Recent changes to mod_idcheck.so runtime configuration directives.

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Sat, 08 Nov 2014 00:05:47 -0000

--- v7
+++ v8
@@ -179,13 +179,6 @@
 Example:

     IdcheckCertificateVerify on
-
-    AP_INIT_TAKE1("IdcheckUserRequestHeader",
-                  set_dir_config_string_user_request_header,
-                  (void *)APR_OFFSETOF(_dir_config,user_request_header),
-                  OR_AUTHCFG,
-                  "Set a specific header that contains the username when authenticated."),
-

 ---

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:56:26 -0000

--- v6
+++ v7
@@ -1,6 +1,16 @@
+mod_idcheck apache run-time configuration directives.
+=====================================================
+
+These settings can be used in a client webserver that has mod_idcheck.so loaded in. To load in the module place the following somewhere sensible in your apache config files. Note that the file path will depend on which OS you are running.
+
+
+    LoadModule idcheck_module /usr/lib/apache2/modules/mod_idcheck.so
+
+There are two main types of configuration directive. Ones that you use in the main virtual host or server configuration sections and ones that you can use in limit blocks (e.g. <Directory> or <Location>) to limit access to certain groups of user.
+
+
 Main apache server config 
-=========================
-
+-------------------------

 (i.e. outside of limit blocks like <Directory>):

@@ -182,7 +192,7 @@

 Directives that can be used inside a limit block.
-=================================================
+-------------------------------------------------

 **Idcheck**

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:50:10 -0000

--- v5
+++ v6
@@ -116,7 +116,7 @@

 The local IP address that is used to connect to the idcheck server. This is only useful if your server has multiple ethernet interfaces or ip aliases.

-  IdcheckBindAddress 192.168.99.1
+    IdcheckBindAddress 192.168.99.1

 ---
@@ -155,7 +155,7 @@

 Example:

-IdcheckCertificateAuthority /etc/ssl/certs/MyOwnCA.pem
+    IdcheckCertificateAuthority /etc/ssl/certs/MyOwnCA.pem

 ---

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:49:10 -0000

--- v4
+++ v5
@@ -238,9 +238,11 @@

 **IdcheckAllowRegex**

-Arguments: Coming soon check source code if you are in a hurry.
+Arguments: Multiple regular expressions.

 Similar to IdcheckAllowData except that it uses a perl compatible regular expression.
+
+Note that these directives cannot be ORed on separate lines like IdcheckAllowData.

 Example:

@@ -307,15 +309,15 @@

 ---

-
-
-
-
-
-
-
-
-
-
-
-
+FIN.
+
+
+
+
+
+
+
+
+
+
+

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:46:41 -0000

--- v3
+++ v4
@@ -1,4 +1,3 @@
-
 Main apache server config 
 =========================

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:46:22 -0000

--- v2
+++ v3
@@ -1,7 +1,7 @@
-

 Main apache server config 
--------------------------
+=========================
+

 (i.e. outside of limit blocks like <Directory>):

@@ -19,7 +19,7 @@

     IdcheckLoginUrl https://idcheck.example.com/idcheck

-
+---

 **IdcheckCheckUrl**

@@ -45,6 +45,7 @@

     IdcheckAllowRequest /robots.txt$ /favicon.ico$

+---

 **IdcheckNoAccessBehaviour**

@@ -55,6 +56,8 @@
 Example:

     IdcheckNoAccessBehavior server
+
+---

 **IdcheckRedirectUrl**
@@ -67,6 +70,9 @@

        IdcheckRedirectURL http://somewhere.else.com/foo

+---
+
+
 **IdcheckSetEnv**

 Arguments: VAR REGEXP SUBSTITUTION
@@ -82,6 +88,8 @@
     IdcheckSetEnv NAME "ldap:cn=(.+)$" "$1"
     IdcheckSetEnv MAIL "ldap:attribute=mail: (.+)$" "$1"

