I am creating a cluster of tile servers for a client application, due to bandwidth costs we would like to add some sort of authentication to the mod_tiles module in apache. I would prefer a app token using either oauth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
First thing I've done is disabled mod_tile over insecure connection. This is necessary because basic authentication has no encryption and asking users' login/password over insecure connection is a generally bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin#example.com
# Standard dir connfiguration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
Additionally to that, I would also recommend to use fail2ban to monitor basic authentication attempts, because apache itself has no brute-force attack protection. Hope this helps!
Related
So i have an apache forward proxy setup like this:
<VirtualHost *:8080>
AddRadiusAuth **radius server ip**:1812 **secret** 5:3
ProxyRequests On
ProxyVia On
AllowConnect 443 5601
<Proxy "*">
Order Deny,Allow
Allow from all
AuthType Basic
AuthName "Please Enter Your JumpCloud Credentials"
AuthBasicAuthoritative Off
AuthRadiusAuthoritative on
AuthBasicProvider radius
AuthRadiusActive On
Require valid-user
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
now whenever a user tries to connect to the radius server he is allowed to login without any issues, BUT, the user gets this message when trying to login:
this image shows what the user sees when he tries to login using his radius credentials
Now that is not exactly safe because since the proxy connection is not private if anyone is eavesdropping on the connection the attacker can see the user and pass and eventually hack our systems.
How can i make the connection private and secured. I tried enabling SSL module and using a certificate file using these
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/vpn.crt
SSLCertificateKeyFile /etc/apache2/ssl/vpn.key
outside of the proxy tags but that didnt work, if i put them inside the proxy tags i get an error saying that they're not allowed to be there, so what am i missing here?
Any help or guidance is greatly appreciated.
Regards!
I want to protect one of my virtual hosts with shibboleth and others with cleartrust, but as soon as I enable cleartrust I can access the shibboleth protected virtual hosts without being authorized.
This is my shibboleth virtual host:
localhost.virtual-host.conf
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLProtocol all
SSLCertificateFile conf/localhost.crt
SSLCertificateKeyFile conf/localhost.key
SSLCertificateChainFile "conf/localhost.crt"
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
ProxyPreserveHost On
ProxyPass "/Shibboleth.sso" !
<Location />
AuthType shibboleth
Require shibboleth
ShibRequestSetting applicationId localhost-saml
</Location>
<Location /group>
ShibUseHeaders On
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId localhost-saml
Require valid-user
</Location>
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
</VirtualHost>
My cleartrust httpd.conf
ct-httpd.conf
#
# This is a RSA Access Manager Agent 5.0 configuration file
#
# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so
<IfModule ct_apache_mod.c>
# Where the agent configuration is located:
CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15
# Where the ClearTrust forms are located. This directory must
# always be configured for authentication, so the ClearTrust module
# can intercept and handle the requests.
#
Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
<Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
AuthType Basic
Require valid-user
AuthName CT
Order allow,deny
Allow from all
</Directory>
# Any part of a web site to be protected by ClearTrust must be
# configured for authentication. See the Apache documentation
# for details.
#
# This example will make ClearTrust protect the entire web site,
# unless there are previous Location overriding directives.
#
<Location />
AuthType Basic
Require valid-user
AuthName CT
</Location>
</IfModule>
My cleartrust webagent.conf, by default I disable cleartrust, because I want shibboleth to be used by default instead.
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
</VirtualHost>
The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, then I can access /group in localhost without authorizing via shibboleth, which I do not want.
Have anyone else had a similar issue and knows how to fix this? Thanks in advance! :)
After reading through the Access Manager documentation I found that if cleartrust agent is disabled, it also ignores all other potential authentication modules loaded into Apache by default. In order for Access Manager to pass the authentication to other modules, you must specify a list of authentication realms for which the Access Manager Agent allows requests to be evaluated by other modules.
I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*
Final result:
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
cleartrust.agent.apache.pass_realms=*
</VirtualHost>
Behaviour:
1) I access the site, enter the userID/password that's required for the site
2) The site starts to load, but when the request is made to the WMS layers being served from the GeoServer ->
3) I get a second login-prompt that only accepts users(in this case the admin user) for the GeoServer.
Obviously,
Point 3 shouldn't be happening because i can access the WMS-requests "standalone" without logging in, so I think that the Geoserver is correctly configured.
The apache-config is as follows:
<VirtualHost *:80>
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
</VirtualHost>
Any ideas why the site asks for the second login-prompt, regarding the geoserver?
This may be similar to an issue my team has had. If you add the same username and password combination as your apache user to your geoserver setup then it should stop prompting for the login.
Geoserver users.xml can be found in /data/security/usergroup/default/users.xml
Or i think you can do it through the geoserver backend.
I created a debian repository using dpkg-scanpackeges for binary packages and connected it with a site which is using apache2 directory listing. It worked fine. After that, I set a digest authentication for the site. I added the following line to the /etc/apt/sources.list file.
deb http://username:password#subdomain.domain.com ./
I can reach the site with browser using this notation, however, when I try to run sudo apt-get update I am getting "401 Unauthorized" error. Is there any way to make apt-get update command be able to authenticate?
This is the configuration file for apache.
<VirtualHost *:80>
ServerName subdomain.domain.com
DocumentRoot /var/www/archive
<Directory /var/www/archive >
Options Indexes FollowSymLinks Multiviews
Order allow,deny
Allow from all
AuthType Digest
AuthName "Restricted Access"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/passwd/archive
Require valid-user
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I've been researching this topic for a while.
It still not being possible to enable digest authentication for debian apt repositories, despite David Purdy reported this as a bug.
This is important for me, because we have a private repository and want to avoid the sending of the credentials as plain text.
What do you think about writing together a paper about this topic?
We have an Apache web server that receive user requests. It only allows https connections JkHTTPSIndicator HTTPS. But now we have a new requirement, which will allow a particular url pattern like /myurl on http via Apache. That is, we want Apache to only accept http if a particular url pattern is thrown at it.
You can use a Location block to restrict/allow access
http://httpd.apache.org/docs/2.2/sections.html
I'm not quite sure if this is what you want, but you could block the root location:
<Location />
Deny from all
</Location>
And then add a location to allow
<Location /myurl>
Allow from all
</Location>
The above suggestion did not work for me with Apache 2.2.15. I had to do something different although still along the lines suggested above:
<VirtualHost *:80>
...
<Location / >
Require all denied
</Location>
<Location /my-dir>
Require all granted
</Location>
</VirtualHost>