Reverse Proxy Apache 2.4 how to enable google authentication - apache

I'm trying to enable Google authentication on my Apache 2.4 reverse proxy installed on CentOS 7.
I installed mod_auth_openidc.
I created OAuth 2.0 Client IDs in the G Suite console.
This is my /etc/httpd/conf/http.conf:
<VirtualHost mtest.mydomain.com:80>
ServerName mtest.mydomain.com
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxx
OIDCRedirectURI https://mtest.mydomain.com/
OIDCScope "profile openid"
OIDCCryptoPassphrase example#3003
OIDCCookiePath /
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
<Location />
AuthType openid-connect
Require valid-user
</Location>
Redirect / https://mtest.mydomain.com/
</VirtualHost>
<VirtualHost mtest.mydomain.com:443>
ServerName mtest.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
</VirtualHost>
But when I type the URL http://mtest.mydomain.com I am not redirected to the Google authentication page.
Where is my error?

I solved it this way:
ProxyRequests off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyTimeout 300
<VirtualHost test.mydomain.com:80>
ServerName test.mydomain.com
Redirect / https://test.mydomain.com/
</VirtualHost>
<VirtualHost test.mydomain.com:443>
ServerName test.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mydomain.crt
SSLCertificateKeyFile /etc/httpd/ssl/mydomain.key
SSLCACertificateFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxx
OIDCRedirectURI https://test.mydomain.com/home.html
OIDCScope "profile openid"
OIDCCryptoPassphrase example#3003
OIDCCookiePath /
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
<Location />
AuthType openid-connect
Require valid-user
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
</VirtualHost>
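A hardened variant of the working config above, added here as an example and not the poster's own configuration (the host mtest.mydomain.com, the 192.168.1.1 backend, the Workspace domain mydomain.com and the /redirect_uri path are assumptions). The first config failed because the OIDC directives sat on the :80 vhost, whose Redirect is answered by mod_alias before any authentication runs, while the :443 vhost carried nothing; here everything OIDC-related lives on :443. It also narrows authorization: with Google as the provider, `Require valid-user` accepts any Google account unless the OAuth client is marked internal on Google's side, whereas `Require claim hd:mydomain.com` enforces the Workspace domain at the proxy itself.

```apache
# Added example (not the poster's config). Assumed: host mtest.mydomain.com,
# backend 192.168.1.1, Google Workspace domain mydomain.com.
ProxyRequests Off
<Proxy *>
    Require all granted
</Proxy>

<VirtualHost *:80>
    ServerName mtest.mydomain.com
    # Plain HTTP only redirects; no auth directives here, they would never run.
    Redirect permanent / https://mtest.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mtest.mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/mydomain.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com.key
    SSLCACertificateFile  /etc/httpd/ssl/gd_bundle-g2-g1.crt

    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID     xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
    OIDCClientSecret xxxxxxxxxxxxxxxxxxxxx
    # Callback on the HTTPS vhost, at a path the backend never serves;
    # the module answers it itself, so it is excluded from proxying below.
    OIDCRedirectURI  https://mtest.mydomain.com/redirect_uri
    OIDCScope        "openid email"
    # Hint to Google's account chooser only; not an access control.
    OIDCAuthRequestParams hd=mydomain.com
    # Use a long random value (e.g. openssl rand -hex 32), not a word.
    OIDCCryptoPassphrase "replace-with-random-secret"
    OIDCCookiePath   /
    OIDCRemoteUserClaim email
    OIDCAuthNHeader  X-Forwarded-User

    <Location />
        AuthType openid-connect
        # Enforcement: only ID tokens carrying hd=mydomain.com are authorized.
        Require claim hd:mydomain.com
    </Location>

    ProxyPreserveHost On
    ProxyPass        /redirect_uri !
    ProxyPass        / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
</VirtualHost>
```

The redirect URI must also be registered as an authorized redirect URI on the Google OAuth client, or the authorization request is refused. X-Forwarded-User is only meaningful if the backend at 192.168.1.1 is reachable solely through this proxy; anyone who can reach it directly can send that header themselves.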

Related

Example to support both SAML and OpenIDC

I have a requirement to support both OIDC (openidc) and Mellon (SAML) in our application. We have created two apps in Okta for testing the flow.
OIDC App
SAML App
httpd.conf looks something like this:
<IfModule mod_ssl.c>
<Location />
MellonVariable "cookie"
MellonEnable "auth"
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
MellonSPCertFile /etc/apache2/saml/mellon.crt
MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
</Location>
<VirtualHost _default_:443>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
OIDCScope "openid email profile"
OIDCClientID "xxxx"
OIDCClientSecret "xxxxx"
OIDCCryptoPassphrase "xxxx"
OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
OIDCRedirectURI "https://apachesso.example.com/callback"
OIDCResponseType "code"
<Location /uliya>
<If "%{REQUEST_URI} =~ /callback=/">
AuthType openid-connect
Require valid-user
</If>
<Else>
AuthType "Mellon"
Require valid-user
MellonEnable "auth"
</Else>
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /uliya>
AuthType openid-connect
require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /transport>
AuthType "Mellon"
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
</IfModule>
The goal is that a request to https://apachesso.example.com/uliya should go through the openid-connect auth flow and a request to https://apachesso.example.com/transport should go through the Mellon flow.
However, with the above configuration all request authentication goes to the Mellon plugin by default and the config below doesn't take effect.
<Location /uliya>
AuthType openid-connect
Require valid-user
</Location>
Is it possible to get both these plugins to work together?
Just don't use any authentication directives on "/", but use mod_auth_openidc directives on "/uliya" (including setting OIDCRedirectURI to "/uliya/redirect_uri") and use mod_mellon directives only on "/transport".
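The answer above written out as one complete vhost, added here as an example rather than the poster's or the answerer's config. File paths and client values are taken from the question; the Okta metadata URL is a placeholder for the org's own, and the /transport/mellon endpoint path is an assumption.

```apache
# Added example. Placeholder: example.okta.com stands for the real Okta org.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName apachesso.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key
    ErrorLog  ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Nothing on "/": no AuthType, no Require, no MellonEnable. A module
    # enabled at the root is inherited by every sub-location and claims
    # each request before the other module is consulted.

    # mod_auth_openidc, scoped to /uliya
    OIDCProviderMetadataURL https://example.okta.com/oauth2/default/.well-known/openid-configuration
    OIDCClientID         "xxxx"
    OIDCClientSecret     "xxxxx"
    OIDCCryptoPassphrase "xxxx"
    OIDCResponseType     "code"
    OIDCScope            "openid email profile"
    # Callback inside the protected location so the module sees it.
    OIDCRedirectURI "https://apachesso.example.com/uliya/redirect_uri"
    <Location /uliya>
        AuthType openid-connect
        Require valid-user
    </Location>

    # mod_auth_mellon, scoped to /transport
    <Location /transport>
        AuthType Mellon
        MellonEnable auth
        # Endpoint under the protected location; the SP metadata must
        # advertise these URLs, so regenerate it after changing the path.
        MellonEndpointPath     /transport/mellon
        MellonSPMetadataFile   /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile       /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile  /etc/apache2/saml/idp_metadata.xml
        Require valid-user
    </Location>
</VirtualHost>
</IfModule>
```

Both callbacks have to be registered on the Okta side: https://apachesso.example.com/uliya/redirect_uri as the OIDC app's sign-in redirect URI, and the regenerated SP metadata (with the /transport/mellon endpoints) uploaded to the SAML app.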

Basic auth only for specific directory

I have a small environment where I have 3 services on one server and I want to put all three behind a reverse proxy.
Prometheus server running on port 9090
Prometheus Alert manager running on port 9093
Grafana running on port 3000
My current configuration is below
<VirtualHost *:80>
ServerName metrics.example.com
Redirect permanent / https://metrics.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName metrics.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl.crt/example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/example.key
ErrorLog /var/log/apache2/metrics.example.com-error_log
CustomLog /var/log/apache2/metrics.example.com-access_log combined
<Location "/">
ProxyPreserveHost On
ProxyPass http://localhost:9090/
ProxyPassReverse http://localhost:9090/
</Location>
<Location "/alertmanager/">
ProxyPreserveHost On
ProxyPass http://localhost:9093/
ProxyPassReverse http://localhost:9093/
</Location>
<Location "/grafana/">
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
# <Proxy *>
# AuthType Basic
# AuthName "Restricted Content"
# AuthUserFile /etc/apache2/.htpasswd
# Require valid-user
# </Proxy>
</VirtualHost>
For now everything works, but Prometheus and Alertmanager don't have their own auth; Grafana does. If I uncomment the section, Grafana stops working. The goal is to protect both Prometheus and Alertmanager with basic auth but not the Grafana instance.
Is it possible (and how) to protect the root ("/") directory and the /alertmanager subdirectory while omitting the /grafana subdirectory in a single vhost?
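One way to get the split the question asks for, added here as an example and not the poster's configuration; only the :443 vhost is shown and it reuses the poster's hostnames, ports and certificate paths. Apache 2.4 merges `Require` by replacement (AuthMerging defaults to Off), so `Require all granted` in the /grafana/ location discards the inherited `Require valid-user`, and because that requirement can be satisfied without a user, Basic authentication is skipped there. A backend that does its own login, as Grafana does, would still receive the browser's Basic credentials for every path under the challenged "/" (the RFC 7617 protection space) unless they are stripped; the last post on this page uses the same `RequestHeader unset Authorization` for that.

```apache
# Added example (not the poster's config): only the :443 vhost.
<VirtualHost *:443>
    ServerName metrics.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/apache2/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/example.key
    ErrorLog  /var/log/apache2/metrics.example.com-error_log
    CustomLog /var/log/apache2/metrics.example.com-access_log combined

    ProxyPreserveHost On

    # Root: Prometheus, Basic auth required (TLS only; :80 just redirects).
    <Location "/">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
        ProxyPass        http://localhost:9090/
        ProxyPassReverse http://localhost:9090/
        # Runs after authentication (not "early"), so Apache has already
        # checked the credentials; the backends never see them. mod_headers
        # directives are inherited by the sub-locations below.
        RequestHeader unset Authorization
    </Location>

    # Alertmanager inherits AuthType, AuthUserFile and Require from "/".
    <Location "/alertmanager/">
        ProxyPass        http://localhost:9093/
        ProxyPassReverse http://localhost:9093/
    </Location>

    # Grafana: this Require replaces the inherited "valid-user", and since
    # "all granted" needs no user, the Basic challenge is never issued here.
    <Location "/grafana/">
        Require all granted
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass        http://localhost:3000/
        ProxyPassReverse http://localhost:3000/
    </Location>
</VirtualHost>
```

A quick check after reloading: an unauthenticated request to https://metrics.example.com/ and to /alertmanager/ should get 401 from Apache, while /grafana/ should answer with Grafana's own login page.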

APACHE AUTH PROXY FOR QUESTDB

I want to configure an Apache auth proxy for access to QuestDB, which does not have an authentication system. I am trying it on a VM first.
I made a very simple configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
ProxyRequests Off
</VirtualHost>
I configured my QuestDB with a bind address of http://127.0.0.1:9000.
When I go to http://myipaddress and give my Apache authenticated user, I get:
Bad request
refresh
Content without CSS
refresh
Bad request
refresh
QuestDB opened
refresh
and it loops like this forever.
Any idea?
When I just set the ProxyPass / ProxyPassReverse lines, I get the same phenomenon.
I have enabled these Apache server mods: proxy_http, proxy, rewrite and cache, plus the default ones that are enabled.
The config below is working for me. I think the difference is that I am not using a DocumentRoot.
<VirtualHost *:80>
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyRequests Off
ServerName 127.0.0.1:80
ServerAlias localhost
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>

Disable security for sub path in Apache2

I have a proxy defined in my Apache; is there any way to disable security for a sub path?
In the config I have /app pointing to localhost:8000 and I want /app/public to point to localhost:8000/public.
Here is my config file (with security for all paths):
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /app http://localhost:8000
ProxyPassReverse /app http://localhost:8000
ServerName example.com
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
</VirtualHost>
I found the solution: I used LocationMatch instead of the Proxy tag. This is the resulting conf file:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /app http://localhost:8000
ProxyPassReverse /app http://localhost:8000
ServerName example.com
<LocationMatch "^(?!/path/to/exclude)/[^/]+">
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</LocationMatch>
</VirtualHost>
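The same exclusion without a regular expression, added here as an example and not the poster's config (it assumes the exclusion is /app/public, which the answer left as a placeholder). Two things about the LocationMatch form are worth knowing before copying it: the negative lookahead is a plain prefix test, so `/app/publicfoo` would be excluded along with `/app/public`, and `/[^/]+` never matches a bare `/`, so the root path gets no auth at all. `<Location>` matches on path segments, so the block below excludes exactly /app/public and what lies beneath it. For proxied requests Apache applies `<Proxy>` sections in place of `<Directory>` and `<Location>` sections after them, and `Require` is replaced rather than accumulated (AuthMerging Off), so the innermost Location decides.

```apache
# Added example (not the poster's config). Assumed exclusion: /app/public.
<VirtualHost *:80>
    ServerName example.com
    ProxyPreserveHost On
    ProxyPass        /app http://localhost:8000
    ProxyPassReverse /app http://localhost:8000

    <Proxy *>
        Require all granted
    </Proxy>

    # Everything under /app needs a password...
    <Location /app>
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    # ...except /app/public and anything beneath it. This matches
    # /app/public and /app/public/x but not /app/publicfoo, and it
    # replaces (does not extend) the parent's Require.
    <Location /app/public>
        Require all granted
    </Location>
</VirtualHost>
```

Note that Apache normalizes the path before matching, so `/app/public/../secret` is evaluated as `/app/secret` and still challenged; a backend that treats paths case-insensitively, however, would serve `/app/PUBLIC/...` unauthenticated only if the proxy also excluded it, which this config does not.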

Apache Reverse Proxy Keeps me in the login Page

I have a problem with the Apache reverse proxy configuration.
I have a service running on port 3000, and when I try to log in, even if it's successful it keeps me on the login page. I think it's a cookie/session problem but I can't figure out a solution.
ServerAdmin webmaster@localhost
ServerName localhost
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order Allow,Deny
Allow from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Proxy>
ProxyPass "/" "http://127.0.0.1:3000/"
ProxyPassReverse "/" "http://127.0.0.1:3000/"
ProxyPassReverseCookieDomain "http://127.0.0.1:3000/" "http:foo/"
This configuration finally works:
<VirtualHost *:*>
ServerAdmin webmaster@localhost
ServerName http://localhost
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>
ProxyErrorOverride On
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
RequestHeader unset Authorization
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>