+---
+

 **IdcheckGuestMode and IdcheckGuestModeUser**

@@ -100,6 +108,8 @@
     IdcheckGuestMode on
     IdcheckGuestModeUser guest

+---
+

 **IdcheckBindAddress**

@@ -110,6 +120,8 @@
   IdcheckBindAddress 192.168.99.1

+---
+
 **IdcheckDebug**

 Argument: Boolean on/off.
@@ -120,6 +132,8 @@

     IdcheckDebug on

+---
+

 **IdcheckSecure**

@@ -131,6 +145,8 @@

     IdcheckSecure on

+---
+

 **IdcheckCertificateAuthority**

@@ -141,6 +157,8 @@
 Example:

 IdcheckCertificateAuthority /etc/ssl/certs/MyOwnCA.pem
+
+---

 **IdcheckCertificateVerify**
@@ -160,10 +178,27 @@
                   "Set a specific header that contains the username when authenticated."),

+---
+

 Directives that can be used inside a limit block.
--------------------------------------------------
+=================================================
+
+**Idcheck**
+
+Argument: Boolean on/off
+
+Switch on idcheck for a limit block.
+
+Example:
+
+    <Directory>
+      Idcheck on
+      ...
+    <Directory>
+
+---

 **IdcheckAllowUser**

@@ -174,6 +209,8 @@
 Example:

     IdcheckAllowUser martin kieran tom terry
+
+---

 **IdcheckAllowData**
@@ -197,6 +234,9 @@
     IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"

+---
+
+
 **IdcheckAllowRegex**

 Arguments: Coming soon check source code if you are in a hurry.
@@ -208,6 +248,8 @@
     # allow physics or maths staff in.
     IdcheckAllowRegex "^ldap:unit=(Physics|Maths)$" "^ldap:container=ou=staff$"

+
+---

 **IdcheckClearAllowLists**

@@ -233,6 +275,8 @@
       ...
     </Directory>

+---
+

 **IdcheckUserRequestHeader**

@@ -242,12 +286,14 @@

 Example:

-     <Directory ...="">
+    <Directory ...="">
        Idcheck on
        IdcheckUserRequestHeader x-webobjects-remote-user
        ...
-     </Directory>
-
+    </Directory>
+
+
+---

 Deprecated options:
@@ -260,15 +306,17 @@
 Was used in a very old version of the idcheck protocol. The source IP address which will be allowed to check the cookies. This is probably the primary IP address of the origin webserver. Set this only if you want to use trusted request cookies - which you probably do not.

-
-
-
-
-
-
-
-
-
-
-
-
+---
+
+
+
+
+
+
+
+
+
+
+
+
+

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:38:26 -0000

--- v1
+++ v2
@@ -1,4 +1,3 @@
-

 Main apache server config 
@@ -7,6 +6,9 @@
 (i.e. outside of limit blocks like <Directory>):

 **IdcheckLoginUrl**
+
+Arguments: the URL of the idcheck server.
+
 This is normally the login page of the idcheck server. It is the page to which the user will be redirected if they are not presenting a valid idcheck cookie for the website they are trying to get into.

 Note that the scope of the registration request cookie (i.e. the cookie domain) is set to the domain of the login_url. So its not possible to run a server with idcheck.foo.bar.example.com. you must run it as idcheck.example.com.
@@ -21,6 +23,8 @@

 **IdcheckCheckUrl**

+Arguments: the URL of the idcheck server.
+
 mod_idcheck.so uses this URL to check cookie requests against the URL of the main server. 

 This can be non-https... but only if you trust your internal network and the value of the data that you are keeping on the mod_idcheck.so server is not essential. e.g. a large intranet that can be viewed by thousands of people. If security is important here then this needs to be a HTTPs URL.
@@ -32,6 +36,8 @@

 **IdcheckAllowRequest**

+Arguments: One or more URL paths.
+
 Allows requests that match this regexp. This can be used to prevent robots.txt, image and favicon.ico requests from generating request cookies.

