Why does enabling cleartrust override my shibboleth settings in Apache? - apache

I want to protect one of my virtual hosts with shibboleth and others with cleartrust, but as soon as I enable cleartrust I can access the shibboleth protected virtual hosts without being authorized.
This is my shibboleth virtual host:
localhost.virtual-host.conf
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLProtocol all
SSLCertificateFile conf/localhost.crt
SSLCertificateKeyFile conf/localhost.key
SSLCertificateChainFile "conf/localhost.crt"
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
ProxyPreserveHost On
ProxyPass "/Shibboleth.sso" !
<Location />
AuthType shibboleth
Require shibboleth
ShibRequestSetting applicationId localhost-saml
</Location>
<Location /group>
ShibUseHeaders On
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId localhost-saml
Require valid-user
</Location>
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
</VirtualHost>
My cleartrust httpd.conf
ct-httpd.conf
#
# This is a RSA Access Manager Agent 5.0 configuration file
#
# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so
<IfModule ct_apache_mod.c>
# Where the agent configuration is located:
CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15
# Where the ClearTrust forms are located. This directory must
# always be configured for authentication, so the ClearTrust module
# can intercept and handle the requests.
#
Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
<Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
AuthType Basic
Require valid-user
AuthName CT
Order allow,deny
Allow from all
</Directory>
# Any part of a web site to be protected by ClearTrust must be
# configured for authentication. See the Apache documentation
# for details.
#
# This example will make ClearTrust protect the entire web site,
# unless there are previous Location overriding directives.
#
<Location />
AuthType Basic
Require valid-user
AuthName CT
</Location>
</IfModule>
My cleartrust webagent.conf, by default I disable cleartrust, because I want shibboleth to be used by default instead.
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
</VirtualHost>
The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, then I can access /group in localhost without authorizing via shibboleth, which I do not want.
Have anyone else had a similar issue and knows how to fix this? Thanks in advance! :)

After reading through the Access Manager documentation I found that if cleartrust agent is disabled, it also ignores all other potential authentication modules loaded into Apache by default. In order for Access Manager to pass the authentication to other modules, you must specify a list of authentication realms for which the Access Manager Agent allows requests to be evaluated by other modules.
I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*
Final result:
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
cleartrust.agent.apache.pass_realms=*
</VirtualHost>

Related

Does Apache + geoserver require double logins?

Behaviour:
1) I access the site, enter the userID/password that's required for the site
2) The site starts to load, but when the request is made to the WMS layers being served from the GeoServer ->
3) I get a second login-prompt that only accepts users(in this case the admin user) for the GeoServer.
Obviously,
Point 3 shouldn't be happening because i can access the WMS-requests "standalone" without logging in, so I think that the Geoserver is correctly configured.
The apache-config is as follows:
<VirtualHost *:80>
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
</VirtualHost>
Any ideas why the site asks for the second login-prompt, regarding the geoserver?
This may be similar to an issue my team has had. If you add the same username and password combination as your apache user to your geoserver setup then it should stop prompting for the login.
Geoserver users.xml can be found in /data/security/usergroup/default/users.xml
Or i think you can do it through the geoserver backend.

Open Street Map Tile Server using mod_tile authentication

I am creating a cluster of tile servers for a client application, due to bandwidth costs we would like to add some sort of authentication to the mod_tiles module in apache. I would prefer a app token using either oauth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
First thing I've done is disabled mod_tile over insecure connection. This is necessary because basic authentication has no encryption and asking users' login/password over insecure connection is a generally bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin#example.com
# Standard dir connfiguration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
Additionally to that, I would also recommend to use fail2ban to monitor basic authentication attempts, because apache itself has no brute-force attack protection. Hope this helps!

