I need to connect an Apache web server on port 8079 with a Tomcat instance on port 8080 through the mod_auth_openidc module (for a specific login). The purpose is to carry the user identification through OpenID Connect to the web app hosted on Tomcat with no need for a further login request.
I configured OIDC according to the OIDC server's requirements (e.g. Google) and registered the client; I also enabled mod_jk. I'm not able to reach the last mile. I also considered using the PROXY/REVERSEPROXY directives within the VirtualHost section of Apache's httpd.conf file. So far this is not redirecting correctly as supposed.
Can someone provide help?
You can use the following configuration to proxy a path protected by mod_auth_openidc to a backend server like Tomcat:
<Location "/">
    # mod_auth_openidc handles the login: an unauthenticated request is sent to
    # the provider and comes back with a session before anything is proxied
    AuthType openid-connect
    Require valid-user
    # both directives must name the same backend URL, otherwise redirects issued
    # by Tomcat are not rewritten back to the proxy's own address
    ProxyPass http://tomcat:8080/
    ProxyPassReverse http://tomcat:8080/
</Location>
The solution you provided on your own isn't enough when the backend needs to have access to user information for authorization or data isolation.
I found a more complete way to achieve it.
<Location "/tomcat">
    AuthType openid-connect
    Require valid-user
    # OIDC_access_token is the environment variable mod_auth_openidc populates
    # after login; hand the token to the backend as a bearer token so it can
    # identify the user itself
    RequestHeader set Authorization "Bearer %{OIDC_access_token}e"
    ProxyPass "http://tomcat:8080"
    ProxyPassReverse "http://tomcat:8080"
</Location>
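What the backend should do with the header the answer above forwards, as an added Python example (not code from the answer, from mod_auth_openidc or from Tomcat). Once Apache sets `Authorization: Bearer %{OIDC_access_token}e`, the service behind it receives an access token and must verify that token itself rather than trust the header, because any client that can reach port 8080 directly can put whatever it likes in `Authorization`. The example assumes the access token is a JWT signed with HS256 under a secret shared with the issuer, plus an assumed issuer URL and client_id; real providers mostly sign with RS256 and publish their keys in a JWKS, in which case the signature step uses the provider's public key instead and the rest of the checks stay the same.

```python
"""Verify the bearer token that mod_auth_openidc forwards to the backend."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Assumed values for this example: the key shared with the token issuer, the
# issuer URL and the client_id registered at the provider (the token audience).
SHARED_SECRET = b"example-secret-not-for-production"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "my-client-id"


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded URL-safe Base64 for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: Dict[str, Any], secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the OpenID provider so the example runs offline: issue an
    HS256-signed JWT over the given claims."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header}.{body}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_bearer(authorization: Optional[str], now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the token's claims if the Authorization header carries a token
    this backend accepts, otherwise None (the caller answers 401). The backend
    has to do this itself: nothing stops a client that reaches port 8080
    directly from sending any Authorization header it likes."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never choose it ("none", or HS256 with
    # the provider's public key used as the HMAC secret, are the classic confusions).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SHARED_SECRET, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # Only after the signature holds are the claims worth reading.
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return None
    exp = claims.get("exp")
    now = int(time.time()) if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if not claims.get("sub"):
        return None  # no subject means nothing to authorise on
    return claims
```

`verify_bearer` returns `None` on every failure path rather than raising, so the backend can answer 401 uniformly without leaking which check failed. The `sub` claim is what the answer's "data isolation" would key on; `exp` is checked only after the signature, since an attacker-controlled `exp` in an unsigned token is worthless either way.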
I am trying to add single sign-on for Grafana using LDAP. I have come across the Grafana documentation for LDAP but I did not understand it.
Can I get the single sign-on feature using LDAP?
If yes, can somebody give me a step-by-step procedure to follow to set up single sign-on using LDAP and Grafana?
Grafana Version : 5.2.1
OS: WINDOWS
Update 1
I have been able to configure LDAP with Grafana. Now I'm trying to integrate LDAP with WAMP for SSO. In the Apache error log file I'm getting this error:
auth_ldap authenticate: user username authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax].
My Apache config file:
<VirtualHost *:80>
    ServerName localhost
    RewriteEngine on
    ErrorLog "logs/authproxy-error_log"
    CustomLog "logs/authproxy-access_log" common
    <Location "/grafana/">
        LDAPReferrals off
        AuthType Basic
        AuthName GrafanaAuthProxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
        AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
        AuthLDAPBindPassword "password"
        AuthLDAPGroupAttributeIsDN off
        # placeholder from the post, not a real filter
        Require ldap-filter ldapsettingshere
        AuthLDAPMaxSubGroupDepth 1
        RequestHeader unset Authorization
        Require valid-user
    </Location>
    <Proxy *>
        RewriteEngine On
        # look ahead to the authenticated user and stash it in PROXY_USER
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
        # Grafana's auth proxy reads the login name from this header
        RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
    </Proxy>
    RequestHeader unset Authorization
    ProxyRequests Off
    ProxyPass /grafana/ http://localhost:3000/
    ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
Update 2
Able to resolve the issue by changing the bind URL and bind DN.
I have been able to do SSO by following these steps.
Configuring LDAP with Grafana by following the steps in the Grafana documentation.
Disabling the Grafana login page by using Apache's auth together with Grafana's AuthProxy documentation.
Integrating LDAP with Apache for reverse proxy authentication by modifying the httpd.conf file as mentioned above.
Disabled the reverse proxy authentication pop-up by passing the username and password into the URL in the script.
With these steps I have been able to get SSO functionality.
I have two applications: one runs on an Apache server, and the other one is running on Windows/IIS.
By using a VPN I can connect to my first one, which is running on Apache, but I am unable to access my other application, which is hosted on the Windows/IIS server.
So I want to use a reverse proxy for accessing the application which is running on the Windows/IIS server.
Apache server IP: http://10.101.9.111
Windows IIS server IP: http://10.101.9.112
So what I really want is that when I enter http://10.101.9.111/hrms the URL automatically loads the application which is actually available and running on http://10.101.9.112/hrms.
I have made changes in the Apache httpd.conf file:
ProxyRequests Off
ProxyPreserveHost On
<Proxy /hrms>
    Order deny,allow
    Allow from all
</Proxy>
<Location /hrms>
    Order deny,allow
    Allow from all
    ProxyPass http://10.100.6.119/hrms/
    ProxyPassReverse http://10.100.6.119/hrms/
    RequestHeader unset Authorization
    AuthType Basic
    AuthName "businessHr"
    AuthBasicProvider file
    AuthUserFile c:\tmp\users
    Require valid-user
</Location>
Here's the outcome I am trying to achieve:
1. The client browser (Chrome in my case) hits the Apache HTTPd server (server1) on 50070. The client browser has no access to the Kerberos KDC and carries no Kerberos/GSS auth data.
2. Apache HTTPd has access to the KDC and is configured to require Kerberos authentication, but with a password fallback (i.e. KrbMethodK5Passwd is On, so it accepts "Authorization: Basic" in HTTP headers).
3. The client browser prompts the user for login and password thanks to the fallback option (as there's no Kerberos ticket offered by the client). Apache HTTPd validates the supplied login and password against Kerberos, obtains the correct user principal Kerberos ticket and keeps it in memory (it also saves it to /tmp, thanks to the KrbSaveCredentials option).
4. Apache HTTPd reverse-proxies to a backend server (server2), which also listens on port 50070. The backend server is running Jetty, which accepts Kerberos only, without any password/Basic authentication fallback: if there's no Kerberos ticket, there's no entry. Apache HTTPd sends the user principal Kerberos ticket obtained from the KDC using login+password to server2.
In my current configuration, points 1, 2 & 3 work successfully, i.e. the client to server1 authentication works correctly and I can see Apache saving the user principal ticket on server1 for a brief moment.
However, I'm having difficulty forcing Apache HTTPd to use the obtained user Kerberos ticket to authenticate with server2. Basically no authentication detail is sent at all to server2.
Here's my configuration:
<VirtualHost 1.2.3.4:50070>
    ServerAlias server1.example.com:50070
    ServerAlias server1:50070
    ProxyPreserveHost Off
    ProxyRequests Off
    ProxyPass / http://server2.example.com:50070/ retry=0
    ProxyPassReverse / http://server2.example.com:50070/ retry=0
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel debug
    <Location />
        Options None
        AuthType Kerberos
        AuthName "NameNode"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbSaveCredentials on
        KrbLocalUserMapping on
        Require valid-user
    </Location>
</VirtualHost>
I have also tried using SetEnv proxy-chain-auth offered by mod_proxy_http, which I suppose works as designed: it does indeed send the exact content of the "Authorization: Basic ..." header that the client came to server1 with onward to server2, but server2 does not support anything but Kerberos (i.e. "Authorization: Negotiate"), and complains about an unknown auth method in its logs.
Is there a way to force Apache HTTPd to use the Kerberos ticket obtained from the KDC, using the login and password provided by the client browser, to then authenticate using the Negotiate method (with ticket) with the target server2 I'm reverse proxying to?
I'm deploying SSO in an Apache web server against an Active Directory via Kerberos (mod_auth_kerb).
The module is installed and configured correctly; when I access the Apache websites with a user logged in to the AD network, Apache correctly receives the user's credentials via the REMOTE_USER variable. The thing is that I want external users (non-AD-network ones) to be able to access the Apache websites via a regular login, but they get a
401 Authorization required
when accessing the websites.
I guess this can be achieved via Kerberos configuration but I haven't reached the solution. Does anyone know if this is possible with a Kerberos Location directive, or should I configure some workaround for this, such as limiting Location access by IP ranges in the virtual host configuration Location directive?
My virtual host configuration is:
<VirtualHost *:80>
    # General
    ServerAdmin packettrc@my.es
    DocumentRoot /home/moodle/moodle
    ServerName my.es
    LogLevel debug
    ErrorLog logs/my.es-error.log
    CustomLog logs/my.es.log combined
    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login MY"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbServiceName HTTP/my.es@MY.ES
        KrbAuthRealms MY.ES
        Krb5KeyTab /etc/krb5.keytab
        require valid-user
    </Location>
</VirtualHost>
Try replacing
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case, here is a link to Apache's manual.
Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying the URL, simplifying NAT, etc.).
However, what I would like to do is be able to use Apache to handle the authentication so that:
I don't have to give out the single password to everyone
I can have multiple usernames and passwords using Apache's BasicAuth
For internal users, I don't have to prompt for a password
EDIT: The second part about richer authentication has been moved to a new question.
Here's more or less what I have now:
<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyPass / http://192.168.1.253:8080/endpoint
    ProxyPassReverse / http://192.168.1.253:8080/endpoint
    # The endpoint has a mandatory password that I want to avoid requiring users to type
    # I.e. something like this would be nice (but does not work)
    # ProxyPass / http://username:password@192.168.1.253:8080/endpoint
    # ProxyPassReverse / http://username:password@192.168.1.253:8080/endpoint
    # Also need to be able to require a password to access the proxy for people outside the local subnet
    # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint
    # Ideas?
</VirtualHost>
Add or overwrite the Authorization header before passing any request on to the endpoint. The Authorization header can be hard-coded; it's just the Base64 encoding of the string "username:password" (without the quotes).
Enable the mod_headers module if not already done.
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
To do this conditionally, enable mod_setenvif, e.g. to still ask for the master password in the case of local requests:
SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
http://en.wikipedia.org/wiki/Basic_access_authentication
http://httpd.apache.org/docs/2.0/mod/mod_headers.html
http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
EXAMPLE
# ALL remote users ALWAYS authenticate against the reverse proxy's
# /www/conf/passwords database
#
<Directory /var/web/pages/secure>
    # the provider is "file"; the password database itself is named by AuthUserFile
    AuthBasicProvider file
    AuthUserFile /www/conf/passwords
    AuthType Basic
    AuthName "Protected Area"
    Require valid-user
</Directory>
# the reverse proxy authenticates against the master server as:
# Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
Well, I used your example to point to two IP cameras using Apache ProxyPass. When I used the syntax user:password@camarafeliz3.compufiber.com and accessed it through an iPhone I got a security message from Safari (the iPhone browser), so I changed the example to work well with an iPhone 4S:
<Location /camarafeliz1/ >
    # user admin, password 123456 ("admin:123456" in Base64, no padding needed)
    ProxyPass http://192.168.0.39/
    ProxyPassReverse http://192.168.0.39/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>
<Location /camarafeliz3/ >
    # user admin, password 123456
    ProxyPass http://192.168.0.99/
    ProxyPassReverse http://192.168.0.99/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>
and the iPhone 4S stopped complaining about security because of the user and password in the link.
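The header policy that two of the threads on this page rely on, modelled as an added Python example that is not code from any of the posts: the Grafana auth-proxy configuration (where `RequestHeader unset Authorization` and `RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"` hand the proxy's own authentication result to Grafana) and the hard-coded Basic answer just above (where `RequestHeader set Authorization "Basic ..." env=!localrequest` injects the backend's single password for non-local clients). The user database, the upstream credentials (the RFC's "Aladdin:open sesame" pair used in the answer) and the local network 192.168.1.0/24 are assumptions for the example; it exists so the trust boundary can be checked without a running httpd.

```python
"""Header handling of an authenticating reverse proxy, modelled in Python.

Added example, not code from the posts above. It reproduces the effect of:
  RequestHeader unset Authorization                     (drop what the client sent)
  RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"     (Grafana auth proxy)
  RequestHeader set Authorization "Basic ..." env=!localrequest  (hard-coded upstream login)
"""
import base64
import hmac
import ipaddress
from typing import Dict, Optional

# Constructed user database (username -> password). A real proxy keeps htpasswd
# hashes; plain text is used here only to keep the example self-contained.
PROXY_USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}

# Assumed credentials the backend insists on (the "single hard-coded password").
UPSTREAM_USER = "Aladdin"
UPSTREAM_PASSWORD = "open sesame"

# Assumed local subnet: these clients match the SetEnvIf "localrequest" case and
# are not given the upstream login, so they must type the master password.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def basic_header(user: str, password: str) -> str:
    """Build an RFC 7617 value: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate_basic(header: Optional[str]) -> Optional[str]:
    """Return the username if the client's Authorization header holds valid
    Basic credentials for one of PROXY_USERS, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    expected = PROXY_USERS.get(user)
    # constant-time compare so response timing cannot confirm which usernames exist
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def proxy_headers(client_headers: Dict[str, str], remote_addr: str) -> Optional[Dict[str, str]]:
    """Compute the headers forwarded to the backend for one request.

    Returns None when the proxy must answer 401 itself. Otherwise the trusted
    headers in the result come only from the proxy, never from the client.
    """
    # Header names are case-insensitive; normalise before looking them up.
    incoming = {name.lower(): value for name, value in client_headers.items()}
    user = authenticate_basic(incoming.get("authorization"))
    if user is None:
        return None  # the proxy sends its own 401 + WWW-Authenticate

    # 'RequestHeader unset ...': start from the client headers minus every header
    # the backend is going to trust, whatever the client put there.
    out = {name: value for name, value in incoming.items()
           if name not in ("authorization", "x-webauth-user")}

    # 'RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"': the identity the
    # backend sees is the proxy's own authentication result.
    out["x-webauth-user"] = user

    # 'RequestHeader set Authorization "Basic ..." env=!localrequest'
    if ipaddress.ip_address(remote_addr) not in LOCAL_NET:
        out["authorization"] = basic_header(UPSTREAM_USER, UPSTREAM_PASSWORD)
    return out
```

The point the model makes explicit is that `RequestHeader set` must replace, not merely add, the headers the backend trusts: a client that sends its own `X-WEBAUTH-USER: admin` would otherwise reach Grafana as admin, since the backend cannot tell proxy-set from client-set headers. The other half of that boundary lives on the backend: Grafana's `[auth.proxy]` section has a `whitelist` option restricting which source addresses may present the header, and the Basic-injected backend should likewise only be reachable from the proxy, or the hard-coded password protects nothing.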