@@ -42,6 +48,8 @@

 **IdcheckNoAccessBehaviour**

+Argument: Either "server" or a URL.
+
 Redirect to the server page (with argument "server") or to a specified URL (give URL as argument) if authorisation directives (IdcheckAllowData and IdcheckAllowUser) fails.

 Example:
@@ -50,6 +58,8 @@

 **IdcheckRedirectUrl**
+
+Argument: a URL.

 Forces the idcheck server to redirect elsewhere after authentication. It overrides the default behavior which redirects the user back to the page they were attempting to access.

@@ -57,110 +67,91 @@

        IdcheckRedirectURL http://somewhere.else.com/foo

-
-
-
-Directives that can be used inside a limit block.
--------------------------------------------------
-
-**IdcheckAllowUser**
-
-Permit specified users by their username. Multiple usernames can be specified on a single directive or in multiple directives.
-
-Example:
-
-    IdcheckAllowUser martin kieran tom terry
-
-
-**IdcheckAllowData**
-
-The idcheck server, when it has checked a cookie will return data about the user to
-the webserver that is requesting the check. This will include a set of strings that may specify things like the department the user is working for. These strings can be viewed
-on the idcheck-info url when logged in.
-
-This directive permits users with the specified data authorisation strings access to a resource.
-
-Multiple arguments are ANDed. Multiple directives are ORed. Arguments can be prefixed with a ! to NOT them.
-
-This authorisation list will be passed down to any paths below the one where it is defined. Sometimes this is not what is wanted. See IdcheckClearAllowLists.
-
-Example:
-
-    # Permit IT staff and physics students only.
-    IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
-    IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"
-
-
-**IdcheckAllowRegex**
-
-Similar to IdcheckAllowData except that it uses a perl compatible regular expression.
-
-Example:
-
-        Coming soon.
-
-**IdcheckClearAllowLists**
-
-Use this to clear any idcheck access control lists already present at this location. Use this if you need to tighten access controls.
-
-Example:
-
-    <Directory var="" www="" intranet="">
-      ...
-      # Permit IT staff and physics students only.
-      IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
-      IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"
-      ...
-    </Directory>
-
-    <Directory var="" www="" intranet="" staff-only="">
-      ...
-      # Permit IT staff only.
-      IdcheckClearAllowLists
-      IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
-      ...
-    </Directory>
-
-
-
-
-Deprecated options:
--------------------
-
-Do not use these options unless you know what you are doing.
-
-**IdcheckCheckIP**
-
-Was used in a very old version of the idcheck protocol. The source IP address which will be allowed to check the cookies. This is probably the primary IP address of the origin webserver. Set this only if you want to use trusted request cookies - which you probably do not.
-
-
-
-
-
-
-    AP_INIT_TAKE3("IdcheckSetEnv",
-                  set_dir_config_setenv,
-                  (void *)APR_OFFSETOF(_dir_config,setenv),
-                  OR_AUTHCFG,
-                  "Can be used to set additional environment variables based on idcheck authorisation data. Take3 arguments are the variable name, a regular expression and a substitution pattern."),
-
-    AP_INIT_FLAG("IdcheckGuestMode", set_dir_config_flag_guest_mode,
-                 (void *)APR_OFFSETOF(_dir_config,guest_mode),
-                 OR_AUTHCFG,
-                 "Use this to let idcheck assign a fake username (IdcheckGuestModeUser) and permit access to the page if authentication would otherwise fail."),
-
-    AP_INIT_TAKE1("IdcheckGuestModeUser",
-                  set_server_config_string_guest_mode_user,
-                  (void *)APR_OFFSETOF(_server_config,guest_mode_user),
-                  RSRC_CONF,
-                  "The username that will be set by idcheck if IdcheckGuestMode is on."
-                  ),
-
