Well, how do I need to prepare Specify itself (how to test it)? How is the link between Specify and an IdP like Entra? Do I need to create the same user by hand? Will it be populated? Group restrictions, etc. But for starting, a bird's-eye view of the implementation and a "quickstart" would be cool. Everybody knows how OIDC etc. works more or less, but implementation/integration in a system varies a lot.
1 Like
Hello all, thanks to @vinayakjha we now have a working login with Entra ID. The problem was basically a missing setting. The counterpart of

```python
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
```

was missing in the nginx config:

```nginx
proxy_set_header X-Forwarded-Proto $scheme;
```

And it worked like a charm!
Edit: Just let me know if you struggle with the Entra-App Part
1 Like
Hello @dfernandez,
Not sure where this line should go in the nginx.conf file:
Could you share a copy of your file?
Thanks
Hi @Heryk,
Sure, my config file looks like this atm:
```nginx
server {
    listen 443 ssl;
    listen 80;
    http2 on;
    server_name specify.yourdomain.com;

    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/nginx/certs/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx;

    # serve static files directly
    location /static/ {
        root /volumes;
        rewrite ^/static/config/(.*)$ /specify6/config/$1 break;
        rewrite ^/static/depository/(.*)$ /static-files/depository/$1 break;
        rewrite ^/static/(.*)$ /static-files/frontend-static/$1 break;
    }

    # proxy these urls to the asset server
    location ~ ^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml) {
        resolver 127.0.0.11 valid=30s;
        client_max_body_size 5000M;
        set $backend "http://asset-server:8080";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy everything else to specify 7
    location / {
        resolver 127.0.0.11 valid=30s;
        client_max_body_size 5000M;
        set $backend "http://specify7:8000";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tells Django (SECURE_PROXY_SSL_HEADER) which scheme the client really used;
        # nginx overwrites any X-Forwarded-Proto the client sent itself
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    #access_log /etc/nginx/certs/logs/access.log;
    #error_log /etc/nginx/certs/logs/error.log;
}
```
Hope that helps
1 Like
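As an added example (not code from this thread, from the Specify project or from Django), the Python below models the two halves of the fix described in @dfernandez's posts: the `SECURE_PROXY_SSL_HEADER` setting on the Django side and the `proxy_set_header X-Forwarded-Proto $scheme;` line on the nginx side. The scheme logic is a re-implementation of what Django's request object does with that setting; the host name is taken from the posted config, while the callback path, the header sets and the WSGI environs are constructed placeholders. It shows why any absolute URL Django builds from the request (an OIDC redirect_uri, for instance) comes out as `http://` until nginx sets the header, and why the proxy must overwrite the header rather than pass a client-supplied one through.

```python
"""Model of SECURE_PROXY_SSL_HEADER behind nginx (added example, not Specify or Django code)."""

# The Django setting quoted in the thread.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def django_scheme(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Return the scheme Django reports for a request (re-implemented, not imported).

    With the setting configured, Django trusts the named header and ignores the
    fact that the socket it was reached on (port 8000 behind nginx) is plain HTTP.
    """
    if proxy_header:
        name, secure_value = proxy_header
        value = environ.get(name)
        if value is not None:
            first, *_ = value.split(",")  # only the first hop's value counts
            return "https" if first.strip() == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")


def nginx_forward(client_headers, listen_scheme, set_forwarded_proto):
    """Model the request headers nginx hands to the upstream app.

    nginx passes client request headers through by default. With
    `proxy_set_header X-Forwarded-Proto $scheme;` it overwrites that header with
    the scheme the client actually used to reach nginx ($scheme).
    """
    forwarded = dict(client_headers)
    if set_forwarded_proto:
        forwarded["X-Forwarded-Proto"] = listen_scheme
    return forwarded


def wsgi_environ(headers, host="specify.yourdomain.com"):
    """Build the CGI-style environ keys Django reads, as a WSGI server would."""
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": host}
    for key, value in headers.items():
        environ["HTTP_" + key.upper().replace("-", "_")] = value
    return environ


def oidc_redirect_uri(environ, callback_path="/oidc/callback/"):
    """Absolute callback URL the app would build for this request.

    callback_path is a placeholder; Specify's real path is not shown in the thread.
    """
    return f"{django_scheme(environ)}://{environ['HTTP_HOST']}{callback_path}"


def scenario(client_headers, listen_scheme, set_forwarded_proto):
    """Client -> nginx -> Django, returning the redirect_uri the app would use."""
    headers = nginx_forward(client_headers, listen_scheme, set_forwarded_proto)
    return oidc_redirect_uri(wsgi_environ(headers))


if __name__ == "__main__":
    # 1. The original problem: HTTPS client, nginx line missing -> app builds an
    #    http:// URI, which cannot match an https:// redirect URI registered at the IdP.
    print(scenario({}, "https", set_forwarded_proto=False))
    # 2. With the line added: the app sees https and the URI matches.
    print(scenario({}, "https", set_forwarded_proto=True))
    # 3. Why overwriting matters: a client on port 80 supplying its own header is
    #    believed by Django if nginx merely passes headers through ...
    print(scenario({"X-Forwarded-Proto": "https"}, "http", set_forwarded_proto=False))
    # 4. ... but not once nginx sets the header from $scheme.
    print(scenario({"X-Forwarded-Proto": "https"}, "http", set_forwarded_proto=True))
```

Scenario 3 is the reason the setting and the nginx line belong together: `SECURE_PROXY_SSL_HEADER` makes Django trust whatever arrives in that header, so it is only safe when the proxy in front of it always sets the header itself, as the posted config does for the `/` location. Note that the config also listens on port 80, where `$scheme` is `http`; requests arriving there will correctly be treated as insecure.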