This page documents an exploration of using Apache to serve MDQ queries. The challenge is the forward slash character in entityIDs. By default Apache will not serve URLs whose path includes a forward slash encoded as "%2F"; instead it returns a 404 for these URLs. The Apache directive AllowEncodedSlashes allows these URLs to pass through.
Started with a basic CentOS 7 host. First update the packages and install httpd:

    sudo yum update -y
    sudo yum install -y httpd
    reboot
Next add mdq.conf, an Apache configuration to serve MDQ files from a configured directory. This file must be placed in the directory /etc/httpd/conf.d. The contents of that file are:

    <VirtualHost *:80>
        DocumentRoot /var/www/html/mdq
        # Allow %2F in URLs, and pass them through as '%2F'
        AllowEncodedSlashes NoDecode
        # Use the correct content-type for the metadata
        ForceType application/samlmetadata+xml
    </VirtualHost>
Create the entities directory and restart httpd:

    sudo mkdir -p /var/www/html/mdq/entities
    sudo systemctl restart httpd
Grab a few select files from the MDQ beta server:

    cd /var/www/html/mdq/entities
    # Fetch the InCommon federation manager
    sudo wget -O https:%2F%2Ffm.incommon.org%2Fsp http://mdq-beta.incommon.org/global/entities/https%3A%2F%2Ffm.incommon.org%2Fsp
    # Fetch a mace entity ID
    sudo wget -O urn:mace:incommon:osu.edu http://mdq-beta.incommon.org/global/entities/urn%3Amace%3Aincommon%3Aosu.edu
    # Create a symbolic link for the SHA1 alias, this one for osu.edu
    sudo ln -s urn:mace:incommon:osu.edu {sha1}d4d1ca999a5a9352fa618075eac456eb67956c74
Now you should be able to access the metadata using the MDQ protocol:

    curl http://localhost/entities/https%3A%2F%2Ffm.incommon.org%2Fsp
    curl http://localhost/entities/urn%3Amace%3Aincommon%3Aosu.edu
    curl http://localhost/entities/%7Bsha1%7Dd4d1ca999a5a9352fa618075eac456eb67956c74
Notes
- My host did not have a firewall running. If yours does, you may have to open up port 80.
- I'm not sure we've got all the query types. Are there more besides http(s), urn:mace: and {sha1}?
- It would be better to make the sha1 entries symbolic links to their named entry, which may require an Apache directive to follow links. This works.
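The naming rules this setup relies on (a literal %2F kept on disk because of NoDecode, a fully percent-encoded request path, and a {sha1} alias symlinked to the named entry) as an added Python example; it is not code from the page, and the entities directory and entries it creates are constructed samples:

```python
"""Helpers for the on-disk layout used by the Apache MDQ setup above (added example)."""
import hashlib
import os
from urllib.parse import quote


def mdq_query_path(entity_id: str) -> str:
    """Request path a client sends: every reserved character is encoded,
    so ':' -> %3A, '/' -> %2F and '{' / '}' -> %7B / %7D."""
    return "/entities/" + quote(entity_id, safe="")


def disk_name(entity_id: str) -> str:
    """File name httpd looks up under DocumentRoot/entities.
    With 'AllowEncodedSlashes NoDecode' httpd keeps %2F in the path but still
    decodes every other escape, so the file keeps a literal '%2F' per '/'."""
    return entity_id.replace("/", "%2F")


def sha1_alias(entity_id: str) -> str:
    """MDQ {sha1} transformed identifier: hex SHA-1 of the UTF-8 entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def link_sha1_aliases(entities_dir: str) -> list:
    """Create a {sha1} symlink beside every named entry that lacks one and
    return the alias names created. Symlinks are skipped so existing aliases
    are never re-hashed, and a second run creates nothing."""
    created = []
    for name in sorted(os.listdir(entities_dir)):
        path = os.path.join(entities_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        entity_id = name.replace("%2F", "/")   # undo disk_name()
        alias = os.path.join(entities_dir, sha1_alias(entity_id))
        if not os.path.lexists(alias):
            os.symlink(name, alias)            # relative target, like ln -s
            created.append(os.path.basename(alias))
    return created


if __name__ == "__main__":
    import tempfile
    # Constructed sample: two named entries in a scratch directory (not real metadata).
    with tempfile.TemporaryDirectory() as d:
        for eid in ("https://fm.incommon.org/sp", "urn:mace:incommon:osu.edu"):
            with open(os.path.join(d, disk_name(eid)), "w") as f:
                f.write("<EntityDescriptor/>")
            print(mdq_query_path(eid), "->", disk_name(eid))
        print(link_sha1_aliases(d))
```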