-    AP_INIT_TAKE1("IdcheckBindAddress",
-                  set_server_config_string_bindaddr,
-                  (void *)APR_OFFSETOF(_server_config,bindaddr),
-                  RSRC_CONF,
-                  "The local IP address that is used to connect to the idcheck server."),
+**IdcheckSetEnv**
+
+Arguments: VAR REGEXP SUBSTITUTION
+
+This is useful if you want to pass idcheck data to a PHP or CGI script to make use of it. By default. In addition to REMOTE_USER, idcheck also sets a number of IDCHECK_DATAXX variables that are available to the script. This option is a way of providing a nicer environment variable.
+
+Can be used to set additional environment variables based on idcheck authorisation data. Arguments are the variable name, a regular expression and a substitution pattern.
+
+These environment variables can be seen in the standard php info page if it is protected with mod_idcheck. 
+
+Example:
+
+    IdcheckSetEnv NAME "ldap:cn=(.+)$" "$1"
+    IdcheckSetEnv MAIL "ldap:attribute=mail: (.+)$" "$1"
+
+
+**IdcheckGuestMode and IdcheckGuestModeUser**
+
+Arguments: Boolean (IdcheckGuestMode) and username (IdcheckGuestModeUser).
+
+Setting this option allows anyone in, but tells the webserver that the logged in user is "guest" unless they have already negotiated a cookie and have some other username.
+
+IdcheckGuestModeUser lets you set the username that will be assumed. The username does not have to exist outside of mod_idcheck configuration (though you should probably check that it really doesnt).
+
+Use this to let idcheck assign a fake username (IdcheckGuestModeUser) and permit access to the page if authentication would otherwise fail."),
+
+Note that this directive can be used in combination with a limit block elsewhere on the server that is fully protected and whose contents simply redirect back to the public area. In this case, you can present a page and also supply a log in link that just links to the fully protected area. Users will be "guest" when they arrive and after using the link will have their proper username. Applications can be adapted to make use of this.
+
+Example:
+
+    IdcheckGuestMode on
+    IdcheckGuestModeUser guest
+
+
+**IdcheckBindAddress**
+
+Argument: IPv4 or IPv6 address.
+
+The local IP address that is used to connect to the idcheck server. This is only useful if your server has multiple ethernet interfaces or ip aliases.
+
+  IdcheckBindAddress 192.168.99.1
+
+
+**IdcheckDebug**
+
+Argument: Boolean on/off.
+
+Turns on debug mode (and fills your error log up).
+
+Example:
+
+    IdcheckDebug on
+
+
+**IdcheckSecure**
+
+Argument: Boolean on/off.
+
+Lies to the apache server. Set this to true if your website is operating over HTTPS but the SSL offloading is done by a load balancer elsewhere and the apache server itself is only running on HTTP. It adds the secure flag to the cookies if the servers are running over plain HTTP. If the apache server is running as HTTPS this option is not required as mod_idcheck auto detects that and sets the secure flags in that case.
+
+Example:
+
+    IdcheckSecure on
+
+
+**IdcheckCertificateAuthority**
+
+Arguments: file path.
+
+This is a file holding one or more certificates to verify the idcheck server with when mod_idcheck checks cookies over https (in IdcheckCheckUrl). By default mod_idcheck uses curl and so will use a libcurl cacert bundle (see the libcurl option CURLOPT_CAINFO). Setting this will set an alternative CA and the default libcurl bundle will not be used. It is only used if IdcheckCertificateVerify is set. PEM format works, others might too.
+
+Example:
+
+IdcheckCertificateAuthority /etc/ssl/certs/MyOwnCA.pem
+
+
+**IdcheckCertificateVerify**
+
+Arguments: Boolean on/off.
+
+Set to on if you want to verify the SSL certificates presented by the idcheck server when mod_idcheck checks its cookies. By default, certs will be checked against the default CA bundle provided with libcurl on your operating system. If you want to override this then see IdcheckCertificateAuthority directive.
+
+Example:
+
+    IdcheckCertificateVerify on

