Merge pull request #347 from ITfoxtec/test
Test
Showing 27 changed files with 163 additions and 58 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# Custom domain | ||
|
||
Each FoxIDs tenant can be configured with a custom domain. The custom domain can be configured with [Control Client](control.md#foxids-control-client) | ||
in your tenants master track under Settings --> Tenant settings. | ||
|
||
![Configure reverse proxy secret](images/configure-tenant-custom-domain-my-track.png) | ||
|
||
> When a new custom domain is added it needs to be verified. | ||
## FoxIDs.com | ||
Configuring a custom domain in a FoxIDs.com tenant: | ||
|
||
1. In your DNS, add a CNAME with your custom domain and the target `custom-domains.foxids.com` | ||
2. Configure your custom domain in your FoxIDs tenants master track. | ||
3. Write an email to [FoxIDs support ([email protected])](mailto:[email protected]) and ask for a custom domain verification. | ||
4. FoxIDs support will ask you to add one or two TXT records to your DNS for verification. | ||
5. After successfully verification your domain become active. | ||
|
||
## Your own private cloud FoxIDs | ||
Custom domains is only supported if the FoxIDs service is behind a [reverse proxy](reverse-proxy.md) that can do domain rewrite. | ||
|
||
A domain is marked as verified in the master tenants master track and is thereafter accepted by FoxIDs. | ||
|
||
All custom domains on all tenants can be configured with [Control Client](control.md#foxids-control-client) and [Control API](control.md#foxids-control-api) in the master tenants master track. | ||
Where also the domain can be marked as verified at the same time. | ||
|
||
![Configure reverse proxy secret](images/configure-tenant-custom-domain-track.png) |
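Review bot: the verification story in this new page is the security-relevant part, but it is stated inconsistently between the two deployment sections: the FoxIDs.com section says a new domain "needs to be verified" and describes a DNS TXT check, while the private cloud section only says a domain "is marked as verified in the master tenants master track" without saying who is expected to prove ownership before it is marked. Add one sentence to the private cloud section stating that the operator must confirm the domain owner (for example with the same TXT record check) before marking it verified, and that an unverified domain is not accepted by FoxIDs. Smaller fixes in the same hunk: both image alt texts are copied from the reverse proxy page ("Configure reverse proxy secret") and should describe the custom domain screenshots; "After successfully verification your domain become active" should read "After successful verification your domain becomes active"; "Custom domains is only supported" should be "Custom domains are only supported"; "master tenants master track" should be "the master tenant's master track"; and the sentence fragment "Where also the domain can be marked as verified at the same time." should be joined to the preceding sentence.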
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
# Reverse proxy | ||
It is recommended to place FoxIDs behind a reverse proxy. | ||
|
||
The [custom primary domains](deployment.md#custom-primary-domains) exposed on the reverse proxy need to be the same as on the FoxIDs and FoxIDs Control Azure App services. | ||
The FoxIDs service support [custom domains](custom-domain.md) which is handled with domain rewrite through the reverse proxy. | ||
|
||
> FoxIDs only support [custom domains](custom-domain.md) if it is behind a reverse proxy and the access is restricted by the `X-FoxIDs-Secret` HTTP header. | ||
## Restrict access | ||
Both the FoxIDs service and FoxIDs Control sites can restrict access based on the `X-FoxIDs-Secret` HTTP header. | ||
The access restriction is activated by adding a secret with the name `Settings--ProxySecret` in Key Vault. | ||
|
||
![Configure reverse proxy secret](images/configure-reverse-proxy-secret.png) | ||
|
||
> The sites needs to be restarted to read the secret. | ||
After the reverse proxy secret has been configured in Key Vault the reverse proxy needs to add the `X-FoxIDs-Secret` HTTP header in all backed calls to FoxIDs to get access. | ||
|
||
## Read HTTP headers | ||
FoxIDs service support reading the client IP address in the following prioritized HTTP headers: | ||
|
||
1. `CF-Connecting-IP` | ||
2. `X-Azure-ClientIP` | ||
3. `X-Forwarded-For` | ||
|
||
FoxIDs service support reading the [custom domain](custom-domain.md) (host name) exposed on the revers proxy in the following prioritized HTTP headers: | ||
|
||
1. `X-ORIGINAL-HOST` | ||
2. `X-Forwarded-Host` | ||
|
||
> The host header is only read if access is restricted by the `X-FoxIDs-Secret` HTTP header. | ||
## Tested reverse proxies | ||
FoxIDs is tested with the following reverse proxies. | ||
|
||
### Azure Front Door | ||
Azure Front Door can be configured as a reverse proxy with close to the default setup. Azure Front Door rewrite domains by default. | ||
The `X-FoxIDs-Secret` HTTP header can optionally be added but is required to support [custom domain](custom-domain.md). | ||
|
||
### Cloudflare | ||
Cloudflare can be configured as a reverse proxy. But Cloudflare require a Enterprise plan to rewrite domains (host headers). The `X-FoxIDs-Secret` HTTP header should can be added. | ||
|
||
### IIS ARR Proxy | ||
Internet Information Services (IIS) Application Request Routing (ARR) Proxy require a Windows server. ARR Proxy rewrite domains with a rewrite rule. | ||
The `X-FoxIDs-Secret` HTTP header can optionally be added (recommended depended on the infrastructure) but is required to support [custom domain](custom-domain.md). | ||
|
||
An accept all external exposed domains rule can be configured. This example is a global rule, rules can also be added to websites. | ||
Optionally both requiring (`secret1`) and sending (`secret2`) in a `X-FoxIDs-Secret` HTTP header. You could require a `X-FoxIDs-Secret` HTTP header if you have a reverse proxy in front of the ARR Proxy. | ||
|
||
<globalRules> | ||
<rule name="my-rule-name" patternSyntax="Wildcard" stopProcessing="true"> | ||
<match url="*" /> | ||
<conditions> | ||
<add input="{HTTP_X-FoxIDs-Secret}" pattern="... secret1 ..." ignoreCase="false" /> | ||
</conditions> | ||
<action type="Rewrite" url="https://my-foxids-installation.com/{R:1}" /> | ||
<serverVariables> | ||
<set name="HTTP_X-ORIGINAL-HOST" value="{HTTP_HOST}" /> | ||
<set name="HTTP_X-FoxIDs-Secret" value="... secret2 ..." /> | ||
</serverVariables> | ||
</rule> | ||
</globalRules> |
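Review bot: the page reads `X-Forwarded-For`, `CF-Connecting-IP`, `X-Azure-ClientIP`, `X-ORIGINAL-HOST` and `X-Forwarded-Host` from the incoming request, yet it presents the `X-FoxIDs-Secret` restriction as optional for Azure Front Door and Cloudflare ("can optionally be added", "should can be added"). Without the secret, anything that can reach the FoxIDs or FoxIDs Control app services directly, bypassing the proxy, chooses those header values itself, so the client IP that FoxIDs records is not trustworthy; the "Restrict access" section should say this plainly and recommend the secret whenever the app services are reachable from the internet, not only for custom domains (the host header guard already exists per the note "The host header is only read if access is restricted"). In the IIS ARR example, the rule reads `{HTTP_X-FoxIDs-Secret}` and sets `HTTP_X-ORIGINAL-HOST`; IIS exposes request headers as server variables with underscores (for example `HTTP_X_FORWARDED_FOR`), so either confirm the hyphenated form resolves on the tested version or switch to `HTTP_X_FOXIDS_SECRET` / `HTTP_X_ORIGINAL_HOST`, and mention that URL Rewrite only allows setting a server variable that has been added to its allowed server variables list. Wording fixes: "backed calls" should be "backend calls", "revers proxy" should be "reverse proxy", "require a Enterprise plan" should be "requires an Enterprise plan", "The `X-FoxIDs-Secret` HTTP header should can be added" needs one verb, "recommended depended on the infrastructure" should be "recommended depending on the infrastructure", and "An accept all external exposed domains rule" should be "A rule that accepts all externally exposed domains".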
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,20 @@ | ||
# Standard support | ||
|
||
- All tokens are [JSON Web Token (JWT) (RFC 7519)](https://tools.ietf.org/html/rfc7519) | ||
- All tokens are JSON Web Token (JWT) | ||
- [RFC 7519](https://tools.ietf.org/html/rfc7519) | ||
- OpenID Connect 1.0 supported in both down-parties and up-parties | ||
- [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) | ||
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) | ||
- [OpenID Connect Session Management 1.0 ](http://openid.net/specs/openid-connect-session-1_0.html) | ||
- [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html) | ||
- [OpenID Connect RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) | ||
- [Proof Key for Code Exchange (PKCE) (RFC 7636)](https://tools.ietf.org/html/rfc7636) supported in OpenID Connect down-parties and up-parties | ||
- Proof Key for Code Exchange (PKCE) supported in OpenID Connect down-parties and up-parties | ||
- [RFC 7636](https://tools.ietf.org/html/rfc7636) | ||
- SAML 2.0 supported in both down-parties and up-parties | ||
- [SAML 2.0 Core](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) | ||
- [SAML 2.0 bindings](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) limited to POST and redirect binding | ||
- [SAML 2.0 metadata](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) | ||
- OAuth 2.0 ([RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)) limited to down-party [Client Credential Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) | ||
- OAuth 2.0 limited to down-party [Client Credential Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) | ||
- [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749) | ||
- One-Time Password (OPT) supported by MFA | ||
- [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238) |
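Review bot: the new MFA bullet reads "One-Time Password (OPT)"; the acronym is OTP, and since the cited RFC 6238 defines the time-based variant the bullet should say "Time-based One-Time Password (TOTP)" so readers do not expect HOTP (RFC 4226) support. Also, the link text in "[OpenID Connect Session Management 1.0 ]" carries a trailing space inside the brackets that renders in the link.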
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,10 @@ | ||
using System; | ||
using System.Collections.Generic; | ||
using System.Linq; | ||
using System.Text; | ||
using System.Threading.Tasks; | ||
|
||
namespace FoxIDs.Models.Config | ||
namespace FoxIDs.Models.Config | ||
{ | ||
public class CacheSettings | ||
{ | ||
/// <summary> | ||
/// Time to cache custom domains in seconds (default 12 hours). | ||
/// Time to cache custom domains in seconds (default 24 hours). | ||
/// </summary> | ||
public int CustomDomainCacheLifetime { get; set; } = 43200; | ||
public int CustomDomainCacheLifetime { get; set; } = 86400; | ||
} | ||
} |
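Review bot: doubling `CustomDomainCacheLifetime` to 86400 seconds lengthens the window in which a custom domain that was removed or un-verified in the master track is still accepted, up to a day unless the cache entry is invalidated when the domain record changes; either state in the doc that changes take effect after the cache lifetime, or note where the cache is evicted on write. Minor: the summary could give both units, "default 24 hours (86400 seconds)", so the value and the comment are obviously in agreement.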