How to concat variables in apache - apache

I'm working with apache module mod_auth_openidc. and i'm trying to concat some variables in order to send it to my application.
OIDCScope "profile email openid offline_access"
OIDCRemoteUserClaim sub
<Location "/app2">
AuthType openid-connect
Require valid-user
ProxyPass "http://192.168.10.237/myapp"
ProxyPassReverse "http://192.168.10.237/myapp"
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
RequestHeader set REMOTE_USER %{PROXY_USER}e
</Location>
</VirtualHost>
My application display the HTTP header attributs
enter image description here
The purpose is to concat "sub" and "email" values and put them together in REMOTE_USER variable.
any siggestions please ?

You can use something like:
RequestHeader set REMOTE_USER "%{PROXY_USER}e:%{OIDC_CLAIM_email}e"
since the email claim - if it exists - will have been propagated in the OIDC_CLAIM_email environment variable.

Related

Apache redirect with REMOTE_USER variable not working

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} "=username"
RewriteRule ^/sourcepath$ $1/destpath [L,R=302,QSD]
<IfModule mod_auth_basic.c>
<LocationMatch "^/sourcepath(.html|/.*)">
Header unset Cache-Control
RequestHeader unset Authorization
AuthType Basic
AuthName "XYZ"
AuthBasicProvider file
AuthUserFile "/location of auth file"
Require valid-user
</LocationMatch>
</IfModule>
the authentication works but it is not redirecting to the destination url
In this line:
RewriteRule ^/sourcepath$ $1/destpath
You haven't used any parentheses, so $1 refers to nothing. Did you mean $0 which refers to the entire match, i.e. change /sourcepath to /sourcepath/destpath?

Authentication with apache: pass group as header to application server

I would like to use Apache web server as a reverse proxy in front of an application server to handle authentication.
The idea is that after authentication Apache will pass on the user and group(s) to the app server in request headers.
How can I capture the group(s) of the authenticated user in an environment variable so that I can use it for setting request headers?
I've managed to write the user to a header like so:
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
I'm assuming it would be similar for groups, but I can't find what variable I should use in RewriteCond. (Or is there another way to do it?)
RewriteCond %{???} (.+) # <--- what variable should I use here
RewriteRule . - [E=RG:%1,NS]
RequestHeader set X-Forwarded-User-Groups %{RG}e
A more complete example of the configuration I'm trying to use:
<VirtualHost *:80>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Location />
AuthType Basic
AuthBasicProvider file
AuthName "Restricted Content"
AuthUserFile "/path/to/userfile"
AuthGroupFile "/path/to/groupfile"
Require group users
Require group admins
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
RewriteCond %{???} (.+)
RewriteRule . - [E=RG:%1,NS]
RequestHeader set X-Forwarded-User-Groups %{RG}e
RequestHeader unset Authorization
</Location>
</VirtualHost>
I just had the same issue, and after an extensive search and looking at the mod_authz_groupfile.c source it just doesn't seem possible with just configuration.
The group is not exposed as a variable, and there doesn't seem to be a way to use the require group statement in an expression. You could probably get the group into a variable using the RewriteMap directive to read the AuthGroupsFile again with a custom external command (the default commands like txt aren't sufficient), but that is way complicated and probably slow.
Note that using the file function to read the AuthGroupsFile within an <If> expression will not work, as the expression is evaluated before authentication and thus the value of the REMOTE_USER variable will not yet be available.

How do I set REMOTE_USER in a HTTP header?

I've got an issue with my Apache settings.
I installed a web application that partly accepts external authentication:
I use Apache to manage the access to my application web pages.
If the authentication is successful, the environment variable REMOTE_USER is set with the user's name.
Then the user name is passed to my application through the HTTP header so the application opens on the user session.
This is mostly an Apache configuration for the application. I only set the name of the variable (HTTP header) that contains the username in my application config file.
Here is the issue : I can authenticate successfully (most of the time) but my HTTP header is set to null.
Some additional details :
I use Apache and the mod_perl modules (AuthenNIS + AuthzNIS + Net-NIS) to authenticate to my app with NIS account.
With the following Apache config file I have the authentication form when I try to access my application but the REMOTE_USER header is set to null.
Listen 2208
<VirtualHost *:2208>
RewriteEngine on
DocumentRoot "/path/to/static"
<Directory "/path/to/static">
Options +Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Authentifiez vous"
PerlAuthenHandler Apache2::AuthenNIS
PerlAuthzHandler Apache2::AuthzNIS
PerlSetVar AllowAlternateAuth no
require valid-user
</Directory>
RewriteEngine on
RewriteRule . - [E=RU:%{LA-U:REMOTE_USER}]
RequestHeader set REMOTE_USER %{RU}e
RewriteRule ^/apps$ /apps/ [R]
RewriteRule ^/static/style/(.*) /path/to/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /path/to/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /path/to/static/$1 [L]
RewriteRule ^/favicon.ico /path/to/static/favicon.ico [L]
RewriteRule ^/robots.txt /path/to/static/robots.txt [L]
RewriteRule ^(.*) http://localhost:2209$1 [P]
</VirtualHost>
If I set RequestHeader set REMOTE_USER "username" the application opens on the corresponding user session.
To see the value of REMOTE_USER I use the Firebug Firefox module to display the values of the http header + my application has a script that displays the value of variables passed to it.
I tested an almost identical Apache configuration on an index.php page that displays the values of server variables in a http request. The difference lies in the RewriteRules.
<?PHP
foreach($_SERVER as $key_name => $key_value) {
print $key_name . " = " . $key_value . "<br>";
}
?>
In this case, I get a REMOTE_USER et HTTP_REMOTE_USER with a username value.
I don't understand where my problem lies.
Apache 2.2.31
RedHat 6.5
Thanks in advance !
do NOT use the following, because you will get into trouble with execution phases if the REMOTE_USER is set with a module like mod_authn_ntlm (ntlm with local computer, see https://support.microsoft.com/en-us/kb/896861).
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User %{RU}e
instead use the following methods:
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
there is also a solution with mod_ssl
RequestHeader set X-Remote-User %{REMOTE_USER}s
In Apache 2.2 server we gave below configuration. We have C# ASP.NET Core 2.1 application and in our HTTP Request header we get user name like below
<LocationMatch ^/mylocation>
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
NTLMBasicRealm xxx_yy
AuthType NTLM
require valid-user
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User %{RU}e
</LocationMatch>
In our C# ASP.NET Core 2.1 application application we get below in HTTP Request Header
Key: X-Remote-User, Value=xxx_yy\abcdefg

