Server
The server config option configures the (HTTP) server.
ip_listen
string optional
The ip_listen config option sets the network address to bind to.
If omitted, 0.0.0.0 is used, so OFFA listens on all IPv4 interfaces.
config.yaml
server:
  ip_listen: 127.0.0.1
port
integer 15661 optional
The port config option sets the port on which OFFA starts
the webserver and listens for incoming requests.
It is only used if tls is not enabled.
If tls is enabled, port 443 is used (and optionally port 80).
config.yaml
server:
  port: 4242
tls
Settings related to TLS are configured under the tls config option.
Enabling tls is rarely necessary, since in most cases a reverse proxy
is used.
If tls is enabled, port 443 is used.
config.yaml
server:
  tls:
    enabled: true
    redirect_http: true
    cert: /path/to/cert
    key: /path/to/key
enabled
boolean true optional
If set to false, tls is disabled. Otherwise, it is automatically
enabled if cert and key are set.
redirect_http
boolean true optional
The redirect_http option determines if port 80 should be redirected to
port 443 or not.
cert
file path required for TLS
The cert option sets the path to the TLS certificate file.
key
file path required for TLS
The key option sets the path to the TLS key file.
trusted_proxies
list of strings optional
The trusted_proxies option configures a list of trusted proxies
by IP address or network range (CIDR notation).
If set, only requests from those proxies / networks are accepted at the
forward auth endpoint; requests from any other address are not accepted.
If this option is not set, all requests are accepted.
config.yaml
server:
  trusted_proxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
    - "fc00::/7"
forwarded_ip_header
string X-Forwarded-For optional
The forwarded_ip_header option specifies which HTTP header to use for getting the client's real IP address when behind
a proxy.
config.yaml
server:
  forwarded_ip_header: X-Real-IP
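How trusted_proxies and forwarded_ip_header interact, as an added example that is not OFFA's own code: the forwarded header is only meaningful when the TCP peer is a trusted proxy, because any other client can set it freely. The function names are hypothetical, and reading a multi-hop X-Forwarded-For value from right to left is a common convention assumed here, not something this page specifies.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// isTrusted reports whether a matches a trusted_proxies entry (single IP or
// CIDR range). Entries are parsed per call for brevity; malformed ones never match.
func isTrusted(a netip.Addr, trusted []string) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	for _, e := range trusted {
		if ip, err := netip.ParseAddr(e); err == nil && ip.Unmap() == a {
			return true
		}
		if p, err := netip.ParsePrefix(e); err == nil && p.Contains(a) {
			return true
		}
	}
	return false
}

// ClientIP (hypothetical helper) takes the TCP peer ("ip:port"), the values of
// the configured forwarded_ip_header, and the trusted_proxies list.
func ClientIP(remoteAddr string, values, trusted []string) (string, error) {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil || !isTrusted(peer.Addr(), trusted) {
		return "", fmt.Errorf("peer %q is not a trusted proxy", remoteAddr)
	}
	hops := strings.Split(strings.Join(values, ","), ",")
	client := peer.Addr()
	// Step left through the header only while the current hop is a trusted proxy.
	for i := len(hops) - 1; i >= 0 && isTrusted(client, trusted); i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // empty or malformed hop: keep the last address we could vouch for
		}
		client = a
	}
	return client.Unmap().String(), nil
}

func main() {
	trusted := []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"}
	// Constructed sample: the left-most entry was supplied by the client itself.
	xff := []string{"203.0.113.9, 198.51.100.7, 10.0.0.5"}
	fmt.Println(ClientIP("10.0.0.2:41234", xff, trusted)) // 198.51.100.7 <nil>
}
```

In an HTTP handler the inputs would be `r.RemoteAddr` and `r.Header.Values(...)` for the configured header name.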
paths
mapping / object optional
The paths option is used to set (custom) uri paths for the different
endpoints.
config.yaml
server:
  paths:
    login: /login
    forward_auth: /auth
login
string /login optional
The login option can be used to set the uri path under which the login
endpoint is served.
The login endpoint serves a web interface where the user can select an OpenID Provider and log in. After a successful login, OFFA sets a session cookie and can redirect the user to the target page.
If OFFA is used with Apache and AuthMemCookie, only the login endpoint is needed.
forward_auth
string /auth optional
The forward_auth option can be used to set the uri path under which the
forward auth endpoint is served.
The forward auth endpoint receives auth requests from the reverse proxy. OFFA checks if the user is authenticated and authorised to access the requested uri and returns the response to the proxy. If the user is not authenticated, the request is redirected to the login endpoint.
web_overwrite_dir
directory path optional
The web_overwrite_dir config option sets a base directory path
that contains a directory structure with files that overwrite the embedded
web content.
This option allows overwriting html pages, css, and other web-related content. See https://github.com/go-oidfed/offa/tree/main/internal/server/web for the directory structure and content of the embedded files.
config.yaml
server:
  web_overwrite_dir: /web