Behaviour:
1) I access the site, enter the userID/password that's required for the site
2) The site starts to load, but when the request is made to the WMS layers being served from the GeoServer ->
3) I get a second login-prompt that only accepts users(in this case the admin user) for the GeoServer.
Obviously,
Point 3 shouldn't be happening because i can access the WMS-requests "standalone" without logging in, so I think that the Geoserver is correctly configured.
The apache-config is as follows:
<VirtualHost *:80>
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
</VirtualHost>
Any ideas why the site asks for the second login-prompt, regarding the geoserver?
This may be similar to an issue my team has had. If you add the same username and password combination as your apache user to your geoserver setup then it should stop prompting for the login.
Geoserver users.xml can be found in /data/security/usergroup/default/users.xml
Or i think you can do it through the geoserver backend.
Related
So i have an apache forward proxy setup like this:
<VirtualHost *:8080>
AddRadiusAuth **radius server ip**:1812 **secret** 5:3
ProxyRequests On
ProxyVia On
AllowConnect 443 5601
<Proxy "*">
Order Deny,Allow
Allow from all
AuthType Basic
AuthName "Please Enter Your JumpCloud Credentials"
AuthBasicAuthoritative Off
AuthRadiusAuthoritative on
AuthBasicProvider radius
AuthRadiusActive On
Require valid-user
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
now whenever a user tries to connect to the radius server he is allowed to login without any issues, BUT, the user gets this message when trying to login:
this image shows what the user sees when he tries to login using his radius credentials
Now that is not exactly safe because since the proxy connection is not private if anyone is eavesdropping on the connection the attacker can see the user and pass and eventually hack our systems.
How can i make the connection private and secured. I tried enabling SSL module and using a certificate file using these
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/vpn.crt
SSLCertificateKeyFile /etc/apache2/ssl/vpn.key
outside of the proxy tags but that didnt work, if i put them inside the proxy tags i get an error saying that they're not allowed to be there, so what am i missing here?
Any help or guidance is greatly appreciated.
Regards!
I want to protect one of my virtual hosts with shibboleth and others with cleartrust, but as soon as I enable cleartrust I can access the shibboleth protected virtual hosts without being authorized.
This is my shibboleth virtual host:
localhost.virtual-host.conf
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLProtocol all
SSLCertificateFile conf/localhost.crt
SSLCertificateKeyFile conf/localhost.key
SSLCertificateChainFile "conf/localhost.crt"
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
ProxyPreserveHost On
ProxyPass "/Shibboleth.sso" !
<Location />
AuthType shibboleth
Require shibboleth
ShibRequestSetting applicationId localhost-saml
</Location>
<Location /group>
ShibUseHeaders On
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId localhost-saml
Require valid-user
</Location>
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
</VirtualHost>
My cleartrust httpd.conf
ct-httpd.conf
#
# This is a RSA Access Manager Agent 5.0 configuration file
#
# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so
<IfModule ct_apache_mod.c>
# Where the agent configuration is located:
CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15
# Where the ClearTrust forms are located. This directory must
# always be configured for authentication, so the ClearTrust module
# can intercept and handle the requests.
#
Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
<Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
AuthType Basic
Require valid-user
AuthName CT
Order allow,deny
Allow from all
</Directory>
# Any part of a web site to be protected by ClearTrust must be
# configured for authentication. See the Apache documentation
# for details.
#
# This example will make ClearTrust protect the entire web site,
# unless there are previous Location overriding directives.
#
<Location />
AuthType Basic
Require valid-user
AuthName CT
</Location>
</IfModule>
My cleartrust webagent.conf, by default I disable cleartrust, because I want shibboleth to be used by default instead.
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
</VirtualHost>
The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, then I can access /group in localhost without authorizing via shibboleth, which I do not want.
Have anyone else had a similar issue and knows how to fix this? Thanks in advance! :)
After reading through the Access Manager documentation I found that if cleartrust agent is disabled, it also ignores all other potential authentication modules loaded into Apache by default. In order for Access Manager to pass the authentication to other modules, you must specify a list of authentication realms for which the Access Manager Agent allows requests to be evaluated by other modules.
I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*
Final result:
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
cleartrust.agent.apache.pass_realms=*
</VirtualHost>
I'm new to apache so sorry if this is a newbie question. I have a reverse proxy set-up (and working) with the following code which includes a working authentication:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ProxyPass /PIZZA/ http://localhost:3636/PIZZA/
ProxyPassReverse /PIZZA/ http://localhost:3636/PIZZA/
ProxyPreserveHost On
<Location /PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
The above authentication is working if I go do my /PIZZA/ url.
However, if I type in the source IP address for the same url (ex: 192.168.1.11:3636/PIZZA/) the webpage loads without the need for authentication.
My question, is there a way to authenticate the specific source ip address? Something like the following (which doesn't work)?
<Location http://192.168.1.11:3636/PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
Any help would be very much appreciated. Thanks!
In the 2nd case, you're not even accessing Apache, so no Apache configuration is going to make any difference. If you want the backend server to only accept connections from your proxy server, you'll have to configure the backend server appropriately (or count on it being inaccessible over TCP)
Thanks for the responses. It was probably a rookie error trying to do the second authentication.
Arkascha - your answer pointed me in the right direction and I got it to work. I essentially just blocked access to the port in the firewall and that worked.
I would have never figured this out without your pointing me in the right direction so thanks!
I am creating a cluster of tile servers for a client application, due to bandwidth costs we would like to add some sort of authentication to the mod_tiles module in apache. I would prefer a app token using either oauth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
First thing I've done is disabled mod_tile over insecure connection. This is necessary because basic authentication has no encryption and asking users' login/password over insecure connection is a generally bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin#example.com
# Standard dir connfiguration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
Additionally to that, I would also recommend to use fail2ban to monitor basic authentication attempts, because apache itself has no brute-force attack protection. Hope this helps!
I have trac installed and running great using apache2 and mod_wsgi. However when ever a user tries to access even the front page they are greeted with a login. I've tried several things, but everything I try either disables the authentication all together or won't allow unauthenticated users to view the site. Here's the authentication section of my httpd.conf file:
<Location '/'>
AuthType Basic
AuthName "Trac"
AuthUserFile /home/trac/.htpasswd
Require valid-user
</Location>
I'm almost certain that the solution lies int the require line but I've exhausted my ow creativity. Any thoughts?
EDIT: The answer I selected works great. The link given doesn't have instructions on connecting the password file to the system.
My memory is hazy, but the only solution I found when I had this issue was switching to from Apache authentication to the AccountManagerPlugin.
You can specify when apache should ask about password.
In trac when you select Login it will open site: /trac_folder/login
So defining location for authentication should do the trick.
Check my trac.conf:
WSGIScriptAlias /trac /var/lib/trac/apache/trac.wsgi
## This is required if you plan to use HTTP authorization. Without it the
## user name won't be passed
WSGIPassAuthorization On
<Directory /trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
#AuthType Basic
#AuthName "TracHaselko"
#AuthUserFile /var/lib/trac/authfiles/htpasswd
#Require valid-user
</Directory>
<Location /trac/login>
AuthType Basic
AuthName "TracHaslo"
AuthUserFile /var/lib/trac/authfiles/htpasswd
Require valid-user
</Location>
In you file change:
<Location '/'>
to:
<Location '/login'>