Apache ACL based on environment variable value

I have a vendor Apache module (PingFederate) that sets environment variables based on a token it receives. I would like to control access to directories based on the value of an environment variable.
For example the module sets variables like this:
[PF_AUTH_SUBJECT] => aaron
[PF_AUTH_GROUPS] => CN=Application.E18.Users,OU=Internal,DC=local,CN=Application.E17.Users,OU=Internal,DC=local
I want to secure a directory so that only users in group CN=Application.E18... can access it. My location direction conf looks like this:
<Location /example_app>
SetEnvIf %{PF_AUTH_GROUPS} ^.*CN=Application.E18.Users.*$ ALLOWED
AuthName "ACL PingFederate restricted"
AuthType PFApacheAgent
Order Deny,Allow
Deny from all
Allow from all
</Location>
This doesn't seem to work. I've tried:
SetEnvIf %{PF_AUTH_GROUPS} ^.*CN=Application.E18.Users.*$ ALLOWED
SetEnvIf %{PF_AUTH_GROUPS} ^.*Application.*$ ALLOWED
SetEnvIf %{PF_AUTH_GROUPS} ^.*A.*$ ALLOWED
The only thing that works is:
SetEnvIf %{PF_AUTH_GROUPS} ^.*$ ALLOWED
That obviously won't work.
https://issues.apache.org/bugzilla/show_bug.cgi?id=25725 somewhat intimates that SetEnvIf won't test environment variables but the docs at http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html mentions "an environment variable in the list of those associated with the request", which this should be.
I've also tried mod_rewrite using this:
RewriteEngine On
<Location /example_app>
RewriteCond %{PF_AUTH_GROUPS} ^.*Application.E18.Users.*$
RewriteRule - [E=ALLOWED:1]
AuthName "ACL PingFederate restricted"
AuthType PFApacheAgent
Order Deny,Allow
Deny from all
Allow from all
</Location>
In all of these instances the ALLOWED environment variable is not set.
You'll need to make mod_rewrite execute 2 times to be able to leverage the headers produced by mod_pf, since the latter executes after the former:
RewriteEngine On
RewriteCond %{ENV:REDIRECT_PASS} !1
RewriteRule .* $1 [L,E=PASS:1]
RewriteCond %{HTTP:PF_AUTH_GROUPS} !^.*ECN.*$
RewriteRule .* $1 [L,R=401]
This is also documented here: https://ping.force.com/Support/PingIdentityArticle?id=kA340000000Gs7bCAC

Set up apache proxy with openAM cert auth - set header if GET parameter is present

Cert-based authentication in OpenAM need to set http header X-Client-Cert. I want use apache as reverse proxy and to set this header, when url is /openam/UI/Login?module=PKI.
/openam/UI/Login is for username and password authentication.
I have this configuration:
...
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
RequestHeader set X-Client-Cert ""
<Location "/openam/UI/Login/PKI">
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
SSLVerifyDepth 10
SSLVerifyClient require
</Location>
RewriteRule /openam/UI/Login/PKI balancer://mycluster/openam/UI/Login?module=PKI [P]
...
and it can do the trick, but the cost is rewrite of
/openam/UI/Login?module=PKI
to
/openam/UI/Login/PKI
and I don't like it.
Can you advice me how to do it without this rewrite?
Thanks.
With apache2.4 I can do it with:
<If "%{QUERY_STRING} =~ /module=PKI/">
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
SSLVerifyDepth 10
SSLVerifyClient require
<Else>
RequestHeader set X-Client-Cert ""
</If>
I think this is possible using a combination of SetEnvIf and RequestHeader.
Use SetEnvIf to set a variable indicating that the URI is for the right path:
SetEnvIf Request_URI "/openam/UI/Login?module=PKI" x_client_cert=1
And use the optional env=[!]variable parameter to RequestHeader:
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" x_client_cert=1
I've probably got the syntax slightly wrong -- in particular possibly the escaping and format of the second (URI) parameter to SetEnvIf, but this approach should work.
Documentation links:
http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader