Example to support both SAML and OpenIDC - apache

I have a requirement to support both OIDC (openidc) and Mellon (SAML) in our application. We have created two apps in Okta for testing the flow.
OIDC App
SAML App
httpd.conf looks something like below :
<IfModule mod_ssl.c>
<Location />
MellonVariable "cookie"
MellonEnable "auth"
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
MellonSPCertFile /etc/apache2/saml/mellon.crt
MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
</Location>
<VirtualHost _default_:443>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
OIDCScope "openid email profile"
OIDCClientID "xxxx"
OIDCClientSecret "xxxxx"
OIDCCryptoPassphrase "xxxx"
OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
OIDCRedirectURI "https://apachesso.example.com/callback"
OIDCResponseType "code"
<Location /uliya>
<If "%{REQUEST_URI} =~ /callback=/">
AuthType openid-connect
Require valid-user
</If>
<Else>
AuthType "Mellon"
Require valid-user
MellonEnable "auth"
</Else>
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /uliya>
AuthType openid-connect
require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /transport>
AuthType "Mellon"
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
</IfModule>
The goal is that a request to https://apachesso.example.com/uliya should go through the openid-connect auth flow and a request to https://apachesso.example.com/transport should go through the Mellon flow.
However, with the above configuration all request authentication goes to the Mellon plugin by default and the config below doesn't take effect.
<Location /uliya>
AuthType openid-connect
Require valid-user
</Location>
Is it possible to get both these plugins to work together?

Just don't use any authentication directives on "/", but use mod_auth_openidc directives on "/uliya" (including setting OIDCRedirectURI to "/uliya/redirect_uri") and use mod_mellon directives only on "/transport".
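A complete virtual host laid out the way this answer describes, added here as an example and not the asker's or answerer's own configuration; the Okta issuer URL, client credentials and certificate paths are placeholders. Each module owns exactly one path, nothing is protected on "/", and both the OIDC redirect URI and the Mellon endpoint path sit inside the location their module protects, so each callback is handled by the right module.

```apache
<VirtualHost *:443>
    ServerName apachesso.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key

    # mod_auth_openidc settings are server-wide, but they protect nothing by
    # themselves. The redirect URI is placed *inside* /uliya so the callback
    # is processed by the same module that guards that path.
    # (issuer URL, client id and secret below are placeholders)
    OIDCProviderMetadataURL https://YOUR-OKTA-DOMAIN/.well-known/openid-configuration
    OIDCClientID         "YOUR-OIDC-CLIENT-ID"
    OIDCClientSecret     "YOUR-OIDC-CLIENT-SECRET"
    OIDCCryptoPassphrase "replace-with-a-long-random-value"
    OIDCRedirectURI      https://apachesso.example.com/uliya/redirect_uri
    OIDCResponseType     "code"
    OIDCScope            "openid email profile"

    # No AuthType, Require or Mellon* directives on "/" anywhere.
    <Location /uliya>
        AuthType openid-connect
        Require valid-user
    </Location>

    # mod_auth_mellon only here. The endpoint path is under /transport so the
    # SAML response POSTed back by Okta reaches Mellon and never touches the
    # OIDC-protected path. The SP metadata (mellon_metadata.xml) must then
    # advertise https://apachesso.example.com/transport/mellon/postResponse
    # as its AssertionConsumerService URL.
    <Location /transport>
        AuthType Mellon
        MellonEnable auth
        Require valid-user
        MellonEndpointPath     /transport/mellon
        MellonVariable         "mellon_cookie"
        MellonSecureCookie     On
        MellonSPMetadataFile   /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile       /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile  /etc/apache2/saml/idp_metadata.xml
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing; a mismatch between MellonEndpointPath and the ACS URL registered in the SP metadata is the usual reason the SAML leg fails after the split.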

Related

Configuring multiple SAML apps with mod_auth_mellon in Apache?

We have a requirement to support SAML for SSO (Okta and Google). I have been able to set up my own custom SAML application in Google and configure mellon in apache. However, we have a requirement to configure SAML in Okta for customers and SAML in Google for our internal users.
#################################################################################
# Global configuration for mod_auth_mellon.
# This configuration is shared by every virtual server and location in this instance of apache.
#################################################################################
# MellonCacheSize sets the maximum number of sessions which can be active at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions. The server must be restarted before any changes to this option take effect.
# Default: MellonCacheSize 100
MellonCacheSize 100
# MellonLockFile is the full path to a file used for synchronizing access to the session data. The path should only be used by one instance of apache at a time.
# The server must be restarted before any changes to this option take effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"
# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100
###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
<Location />
MellonEnable "info"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
<Location />
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
<Location /protected>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
How can we differentiate incoming requests between Okta and Google (SAML), as the <Location /> directive can be configured for only one of the SAML providers?
The mod_auth_mellon module only applies SAML to a specific <Location />...</Location>, so you would have to configure a location for each IdP provider.
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
# GoogleSaml
# AuthType must be "Mellon": the module registers no other auth type. Which IdP
# is used is decided by the SP/IdP metadata files set in each <Location>.
<Location />
MellonEnable "info"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
# Okta (separate SP key/cert and IdP metadata, same AuthType "Mellon")
<Location /protected>
Require valid-user
AuthType "Mellon"
MellonEnable "auth"
MellonDecoder "none"
MellonVariable "cookie"
MellonSecureCookie On
MellonUser "NAME_ID"
MellonSetEnv "e-mail" "mail"
MellonEndpointPath "/endpoint"
MellonDefaultLoginPath "/"
MellonSessionLength 300
MellonSPPrivateKeyFile /etc/apache2/mellon/http_192.168.14.130_okta.key
MellonSPCertFile /etc/apache2/mellon/http_192.168.14.130_okta.cert
MellonIdPMetadataFile /etc/apache2/mellon/metadata
MellonSamlResponseDump On
MellonSessionDump On
</Location>
</VirtualHost>
If you want to do this dynamically based on the user's headers, I wouldn't recommend mod_auth_mellon; having your application serve up the authentication would make more sense.
Hope this helps.
I have tried the config below and it works for both openidc and mellon. Apparently, this scenario would be helpful for those willing to configure Okta (mellon) and Google SSO for the internal IdP.
<Location />
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
MellonSPCertFile /etc/apache2/saml/mellon.crt
MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
MellonVariable "mellon_cookie"
MellonDefaultLoginPath /
MellonSecureCookie on
</Location>
<VirtualHost *:443>
ServerName zzz.xxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/xxxxx_prod.pem
SSLCertificateKeyFile /etc/ssl/private/xxxxx.com.key
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCRedirectURI "https://zzz.xxxx.com/openidc_callback"
OIDCDiscoverURL https://zzz.xxxx.com/idp-discovery.html
<Location /uliya>
AuthType "mellon"
Require valid-user
MellonEnable "auth"
</Location>
<Location /transport>
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth
</Location>
<Location "/idp-page.html">
Require all granted
</Location>
</VirtualHost>

Remove URL user credentials before pass to Reverse Proxy - Apache

I am trying to configure Apache as a reverse proxy with basic auth. The problem is that URL credentials should not be proxied to the service (http://localhost:8000).
For example: if the user accesses http://user:password@my-host.com, the URL credentials should not be passed on like http://user:password@localhost:8000; it should be just http://localhost:8000
The conf file:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ProxyRequests off
<Location />
AuthType Basic
AuthName "namex"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
ProxyPass http://localhost:8000/
Order allow,deny
Allow from all
RequestHeader set Authorization "Basic base64userpass"
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How should I do that?
Thanks!

Reverse Proxy Apache 2.4 how to enable Google authentication

I'm trying to enable Google authentication on my Apache 2.4 reverse proxy installed on CentOS 7.
I installed mod_auth_openidc.
I created OAuth 2.0 Client IDs on the GSUITE console.
This is my /etc/httpd/conf/http.conf:
<VirtualHost mtest.mydomain.com:80>
ServerName mtest.mydomain.com
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxx
OIDCRedirectURI https://mtest.mydomain.com/
OIDCScope "profile openid"
OIDCCryptoPassphrase example#3003
OIDCCookiePath /
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
<Location />
AuthType openid-connect
Require valid-user
</Location>
Redirect / https://mtest.mydomain.com/
</VirtualHost>
<VirtualHost mtest.mydomain.com:443>
ServerName mtest.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
</VirtualHost>
But when I type the URL http://mtest.mydomain.com I am not redirected to the Google authentication page.
Where is my error?
I solved it this way:
ProxyRequests off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyTimeout 300
<VirtualHost test.mydomain.com:80>
ServerName test.mydomain.com
Redirect / https://test.mydomain.com/
</VirtualHost>
<VirtualHost test.mydomain.com:443>
ServerName test.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxx
OIDCRedirectURI https://test.mydomain.com/home.html
OIDCScope "profile openid"
OIDCCryptoPassphrase example#3003
OIDCCookiePath /
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
<Location />
AuthType openid-connect
Require valid-user
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
</VirtualHost>

Apache: Authentication before proxying

I got a VM with an application running on it. It doesn't support password protection. I connect to it like sub.domain.com:6000 (redirecting port 6000 to 80 of the VM).
So I'd like to use Apache as a proxy with authentication.
My VirtualHost config:
<VirtualHost *:*>
DocumentRoot /var/www/html/
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass "/" "http://127.0.0.1:5000/"
ProxyPassReverse "/" "http://127.0.0.1:5000/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It redirects me, but there is no password protection.
What's wrong?
The <Directory> directive is used to enclose a group of directives that will apply only to the named directory, sub-directories of that directory, and the files within the respective directories. A proxied server is none of that, so you have to use the <Location> directive, which limits the scope of the enclosed directives by URL:
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>

Apache reverse proxy with LDAP authentication for multiple applications

We have to run Apache as a reverse proxy with LDAP authentication (AWS EMR) for 2 different applications. The reverse proxy and LDAP are working fine, but the contents of the applications' web pages are not loading fully. We are getting a 404 error code for some of the dependencies of the web page through the reverse proxy.
Here is our httpd.conf file:
<VirtualHost *:80>
ServerName localhost
ProxyHTMLExtended On
RequestHeader unset Accept-Encoding
ProxyRequests off
ProxyPass /zeppelin/ http://localhost:8890/
ProxyHTMLURLMap http://localhost:8890 /zeppelin
ProxyPass /jupyter/ http://localhost:8900/
ProxyHTMLURLMap http://localhost:8900 /jupyter
<Location /zeppelin/>
Options Indexes FollowSymLinks
# AllowOverride is only valid in <Directory> context and would make httpd refuse this config
AuthName "Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap::url"
AuthLDAPBindDN "bindn"
AuthLDAPBindPassword "bindpassword"
Require valid-user
# Inside <Location>, ProxyPassReverse takes only the backend URL (the path is the Location itself)
ProxyPassReverse http://localhost:8890/
ProxyHTMLEnable On
ProxyHTMLURLMap / /zeppelin/
RequestHeader unset Accept-Encoding
</Location>
<Location /jupyter/>
Options Indexes FollowSymLinks
AuthName "Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap::url"
AuthLDAPBindDN "bindn"
AuthLDAPBindPassword "bindpassword"
Require valid-user
ProxyPassReverse http://localhost:8900/
ProxyHTMLEnable On
ProxyHTMLURLMap / /jupyter/
RequestHeader unset Accept-Encoding
</Location>
DocumentRoot /var/www
<Directory /var/www>
Options -Indexes
Order allow,deny
allow from all
</Directory>
</VirtualHost>