     AP_INIT_TAKE1("IdcheckUserRequestHeader",
                   set_dir_config_string_user_request_header,
@@ -168,27 +159,116 @@
                   OR_AUTHCFG,
                   "Set a specific header that contains the username when authenticated."),

-    AP_INIT_TAKE1("IdcheckCertificateAuthority",
-                  set_server_config_string_certificate_authority,
-                  (void *)APR_OFFSETOF(_server_config,certificate_authority),
-                  RSRC_CONF,
-                  "This is a file holding one or more certificates to verify the idcheck server with when mod_idcheck checks cookies over https (in IdcheckCheckUrl). By default mod_idcheck uses curl and so will use a libcurl cacert bundle (see the libcurl option CURLOPT_CAINFO). Setting this will set an alternative CA and the default libcurl bundle will not be used. It is only used if IdcheckCertificateVerify is set. PEM format works, others might too."),
-
-    AP_INIT_FLAG("IdcheckCertificateVerify",
-                  set_server_config_flag_certificate_verify,
-                 (void *)APR_OFFSETOF(_server_config,certificate_verify),
-                 RSRC_CONF,
-                 "Set to on if you want to verify the SSL certificates presented by the idcheck server when mod_idcheck checks its cookies. By default, certs will be checked against the default CA bundle provided with libcurl on your operating system. If you want to override this then see IdcheckCertificateAuthority directive."),
-
-    AP_INIT_FLAG("IdcheckSecure",
-                  set_server_config_flag_secure,
-                 (void *)APR_OFFSETOF(_server_config,secure),
-                 RSRC_CONF,
-                 "Set this to true if your website is operating over HTTPS but the SSL offloading is done by a load balancer elsewhere. It adds the secure flag to the cookies if the servers are running over plain HTTP."),
-
-    AP_INIT_FLAG("IdcheckDebug",
-                  set_server_config_flag_debug,
-                 (void *)APR_OFFSETOF(_server_config,debug),
-                 RSRC_CONF,
-                 "Switch on debug messages."),
-
+
+
+
+Directives that can be used inside a limit block.
+-------------------------------------------------
+
+**IdcheckAllowUser**
+
+Arguments: one or more usernames.
+
+Permit specified users by their username. Multiple usernames can be specified on a single directive or in multiple directives.
+
+Example:
+
+    IdcheckAllowUser martin kieran tom terry
+
+
+**IdcheckAllowData**
+
+Arguments: multiple idcheck data strings.
+
+The idcheck server, when it has checked a cookie will return data about the user to
+the webserver that is requesting the check. This will include a set of strings that may specify things like the department the user is working for. These strings can be viewed
+on the idcheck-info url when logged in.
+
+This directive permits users with the specified data authorisation strings access to a resource.
+
+Multiple arguments are ANDed. Multiple directives are ORed. Arguments can be prefixed with a ! to NOT them.
+
+This authorisation list will be passed down to any paths below the one where it is defined. Sometimes this is not what is wanted. See IdcheckClearAllowLists.
+
+Example:
+
+    # Permit IT staff and physics students only.
+    IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=staff"
+    IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"
+
+
+**IdcheckAllowRegex**
+
+Arguments: Coming soon check source code if you are in a hurry.
+
+Similar to IdcheckAllowData except that it uses a perl compatible regular expression.
+
+Example:
+
+    # allow physics or maths staff in.
+    IdcheckAllowRegex "^ldap:unit=(Physics|Maths)$" "^ldap:container=ou=staff$"
+
+
+**IdcheckClearAllowLists**
+
+Arguments: none.
+
+Use this to clear any idcheck access control lists already present at this location. Use this if you need to tighten access controls.
+
+Example:
+
+    <Directory var="" www="" intranet="">
+      ...
+      # Permit IT staff and physics students only.
+      IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
+      IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"
+      ...
+    </Directory>
+
+    <Directory var="" www="" intranet="" staff-only="">
+      ...
+      # Permit IT staff only.
+      IdcheckClearAllowLists
+      IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
+      ...
+    </Directory>
+
+
+**IdcheckUserRequestHeader**
+
+Arguments: A HTTP header.
+
+This can be used to set a custom header in the input table to contain the username. Some web applications might want this.
+
+Example:
+
+     <Directory ...="">
+       Idcheck on
+       IdcheckUserRequestHeader x-webobjects-remote-user
+       ...
+     </Directory>
+
+
+
+Deprecated options:
+-------------------
+
+Do not use these options unless you know what you are doing.
+
+**IdcheckCheckIP**
+
+Was used in a very old version of the idcheck protocol. The source IP address which will be allowed to check the cookies. This is probably the primary IP address of the origin webserver. Set this only if you want to use trusted request cookies - which you probably do not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+

