From c607f4efe5ce4ec531fef43b298c60d4f861ed33 Mon Sep 17 00:00:00 2001
From: Erin Fahy <efahy@stanford.edu>
Date: Fri, 20 Oct 2017 17:38:28 -0700
Subject: [PATCH] Initial commit

---
 .ebextensions/00_recompile_nginx.config    |  59 +++++
 .ebextensions/01_yum_repos.config          |  29 +++
 .ebextensions/02_install_shib.config       |   3 +
 .ebextensions/03_supervisor.config         |  33 +++
 .ebextensions/04_shib_xml.config           | 251 +++++++++++++++++++++
 .ebextensions/05_load_certs.config         |  11 +
 .ebextensions/06_nginx_conf.config         | 154 +++++++++++++
 .ebextensions/07_start_shib_service.config |  11 +
 8 files changed, 551 insertions(+)
 create mode 100644 .ebextensions/00_recompile_nginx.config
 create mode 100644 .ebextensions/01_yum_repos.config
 create mode 100644 .ebextensions/02_install_shib.config
 create mode 100644 .ebextensions/03_supervisor.config
 create mode 100644 .ebextensions/04_shib_xml.config
 create mode 100644 .ebextensions/05_load_certs.config
 create mode 100644 .ebextensions/06_nginx_conf.config
 create mode 100644 .ebextensions/07_start_shib_service.config

diff --git a/.ebextensions/00_recompile_nginx.config b/.ebextensions/00_recompile_nginx.config
new file mode 100644
index 0000000..0fa3bb3
--- /dev/null
+++ b/.ebextensions/00_recompile_nginx.config
@@ -0,0 +1,59 @@
+packages:
+  yum:
+    git: []
+    gd-devel: []
+    perl-ExtUtils-Embed: []
+    GeoIP-devel: []
+    gperftools-devel: []
+
+files:
+  /root/build-nginx.sh:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      rm -rf build
+      mkdir ./build ; cd ./build
+
+      # the headers-more-nginx-module requires nginx 1.11.2
+      wget -O - http://nginx.org/download/nginx-1.11.2.tar.gz | tar xfvz -
+      git clone https://github.com/nginx-shib/nginx-http-shibboleth.git
+      git clone https://github.com/openresty/headers-more-nginx-module.git
+
+      cd nginx-1.11.2/
+
+      ./configure --add-module=../nginx-http-shibboleth \
+      --add-module=../headers-more-nginx-module \
+      --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
+      --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
+      --error-log-path=/var/log/nginx/error.log \
+      --http-log-path=/var/log/nginx/access.log \
+      --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
+      --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
+      --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
+      --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
+      --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
+      --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx \
+      --user=nginx --group=nginx --with-file-aio --with-ipv6 \
+      --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
+      --with-http_addition_module --with-http_xslt_module=dynamic \
+      --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
+      --with-http_sub_module --with-http_dav_module --with-http_flv_module \
+      --with-http_mp4_module --with-http_gunzip_module \
+      --with-http_gzip_static_module --with-http_random_index_module \
+      --with-http_secure_link_module --with-http_degradation_module \
+      --with-http_slice_module --with-http_stub_status_module \
+      --with-http_perl_module=dynamic --with-http_auth_request_module \
+      --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit \
+      --with-stream=dynamic --with-stream_ssl_module \
+      --with-google_perftools_module --with-debug \
+      --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
+      --with-ld-opt=' -Wl,-E'
+
+      make
+      make install
+
+commands:
+  01_build_nginx:
+    test: test -e $(2>&1 nginx -V | tr -- - '\n' | grep _module | grep shib)
+    command: chmod +x ~/build-nginx.sh && ~/build-nginx.sh
diff --git a/.ebextensions/01_yum_repos.config b/.ebextensions/01_yum_repos.config
new file mode 100644
index 0000000..609142a
--- /dev/null
+++ b/.ebextensions/01_yum_repos.config
@@ -0,0 +1,29 @@
+files:
+  /etc/yum.repos.d/jcu.repo:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      [jcu-eresearch]
+      name=JCU eResearch EL6 Custom Repo
+      baseurl=https://www.hpc.jcu.edu.au/repos/jcu_eresearch/centos-6/
+      gpgcheck=0
+      enabled=1
+      priority=1
+  /etc/yum.repos.d/shib.repo:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      [security_shibboleth]
+      name=Shibboleth (RHEL_6)
+      baseurl=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/
+      gpgcheck=1
