apacheのmod-auth-openidcについて

BASIC認証かけるみたいに簡単にGoogle認証を追加できた

公式サイト
https://www.mod-auth-openidc.org/

インストール

apt install libapache2-mod-auth-openidc

設定 /etc/apache2/mods-enabled/auth_openidc.conf

OIDCRedirectURI https://hoge.example.jp/oidc/redirect_uri
OIDCCryptoPassphrase hogehoge-foobar
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCScope "openid email"
OIDCClientID xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

リバースプロキシ的に使う例
/adminかつ、プライベートIP以外の場合はGoogle認証で hogehoge@gmail.com のみ許可

<VirtualHost *:443>
    ServerName hoge.example.jp

    <Location />
        Require all granted
    </Location>

    <Location /oidc/>
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /admin>
        AuthType openid-connect
        Require claim email:hogehoge@gmail.com
        Require ip 192.168.0.0/24
    </Location>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/ keepalive=On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    RequestHeader unset X-Forwarded-Server
    RequestHeader unset X-Forwarded-Host
    # SSL設定等が続く
    ...
</VirtualHost>