mod_idcheck.so runtime configuration directives. modified by mdte

mdte — Fri, 07 Nov 2014 17:04:16 -0000

Main apache server config

(i.e. outside of limit blocks like <Directory>):

IdcheckLoginUrl
This is normally the login page of the idcheck server. It is the page to which the user will be redirected if they are not presenting a valid idcheck cookie for the website they are trying to get into.

Note that the scope of the registration request cookie (i.e. the cookie domain) is set to the domain of the login_url. So its not possible to run a server with idcheck.foo.bar.example.com. you must run it as idcheck.example.com.

You must ensure that this page is SSL protected, even if the website you are protecting is not as the cookie that is negotiated between the browser and the idcheck server is the most important one.

Example:

IdcheckLoginUrl https://idcheck.example.com/idcheck

IdcheckCheckUrl

mod_idcheck.so uses this URL to check cookie requests against the URL of the main server.

This can be non-https... but only if you trust your internal network and the value of the data that you are keeping on the mod_idcheck.so server is not essential. e.g. a large intranet that can be viewed by thousands of people. If security is important here then this needs to be a HTTPs URL.

Example:

IdcheckCheckUrl http://idcheck.example.com/idcheck

IdcheckAllowRequest

Allows requests that match this regexp. This can be used to prevent robots.txt, image and favicon.ico requests from generating request cookies.

Example:

IdcheckAllowRequest /robots.txt$ /favicon.ico$

IdcheckNoAccessBehaviour

Redirect to the server page (with argument "server") or to a specified URL (give URL as argument) if authorisation directives (IdcheckAllowData and IdcheckAllowUser) fails.

Example:

IdcheckNoAccessBehavior server

IdcheckRedirectUrl

Forces the idcheck server to redirect elsewhere after authentication. It overrides the default behavior which redirects the user back to the page they were attempting to access.

Example:

   IdcheckRedirectURL http://somewhere.else.com/foo

Directives that can be used inside a limit block.

IdcheckAllowUser

Permit specified users by their username. Multiple usernames can be specified on a single directive or in multiple directives.

Example:

IdcheckAllowUser martin kieran tom terry

IdcheckAllowData

The idcheck server, when it has checked a cookie will return data about the user to
the webserver that is requesting the check. This will include a set of strings that may specify things like the department the user is working for. These strings can be viewed
on the idcheck-info url when logged in.

This directive permits users with the specified data authorisation strings access to a resource.

Multiple arguments are ANDed. Multiple directives are ORed. Arguments can be prefixed with a ! to NOT them.

This authorisation list will be passed down to any paths below the one where it is defined. Sometimes this is not what is wanted. See IdcheckClearAllowLists.

Example:

# Permit IT staff and physics students only.
IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"

IdcheckAllowRegex

Similar to IdcheckAllowData except that it uses a perl compatible regular expression.

Example:

    Coming soon.

IdcheckClearAllowLists

Use this to clear any idcheck access control lists already present at this location. Use this if you need to tighten access controls.

Example:

<Directory /var/www/intranet>
  ...
  # Permit IT staff and physics students only.
  IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
  IdcheckAllowData "ldap:unit=Physics" "ldap:container=ou=students"
  ...
</Directory>

<Directory /var/www/intranet/staff-only>
  ...
  # Permit IT staff only.
  IdcheckClearAllowLists
  IdcheckAllowData "ldap:unit=IT" "ldap:container=ou=people"
  ...
</Directory>

Deprecated options:

Do not use these options unless you know what you are doing.

IdcheckCheckIP

Was used in a very old version of the idcheck protocol. The source IP address which will be allowed to check the cookies. This is probably the primary IP address of the origin webserver. Set this only if you want to use trusted request cookies - which you probably do not.

AP_INIT_TAKE3("IdcheckSetEnv",
              set_dir_config_setenv,
              (void *)APR_OFFSETOF(_dir_config,setenv),
              OR_AUTHCFG,
              "Can be used to set additional environment variables based on idcheck authorisation data. Take3 arguments are the variable name, a regular expression and a substitution pattern."),

AP_INIT_FLAG("IdcheckGuestMode", set_dir_config_flag_guest_mode,
             (void *)APR_OFFSETOF(_dir_config,guest_mode),
             OR_AUTHCFG,
             "Use this to let idcheck assign a fake username (IdcheckGuestModeUser) and permit access to the page if authentication would otherwise fail."),

AP_INIT_TAKE1("IdcheckGuestModeUser",
              set_server_config_string_guest_mode_user,
              (void *)APR_OFFSETOF(_server_config,guest_mode_user),
              RSRC_CONF,
              "The username that will be set by idcheck if IdcheckGuestMode is on."
              ),

AP_INIT_TAKE1("IdcheckBindAddress",
              set_server_config_string_bindaddr,
              (void *)APR_OFFSETOF(_server_config,bindaddr),
              RSRC_CONF,
              "The local IP address that is used to connect to the idcheck server."),

AP_INIT_TAKE1("IdcheckUserRequestHeader",
              set_dir_config_string_user_request_header,
              (void *)APR_OFFSETOF(_dir_config,user_request_header),
              OR_AUTHCFG,
              "Set a specific header that contains the username when authenticated."),

AP_INIT_TAKE1("IdcheckCertificateAuthority",
              set_server_config_string_certificate_authority,
              (void *)APR_OFFSETOF(_server_config,certificate_authority),
              RSRC_CONF,
              "This is a file holding one or more certificates to verify the idcheck server with when mod_idcheck checks cookies over https (in IdcheckCheckUrl). By default mod_idcheck uses curl and so will use a libcurl cacert bundle (see the libcurl option CURLOPT_CAINFO). Setting this will set an alternative CA and the default libcurl bundle will not be used. It is only used if IdcheckCertificateVerify is set. PEM format works, others might too."),

AP_INIT_FLAG("IdcheckCertificateVerify",
              set_server_config_flag_certificate_verify,
             (void *)APR_OFFSETOF(_server_config,certificate_verify),
             RSRC_CONF,
             "Set to on if you want to verify the SSL certificates presented by the idcheck server when mod_idcheck checks its cookies. By default, certs will be checked against the default CA bundle provided with libcurl on your operating system. If you want to override this then see IdcheckCertificateAuthority directive."),

AP_INIT_FLAG("IdcheckSecure",
              set_server_config_flag_secure,
             (void *)APR_OFFSETOF(_server_config,secure),
             RSRC_CONF,
             "Set this to true if your website is operating over HTTPS but the SSL offloading is done by a load balancer elsewhere. It adds the secure flag to the cookies if the servers are running over plain HTTP."),

AP_INIT_FLAG("IdcheckDebug",
              set_server_config_flag_debug,
             (void *)APR_OFFSETOF(_server_config,debug),
             RSRC_CONF,
             "Switch on debug messages."),