+      gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/repodata/repomd.xml.key
+      enabled=1
+
+commands:
+  01_clean_yum:
+    command: yum clean all
+  02_update_yum:
+    command: yum update
diff --git a/.ebextensions/02_install_shib.config b/.ebextensions/02_install_shib.config
new file mode 100644
index 0000000..6e3a8b2
--- /dev/null
+++ b/.ebextensions/02_install_shib.config
@@ -0,0 +1,3 @@
+packages:
+  yum:
+    shibboleth: []
diff --git a/.ebextensions/03_supervisor.config b/.ebextensions/03_supervisor.config
new file mode 100644
index 0000000..a9206d1
--- /dev/null
+++ b/.ebextensions/03_supervisor.config
@@ -0,0 +1,33 @@
+files:
+  /etc/supervisord.conf:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      [fcgi-program:shibauthorizer]
+      command=/usr/lib64/shibboleth/shibauthorizer
+      socket=unix:///opt/shibboleth/shibauthorizer.sock
+      socket_owner=shibd:shibd
+      socket_mode=0660
+      user=shibd
+      stdout_logfile=/var/log/shibboleth/shibauthorizer.log
+      stderr_logfile=/var/log/shibboleth/shibauthorizer.error.log
+
+      [fcgi-program:shibresponder]
+      command=/usr/lib64/shibboleth/shibresponder
+      socket=unix:///opt/shibboleth/shibresponder.sock
+      socket_owner=shibd:shibd
+      socket_mode=0660
+      user=shibd
+      stdout_logfile=/var/log/shibboleth/shibresponder.log
+      stderr_logfile=/var/log/shibboleth/shibresponder.error.log
+
+      [supervisord]
+
+      [supervisorctl]
+
+commands:
+  01_install_supervisor:
+    command: easy_install supervisor
+  02_supervise_auth_and_respond:
+    command: supervisord -c /etc/supervisord.conf
diff --git a/.ebextensions/04_shib_xml.config b/.ebextensions/04_shib_xml.config
new file mode 100644
index 0000000..87a53c6
--- /dev/null
+++ b/.ebextensions/04_shib_xml.config
@@ -0,0 +1,251 @@
+files:
+  /etc/shibboleth/shibboleth2.xml:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
+      <!--
+       READ ME!
+
+            This configuration file is based on Shibboleth SP v2.4.4. Stanford
+            runs both a production and development IdP (identity provider)
+            system, each with a pair of load balanced servers. This file is
+            pre-configured against the production IdP. If you ever want to
+            authenticate against dev instead, replace 'idp.stanford.edu' with
+            'idp-dev.stanford.edu' in the two locations below (SSO link and
+            metadata download).
+
+            More information:
+
+            * https://itservices.stanford.edu/service/shibboleth/sp
+            * http://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
+
+      -->
+      <!--
+
+          By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+          are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+
+      -->
+      <!--
+
+          To customize behavior for specific resources on Apache, and to link vhosts or
+          resources to ApplicationOverride settings below, use web server options/commands.
+          See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+
+          For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+          file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
+
+      -->
+
+      <RequestMapper type="XML">
+          <RequestMap>
+              <Host name="SERVICENAME"
+                      authType="shibboleth"
+                      requireSession="true"
+                      redirectToSSL="443">
+                  <Path name="/secure" />
+              </Host>
+          </RequestMap>
+      </RequestMapper>
+
+      <!--
+       The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+      -->
+      <ApplicationDefaults entityID="PROVIDERID" REMOTE_USER="eppn persistent-id targeted-id">
+      <!--
+
+              Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+              You MUST supply an effectively unique handlerURL value for each of your applications.
+              The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+              a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+              the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+              in that case. Note that while we default checkAddress to "false", this has a negative
+              impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+
+      -->
+      <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+      <!--
+
+                  Configures SSO for a default IdP. To allow for >1 IdP, remove
+                  entityID property and adjust discoveryURL to point to discovery service.
