ microsoft_entra_app_uuid }} + ## Connection limits. == see: http://www.oclc.org/support/documentation/ezproxy/cfg/limits.htm MaxLifetime 30 MaxSessions 500 MaxVirtualHosts 17000 MaxConcurrentTransfers 300 -# Adding Per OCLC Support Ticket + +## Adding Per OCLC Support Ticket ChargeSetLatency SaveUsage 120 + ## Securing EZproxy == see: http://www.oclc.org/support/documentation/ezproxy/example/securing.htm Audit Most AuditPurge 360 
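Review bot: Commenting out `Option ForceHTTPSLogin` and `LoginPortSSL 443` means the login form, including the new `ezproxy_admin` password, is submitted over plain HTTP on port 80 for as long as this template is deployed, and the "initial install cannot have https" comment gives no way to turn it back on without another code change. The unit file in this commit grants `CAP_NET_BIND_SERVICE` and main.yml obtains a certificate with certbot, so gate the two lines on a variable instead: `{% if ezproxy_force_https | default(false) %}` … `Option ForceHTTPSLogin` / `LoginPortSSL 443` … `{% endif %}`. `cert_value` is no longer referenced here but is still set in testing.yml; either remove it or note that the commented ShibbolethMetadata line will use it when re-enabled.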
@@ -27,28 +42,30 @@ Option LogSession IntruderIPAttempts -interval=5 -expires=15 20 IntruderUserAttempts -interval=5 -expires=15 10 UsageLimit -interval=10 -expires=120 -MB=300 -transfers=600 Global -# Set up Support for IP Geo Coding + +## Set up Support for IP Geo Coding Location -File=/usr/share/GeoIP/GeoLite2-City.mmdb Option BlockCountryChange -# Log formatting + +## Log formatting LogFormat %h %l %u %t "%r" %s %b "%{Country()}e" "%{user-agent}i" LogFile -strftime log/ezp%Y%m%d.log -# send logfiles to the log subdir -# log starting point URLs +## send logfiles to the log subdir +## log starting point URLs LogSPU -strftime log/spu%Y%m%d.log %h %l %u %t "%r" %s %b # for analysis in tab delimited file -# Princeton IP Blocks -IncludeFile config/current/admin/ipblocks.txt #Community EZproxy block repo # -IncludeFile config/current/admin/neverproxy.txt -IncludeFile config/current/admin/non_proxy_stanzas.txt +###### This will be configured by the cap deploy ###### +# Princeton IP Blocks +# IncludeFile config/current/admin/ipblocks.txt +# IncludeFile config/current/admin/neverproxy.txt +# IncludeFile config/current/admin/non_proxy_stanzas.txt +# Stanzas that must appear at start of config +# IncludeFile config/current/includes/positiondependent.txt +# Keep in A to Z Order +# IncludeFile config/current/includes.txt ###### Now add the default Group for all other databases ################################# Group Default # Excluded campus IP ranges from proxying IncludeFile princeton_allow.txt - -# Stanzas that must appear at start of config -IncludeFile config/current/includes/positiondependent.txt -# Keep in A to Z Order -IncludeFile config/current/includes.txt diff --git a/roles/ezproxy/templates/ezproxy.service.j2 b/roles/ezproxy/templates/ezproxy.service.j2 index aeadec8ff6..f85b53218e 100644 --- a/roles/ezproxy/templates/ezproxy.service.j2 +++ b/roles/ezproxy/templates/ezproxy.service.j2 
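Review bot: The `IncludeFile` lines for ipblocks.txt, neverproxy.txt and the stanza includes are commented out "to be configured by the cap deploy", so between this playbook run and the first cap deploy the proxy runs with no IP block list or neverproxy rules and no database stanzas at all; if the deploy ever fails those protections stay off. Rather than commenting them out, keep the includes and have the role ship empty placeholder files, or gate them on a variable the deploy sets, e.g. `{% if ezproxy_cap_deployed | default(false) %}IncludeFile config/current/admin/ipblocks.txt{% endif %}`. A one-line comment saying which deploy step is expected to re-add them would also help the next reader.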
@@ -1,17 +1,25 @@ -# {{ ansible_managed | comment }} [Unit] Description=EZProxy Documentation=https://help.oclc.org/Library_Management/EZproxy -After=network.target local-fs.target nss-lookup.target network-online.target +After=network-online.target +Wants=network-online.target [Service] -Type=simple +Type=forking +WorkingDirectory=/var/local/ezproxy +UMask=007 +LimitNOFILE=65536 +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE ExecStart=/var/local/ezproxy/ezproxy start ExecStop=/var/local/ezproxy/ezproxy stop ExecReload=/var/local/ezproxy/ezproxy restart Restart=on-failure RestartSec=3 +User=ezproxy +Group=ezproxy +WorkingDirectory=/var/local/ezproxy +UMask=007 [Install] WantedBy=multi-user.target -Alias=ezproxy.service diff --git a/roles/ezproxy/templates/shibuser.txt.j2 b/roles/ezproxy/templates/shibuser.txt.j2 index ee48c4421c..98ec89c930 100644 --- a/roles/ezproxy/templates/shibuser.txt.j2 +++ b/roles/ezproxy/templates/shibuser.txt.j2 @@ -1,13 +1,14 @@ -"{{ ansible_managed | comment }}" +{{ ansible_managed | comment }} # # -If !(auth:issuer eq "https://idp.princeton.edu/idp/shibboleth"); +If !(auth:issuer eq "https://sts.windows.net/{{ microsoft_entra_idp_uuid }}/"); Deny unaffiliated.html -If !(Any(auth:memberOf, "CN=PU:LIB:electronicaccess:remote,OU=Grouper,DC=pu,DC=win,DC=princeton,DC=edu")); - Deny unauthorized.html Group Default +Debug {% for item in shib_admin_user %} -If auth:eduPersonPrincipalName eq "{{ item }}"; +If auth:"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" eq "{{ item }}"; Admin {% endfor %} -If auth:eduPersonPrincipalName ne ""; Set login:loguser = auth:eduPersonPrincipalName +If auth:"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" ne ""; + Set login:loguser = auth:"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" + diff --git a/roles/ezproxy/templates/user.txt.j2 b/roles/ezproxy/templates/user.txt.j2 index 82841ecb9c..148f9d663d 100644 
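Review bot: `WorkingDirectory=/var/local/ezproxy` and `UMask=007` each appear twice in [Service]; systemd takes the last value so it is harmless today, but drop the second pair so a future edit to one copy is not silently overridden. With `Type=forking` and no `PIDFile=`, systemd has to guess the main PID, which makes `Restart=on-failure` less reliable; if `ezproxy start` writes a pid file, point `PIDFile=` at it. Since the process is already confined to `CAP_NET_BIND_SERVICE`, `NoNewPrivileges=true` and `PrivateTmp=true` are cheap additions that close off setuid escalation and /tmp sharing.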
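Review bot: The bare `Debug` directive added to shibuser.txt makes EZproxy log the incoming SAML attributes for every login, which is useful while the Entra cutover is debugged but should not ship to production; either remove it or wrap it in `{% if ezproxy_shib_debug | default(false) %}Debug{% endif %}`. The `Any(auth:memberOf, "CN=PU:LIB:electronicaccess:remote,…")` check was removed without a replacement, so any account the Entra tenant issues an assertion for is now authorized; if that restriction is meant to move to the Entra app's user-assignment requirement, a comment here saying so would keep the next reviewer from reading this as an accidental widening. Matching admins on the `…/claims/name` claim is fine as long as that claim is guaranteed by the app registration; confirm it cannot be user-set.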
--- a/roles/ezproxy/templates/user.txt.j2 +++ b/roles/ezproxy/templates/user.txt.j2 @@ -1,3 +1,6 @@ +{{ ansible_managed | comment }} +# break glass user +ezproxy_admin:{{ ezproxy_admin_password }}:admin ::Common IfCountry CN; Audit Access Denied Unauthorized Country IfCountry RU; Audit Access Denied Unauthorized Country @@ -14,7 +17,8 @@ Audit Deny login attempt from unauthorized country Deny loginbu.htm /Common -### Shib config for Princeton +## Shib for EntraID ::Shibboleth -IDP20 https://idp.princeton.edu/idp/shibboleth +# If login:auth eq "shibboleth"; +IDP20 https://sts.windows.net/{{ microsoft_entra_idp_uuid }}/ /Shibboleth
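Review bot: `ezproxy_admin:{{ ezproxy_admin_password }}:admin` is emitted unconditionally, so a host whose vault lacks `vault_ezproxy_admin_password` (or that uses the role default of `{{ omit }}`) still gets an `ezproxy_admin` account with whatever string the variable rendered to. Wrap the line: `{% if ezproxy_admin_password is defined and ezproxy_admin_password | length > 0 %}` / `ezproxy_admin:{{ ezproxy_admin_password }}:admin` / `{% endif %}`. Because this file holds the password in clear text, the template task writing it (in tasks/main.yml) should also use a mode no wider than 0640.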