Running Jenkins behind Apache 2.2 issue

I need to configure Jenkins behind Apache. For this purpose I installed Apache 2.2 using httpd-2.2.25-win32-x86-openssl-0.9.8y.msi.
Now I have configured jenkins with -
--httpPort=8084 --prefix=/jenkins (inside jenkins.xml)
The securityRealm for Jenkins is (I am using LDAP authentication):
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap#1.11">
<server>ldap://ldap.myserver.com:1234</server>
<rootDN>DC=blah-blah,DC=blah</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>SAMAccountName={0}</userSearch>
<groupSearchFilter></groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter></filter>
</groupMembershipStrategy>
<managerDN>email#mycompany.com</managerDN>
<managerPasswordSecret>XXXX</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
The name of the server where Apache and Jenkins are hosted is : http://abchost/.
Jenkins is hosted at : http://abchost:8084/jenkins.
Now I need to configure Apache server in such a way that, when I enter http://abchost/jenkins in browser it a Proxy should work in between and it should forward the request to http://abchost:8084/jenkins and again, get the result from jenkins and display the result at : http://abchost/jenkins.
For this I have configured Apache like this:
NameVirtualHost abchost:80
Listen 80
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
<VirtualHost *:80>
ServerName abchost.com
ServerAdmin admin#abchost.com
ProxyPass /downloads !
Alias /downloads "d:\myPath1"
<Directory "d:\myPath2">
# Don't allow editing the main repository site.
Options -Indexes
</Directory>
<Directory "d:\myPath3">
# Remove 'Parent Directory' link from the site.
# IndexIgnore ..
#
Options +Indexes
# List file names which will be opened automatically when the folder is opened.
DirectoryIndex index.html toc.html
IndexOptions FancyIndexing HTMLTable FoldersFirst SuppressDescription
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Jenkins via HTTP.
ProxyPass /jenkins/ http:/abchost:8084/jenkins/ nocanon
ProxyPassReverse /jenkins http://abchost:8084/jenkins/
</VirtualHost>
After this configuration, I am able to login in jenkins using http:/abchost:8084/jenkins/, but, not using http:/abchost/jenkins/.
Point to note is:
When I am logging in http:/abchost/jenkins/ using proper user id and pswd, it looks like the page refreshes and blank login page appears again.
When I am logging in http:/abchost/jenkins/ using wrong user id and pswd combination, it shows message that LDAP authentication failed.
Can anyone please enlighten me?
Thanks in advance!

How to login into Web App with kerberos/AD but still allow access to non AD users

I'm deploying a SSO in Apache webserver against an Active Directory via kerberos (mod_auth_kerb).
The module is installed and configured correctly, when I access apache websites with a logged in user to AD network, Apache receives correctly user's credentials via REMOTE_USER variable. The thing is that I want external users (non AD network ones) to be able to access Apache websites via regular login, but they get a
401 Authorization required
when accessing the websites.
I guess this can be achieved via kerberos configuration but haven't reached the solution. Does anyone know if this is posible with a kerberos location directive or should I configure some workaround for this, such as limiting location access by ip ranges in virtual host configuration Location directive?
My virtual host configuration is:
<VirtualHost *:80>
# General
ServerAdmin packettrc#my.es
DocumentRoot /home/moodle/moodle
ServerName my.es
LogLevel debug
ErrorLog logs/my.es-error.log
CustomLog logs/my.es.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login MY"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/my.es#MY.ES
KrbAuthRealms MY.ES
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
</VirtualHost>
Try to replace
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case link to Apache's manual.

How to filter url in Apache configuration

We have an Apache web server that receive user requests. It only allows https connections JkHTTPSIndicator HTTPS. But now we have a new requirement, which will allow a particular url pattern like /myurl on http via Apache. That is, we want Apache to only accept http if a particular url pattern is thrown at it.
You can use a Location block to restrict/allow access
http://httpd.apache.org/docs/2.2/sections.html
I'm not quite sure if this is what you want, but you could block the root location:
<Location />
Deny from all
</Location>
And then add a location to allow
<Location /myurl>
Allow from all
</Location>
The above suggestion did not work for me with Apache 2.2.15. I had to do something different although still along the lines suggested above:
<VirtualHost *:80>
...
<Location / >
Require all denied
</Location>
<Location /my-dir>
Require all granted
</Location>
</VirtualHost>