+                  (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+                  You can also override entityID on /Login query string, or in RequestMap/htaccess.
+
+      -->
+      <SSO entityID="https://idp.stanford.edu/">SAML2 SAML1</SSO>
+      <!--  SAML and local-only logout.  -->
+      <Logout>SAML2 Local</Logout>
+      <!--
+       Extension service that generates "approximate" metadata based on SP configuration.
+      -->
+      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+      <!--  Status reporting service.  -->
+      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+      <!--  Session diagnostic service.  -->
+      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+      <!--  JSON feed of discovery information.  -->
+      <Handler type="DiscoveryFeed" Location="/DiscoFeed" cacheToDisk="false"/>
+      </Sessions>
+      <!--
+
+              Allows overriding of error template information/filenames. You can
+              also add attributes with values that can be plugged into the templates.
+
+      -->
+      <Errors supportContact="EMAIL" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
+      <!--
+       Example of remotely supplied batch of signed metadata.
+      -->
+      <!--
+
+              <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+                    backingFilePath="federation-metadata.xml" reloadInterval="7200">
+                  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+                  <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+              </MetadataProvider>
+
+      -->
+      <!--
+       Automatically download and refresh the IDP's metadata.
+      -->
+      <MetadataProvider type="XML" uri="https://idp.stanford.edu/metadata.xml" backingFilePath="/etc/shibboleth/metadata/metadata.xml" reloadInterval="7200"></MetadataProvider>
+      <!--  Example of locally maintained metadata.  -->
+      <!--
+
+              <MetadataProvider type="XML" file="partner-metadata.xml"/>
+
+      -->
+      <!--  Map to extract attributes from SAML assertions.  -->
+      <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+      <!--
+       Use a SAML query if no attributes are supplied during SSO.
+      -->
+      <AttributeResolver type="Query" subjectMatch="true"/>
+      <!--
+       Default filtering policy for recognized attributes, lets other data pass.
+      -->
+      <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+      <!--
+       Simple file-based resolver for using a single keypair.
+      -->
+      <CredentialResolver type="File" key="SSLKEY" certificate="SSLCERT"/>
+      <!--
+
+              The default settings can be overridden by creating ApplicationOverride elements (see
+              the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+              Resource requests are mapped by web server commands, or the RequestMapper, to an
+              applicationId setting.
+
+              Example of a second application (for a second vhost) that has a different entityID.
+              Resources on the vhost would map to an applicationId of "admin":
+
+      -->
+      <!--
+
+              <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+
+      -->
+      </ApplicationDefaults>
+      <!--
+       Policies that determine how to process and authenticate runtime messages.
+      -->
+      <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+      <!--
+       Low-level configuration about protocols and bindings available for use.
+      -->
+      <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+      </SPConfig>
+
+  /etc/shibboleth/attribute-map.xml:
+    mode: "000755"
+    owner: root
+    group: root
+    content: |
+      <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+      <!--
+       First some useful eduPerson attributes that many sites might use.
+      -->
+      <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+      <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+      </Attribute>
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+      <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+      </Attribute>
+      <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+      <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+      </Attribute>
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+      <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+      </Attribute>
+      <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+      <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+      </Attribute>
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+      <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+      </Attribute>
+      <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
+      <!--
+       A persistent id attribute that supports personalized anonymous access.
+      -->
+      <!--  First, the deprecated version:  -->
+      <!--
+       Using SAML2 so comment out SAML1 definition.
+          <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+              <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+          </Attribute>
+      -->
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
+      <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+      </Attribute>
+      <!--  Second, the new version (note the OID-style name):  -->
+      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+      <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+      </Attribute>
+      <!--  Third, the SAML 2.0 NameID Format:  -->
+      <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+      <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+      </Attribute>
+      <!--
+      Examples of common attributes, uncomment to use these.
+          <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+          <Attribute name="urn:mace:dir:attribute-def:uid" id="uid-alt"/>
+          <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+          <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+          <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+          <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+          <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+          <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+          <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+          <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+          <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+          <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+          <Attribute name="urn:oid:2.5.4.12" id="title"/>
+          <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+          <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+          <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+          <Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF"/>
+          <Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
+          <Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
+          <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+          <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+          <Attribute name="urn:mace:dir:attribute-def:suUnivID" id="suUnivID"/>
+          <Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationID" id="suPrimaryOrganizationID" />
+          <Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.1.1" id="suRegID" />
+          <Attribute name="suAffiliation" id="suAffiliation"/>
+          <Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationName" id="suPrimaryOrganizationName"/>
+          <Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.204" id="suPrimaryOrganizationName" />
+          <Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF" />
+          <Attribute name="urn:mace:dir:attribute-def:suDisplayNameLast" id="suDisplayNameLast" />
+          <Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.25" id="suDisplayNameLast" />
+          <Attribute name="urn:mace:dir:attribute-def:suDisplayNameFirst" id="suDisplayNameFirst"/>
+          <Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.23" id="suDisplayNameFirst" />
+          <Attribute name="urn:mace:dir:attribute-def:o" id="o" />
+          <Attribute name="urn:oid:2.5.4.10" id="o" />
+          <Attribute name="urn:mace:dir:attribute-def:description" id="description" />
+          <Attribute name="urn:oid:2.5.4.13" id="description" />
+
+      -->
+      </Attributes>
diff --git a/.ebextensions/05_load_certs.config b/.ebextensions/05_load_certs.config
new file mode 100644
index 0000000..5dddba4
--- /dev/null
+++ b/.ebextensions/05_load_certs.config
@@ -0,0 +1,11 @@
+commands:
+  01_copy_shib_key:
+    command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/shib/shibd.key /etc/shibboleth/
+  02_copy_shib_csr:
+    command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/shib/shibd.crt /etc/shibboleth/
+
+  # this should be a combo with the cert and any intermediates
+  03_copy_ssl_crt:
+    command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/certs/server.crt /etc/pki/tls/certs/
+  04_copy_ssl_key:
+    command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/certs/server.key /etc/pki/tls/private/
diff --git a/.ebextensions/06_nginx_conf.config b/.ebextensions/06_nginx_conf.config
new file mode 100644
index 0000000..5ea3bc3
--- /dev/null
+++ b/.ebextensions/06_nginx_conf.config
@@ -0,0 +1,154 @@
+files:
+  /etc/nginx/conf.d/https.conf:
+    content: |
+      # HTTPS server
+
+      server {
+          listen       443;
+          server_name  SERVICENAME;
+
+          ssl                  on;
+          ssl_certificate      /etc/pki/tls/certs/server.crt;
+          ssl_certificate_key  /etc/pki/tls/private/server.key;
+
+          ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+          ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
+          ssl_prefer_server_ciphers   on;
+
+          ssl_session_cache shared:SSL:20m;
+          ssl_session_timeout 120m;
+
+          add_header Strict-Transport-Security "max-age=31536000" always;
+
+          location / {
+              proxy_pass  http://my_app;
+              proxy_set_header        Host            $host;
+              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          }
+
+          location /assets {
+            alias /var/app/current/public/assets;
+            gzip_static on;
+            gzip on;
+            expires max;
+            add_header Cache-Control public;
+          }
+
+          location /public {
+            alias /var/app/current/public;
+            gzip_static on;
+            gzip on;
+            expires max;
+            add_header Cache-Control public;
+          }
+
+          #FastCGI authorizer for Auth Request module
+          location = /shibauthorizer {
+              internal;
+              include fastcgi_params;
+              fastcgi_pass unix:/opt/shibboleth/shibauthorizer.sock;
+          }
+
+          #FastCGI responder
+          location /Shibboleth.sso {
+              include fastcgi_params;
+              fastcgi_pass unix:/opt/shibboleth/shibresponder.sock;
+          }
+
+          #Resources for the Shibboleth error pages. This can be customised.
+          location /shibboleth-sp {
+              alias /usr/share/shibboleth/;
+          }
+
+          #A secured location.  Here all incoming requests query the
+          #FastCGI authorizer.  Watch out for performance issues and spoofing.
+          location /secure {
+               include shib_clear_headers;
+               #Add your attributes here. They get introduced as headers
+               #by the FastCGI authorizer so we must prevent spoofing.
+               more_clear_input_headers 'displayName' 'mail' 'persistent-id';
+               shib_request /shibauthorizer;
+               shib_request_use_headers on;
+               proxy_pass http://my_app;
+           }
+
+      }
+
+  /etc/nginx/shib_clear_headers:
+      content: |
+        # Ensure that you add directives to clear input headers for *all* attributes
+        # that your backend application uses. This may also include variations on these
+        # headers, such as differing capitalisations and replacing hyphens with
+        # underscores etc -- it all depends on what your application is reading.
+        #
+        # Note that Nginx silently drops headers with underscores
+        # unless the non-default `underscores_in_headers` is enabled.
+
+        # Shib-* doesn't currently work because * isn't (yet) supported
+        more_clear_input_headers
+          Auth-Type
+          Remote-User;
+
+  /etc/nginx/shib_fastcgi_params:
+    content: |
+      # vim: set filetype=conf :
+
+      # Replace `fastcgi_param` with `sgci_param`, `uwsgi_param` or similar
+      # directive for use with different upstreams. Consult the relevant upstream
+      # documentation for more information on environment parameters.
+      #
+      # Auth-Type is configured as authType in
+      # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings.
+      # Other default SP variables are as per
+      # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-CustomSPVariables
+
+      shib_request_set $shib_auth_type $upstream_http_variable_auth_type;
+      fastcgi_param Auth-Type $shib_auth_type;
+
+      shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
+      fastcgi_param Remote-User $shib_remote_user;
+
+
+      # Uncomment any of the following core attributes. Consult your Shibboleth
+      # Service Provider (SP) attribute-map.xml file for details about attribute
+      # IDs.  Add additional directives for any Shibboleth attributes released to
+      # your SP.
+
+      # shib_request_set $shib_eppn $upstream_http_variable_eppn;
+      # fastcgi_param EPPN $shib_eppn;
+      #
+      # shib_request_set $shib_affliation $upstream_http_variable_affiliation;
+      # fastcgi_param Affiliation $shib_affiliation;
+      #
+      # shib_request_set $shib_unscoped_affliation $upstream_http_variable_unscoped_affiliation;
+      # fastcgi_param Unscoped-Affiliation $shib_unscoped_affiliation;
+      #
+      # shib_request_set $shib_entitlement $upstream_http_variable_entitlement;
+      # fastcgi_param Entitlement $shib_entitlement;
+
+
+      # shib_request_set $shib_targeted_id $upstream_http_variable_targeted_id;
+      # fastcgi_param Targeted-Id $shib_targeted_id;
+      #
+      # shib_request_set $shib_persistent_id $upstream_http_variable_persistent_id;
+      # fastcgi_param Persistent-Id $shib_persistent_id;
+      #
+      # shib_request_set $shib_transient_name $upstream_http_variable_transient_name;
+      # fastcgi_param Transient-Name $shib_transient_name;
+
+
+      # shib_request_set $shib_commonname $upstream_http_variable_commonname;
+      # fastcgi_param Commonname $shib_commonname;
+      #
+      # shib_request_set $shib_displayname $upstream_http_variable_displayname;
+      # fastcgi_param DisplayName $shib_displayname;
+      #
+      # shib_request_set $shib_email $upstream_http_variable_email;
+      # fastcgi_param Email $shib_email;
+      #
+      # shib_request_set $shib_organizationname $upstream_http_variable_organizationname;
+      # fastcgi_param OrganizationName $shib_organizationname;
+
+container_commands:
+  01_restart_nginx:
+    command: service nginx restart
diff --git a/.ebextensions/07_start_shib_service.config b/.ebextensions/07_start_shib_service.config
new file mode 100644
index 0000000..e89cc9b
--- /dev/null
+++ b/.ebextensions/07_start_shib_service.config
@@ -0,0 +1,11 @@
+container_commands:
+  01_add_nginx_to_shibd:
+    command: usermod -G shibd -a nginx
+  02_mkdir_for_metadata:
+    command: mkdir /etc/shibboleth/metadata && chown shibd /etc/shibboleth/metadata
+
+services:
+  sysvinit:
+    shibd:
+      enabled: true
+      ensureRunning: true