nginx: not ask password for localnet + satisfy any cause 403 - authentication

I am trying to solve a problem similar to the one described here:
Nginx authentication except those on local network
I protect my whole site with LDAP auth, but I want one "location" to be
available without auth for the local network, so I have a config like this:
server {
    auth_ldap "LDAP Authentication";
    auth_ldap_servers auth1;
    location /for_localnet/ {
        satisfy any;
        allow 192.168.0.0/16;
        deny all;
        # I tried with and without the lines below
        auth_ldap "LDAP Authentication";
        auth_ldap_servers auth1;
    }
}
It works as expected for the local network (192.168.x.x), but for access from
the internet it shows a 403 error if I open http://site/for_localnet/.
So I have to open "http://site" first, which asks for a password, and after that I can open
http://site/for_localnet/. My question is how to force nginx to ask for a password
when I open "http://site/for_localnet/" from the internet.

The problem was a bug in nginx 1.4.6 (the default for Ubuntu 14.04.2 LTS).
It is described here: http://trac.nginx.org/nginx/ticket/285
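To make the expected behaviour of the location above concrete, here is an added example (not code from the question, the answer, or nginx itself) that models how the access phase should combine allow/deny rules with an auth module under "satisfy any" versus "satisfy all". The LDAP check is stubbed with a constructed user table, and 203.0.113.0/24 is a documentation range standing in for "the internet".

```python
# Added example, not code from the question or from nginx: a model of how the
# access phase is expected to combine allow/deny with an auth module under
# "satisfy any" versus "satisfy all" for the /for_localnet/ location above.
# The LDAP check is stubbed with a constructed user table; 203.0.113.0/24 is a
# documentation range standing in for "the internet".
import ipaddress

# allow/deny rules in configuration order; the first matching rule decides.
ACCESS_RULES = [("allow", "192.168.0.0/16"), ("deny", "0.0.0.0/0")]
LDAP_USERS = {"alice": "correct-horse"}          # constructed, not real creds


def access_module(client_ip):
    """True when the allow/deny rules admit the client (no match means allowed)."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in ACCESS_RULES:
        if ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return True


def auth_module(credentials):
    """200 when the (user, password) pair is valid, else 401 so the client is challenged."""
    if credentials is None:
        return 401
    user, password = credentials
    return 200 if LDAP_USERS.get(user) == password else 401


def decide(client_ip, credentials, satisfy="any"):
    """HTTP status the location should produce.

    satisfy all: both modules must pass, so a client outside 192.168.0.0/16 gets
    403 from the access module before any password is asked for.
    satisfy any: one passing module is enough; a denied IP falls through to the
    auth module, whose 401 challenge (not 403) is what the question expects.
    """
    ip_ok = access_module(client_ip)
    if satisfy == "all":
        return 403 if not ip_ok else auth_module(credentials)
    return 200 if ip_ok else auth_module(credentials)
```

The 403 the question reports from the internet is what the "satisfy all" branch produces; a working "satisfy any" should instead answer 401 and trigger the browser's password prompt.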

Related

Zabbix HTTP authentication with Keycloak-proxy

I'm trying to integrate the Zabbix UI with Keycloak SSO, using keycloak-proxy.
My setup is the following:
Nginx is the entry point: it handles the "virtual host", forwarding the requests to keycloak-proxy.
Keycloak-proxy is configured with client_id, client_secret, etc. to authenticate the users with Keycloak;
Zabbix dashboard on Apache, default setup: I enabled HTTP authentication.
I've created a test user both in Keycloak and Zabbix.
The authentication flow is OK: I'm redirected to Keycloak and I authenticate, but I always get "Login name or password is incorrect." from the Zabbix UI.
What am I doing wrong?
Has anyone tried to use OIDC authentication with Zabbix?
I'm using Zabbix 4.0, Keycloak 4.4, Keycloak-proxy 2.3.0.
keycloak-proxy configuration:
client-id: zabbix-client
client-secret: <secret>
discovery-url: http://keycloak.my.domain:8080/auth/realms/myrealm
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true
encryption_key: <secret>
listen: 127.0.0.1:10080
redirection-url: http://testbed-zabbix.my.domain
upstream-url: http://a.b.c.d:80/zabbix
secure-cookie: false
enable-authorization-header: true
resources:
  - uri: /*
    roles:
      - zabbix
Zabbix expects PHP_AUTH_USER (or REMOTE_USER or AUTH_USER) header with the username, but keycloak-proxy doesn't provide it. Let's use email as a username (you can use any claim from the access token in theory). Add email to the request header in the keycloak-proxy config:
add-claims:
  - email
And create PHP_AUTH_USER variable from email header in the Zabbix Apache config:
SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1
Note: the conf syntax may be incorrect because it is off the top of my head; it may need some tweaks.
BTW: there is a (hackish) user patch available - https://support.zabbix.com/browse/ZBXNEXT-4640, but keycloak-gatekeeper is a better solution
For the record: keycloak-proxy = keycloak-gatekeeper (the project was renamed and migrated to keycloak org recently)

Opencart Filters requesting http and hanging site up

I have an issue with my OpenCart install. I am currently using 2.0.3.1 on a dedicated server running Plesk.
I installed a Let's Encrypt SSL certificate. The website is running great and I have no issues with OpenCart requesting unsecure pages except when I click on a filter in the category page. It just hangs.
This is the error I get via Chrome developer tools. I apologize for having to blur out the domain. It's for a customer and I can't release it.
Here is my catalog config.php:
// HTTP
define('HTTP_SERVER', 'http://www.xxxxx.com/');
// HTTPS
define('HTTPS_SERVER', 'https://www.xxxxx.com/');
// DIR
define('DIR_APPLICATION', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/catalog/');
define('DIR_SYSTEM', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/');
define('DIR_LANGUAGE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/catalog/language/');
define('DIR_TEMPLATE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/catalog/view/theme/');
define('DIR_CONFIG', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/config/');
define('DIR_IMAGE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/image/');
define('DIR_CACHE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/cache/');
define('DIR_DOWNLOAD', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/download/');
define('DIR_UPLOAD', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/upload/');
define('DIR_MODIFICATION', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/modification/');
define('DIR_LOGS', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/logs/');
// DB
define('DB_DRIVER', 'mysql');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'xxx');
define('DB_PASSWORD', 'xxx');
define('DB_DATABASE', 'xxx');
define('DB_PORT', '3306');
define('DB_PREFIX', 'oc_');
Here is the admin config.php:
// HTTP
define('HTTP_SERVER', 'http://www.xxxxx.com/admin/');
define('HTTP_CATALOG', 'http://www.xxxxx.com/');
// HTTPS
define('HTTPS_SERVER', 'https://www.xxxxx.com/admin/');
define('HTTPS_CATALOG', 'https://www.xxxxx.com/');
// DIR
define('DIR_APPLICATION', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/admin/');
define('DIR_SYSTEM', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/');
define('DIR_LANGUAGE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/admin/language/');
define('DIR_TEMPLATE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/admin/view/template/');
define('DIR_CONFIG', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/config/');
define('DIR_IMAGE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/image/');
define('DIR_CACHE', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/cache/');
define('DIR_DOWNLOAD', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/download/');
define('DIR_UPLOAD', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/upload/');
define('DIR_LOGS', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/logs/');
define('DIR_MODIFICATION', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/system/modification/');
define('DIR_CATALOG', '/var/www/vhosts/xxxxx.com/httpdocs/xxxxx/catalog/');
// DB
define('DB_DRIVER', 'mysql');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'xxx');
define('DB_PASSWORD', 'xxx');
define('DB_DATABASE', 'xxx');
define('DB_PORT', '3306');
define('DB_PREFIX', 'oc_');
I do not have an htaccess file set up; with the Plesk install I haven't needed it.
Change your HTTP_SERVER for admin
define('HTTP_SERVER', 'https://www.xxxxx.com/admin/');
There's no reason to serve anything from admin with http.
It should be fixed in this commit: Category links (canonical, prev, next) points to https if it is enabled

Using Ansible on windows with domain user

I'm starting to learn Ansible, but the documentation is not too helpful.
I have installed the control machine on RHEL and created the necessary hosts file and windows.yml.
But when I try to connect to the remote Windows server to get a pong back, I get the following error:
[root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
After installing the python-kerberos dependencies,
I now get this error:
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}
My windows.yml file contains:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Am I doing anything wrong with the syntax of Domain\user? Maybe I forgot to install something on the Windows machine? I only ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.
This is my krb5.conf file:
[libdefaults]
    default_realm = MYDOMAIN.NET
    #dns_lookup_realm = true
    #dns_lookup_kdc = true
[realms]
    MYDOMAIN.NET = {
        kdc = dc1.mydomain.net
        default_domain = hpeswlab.net
    }
[domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET
And I do get a token using kinit:
kinit -C user@MYDOMAIN.NET
klist
klist output:
Valid starting       Expires              Service principal
01/31/2017 11:25:33  01/31/2017 21:25:33  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 02/01/2017 11:25:29
In windows.yml, please double-check and ensure that the ansible_ssh_user: user@MYDOMAIN.NET line does indeed have the realm MYDOMAIN.NET in upper case. Somewhere, the realm request to the KDC is being sent in lower case instead of upper case, causing the 'KDC reply did not match expectations..' error.
In krb5.conf, case sensitivity is also important. First I'll note that since the KDC name is the name of an IP host, it needs to be specified as a fully-qualified host name, as in the example shown below. It assumes your KDC is named "dc1.mydomain.net". Next, the domain name should only be in lower case. On the other hand, Kerberos realm names need to be in upper case; if the realm name is incorrectly specified in lower case in this file, that is another reason you may get this error message. Please modify your entire krb5.conf to look like that shown below (changing only "dc1" to the actual name) and it should work. Side note: you do not necessarily need the two dns_lookup_ lines in your krb5.conf, so please comment them out as below. Those are fallback mechanisms only, as per the MIT Kerberos documentation, and may actually cause issues in your simple use case. After modifying either configuration file, make sure to restart the Ansible engine before testing again.
[libdefaults]
    default_realm = MYDOMAIN.NET
    #dns_lookup_realm = true
    #dns_lookup_kdc = true
[realms]
    MYDOMAIN.NET = {
        kdc = dc1.mydomain.net
        default_domain = mydomain.net
    }
[domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET
Please refer to this MIT reference for how to properly set up the krb5.conf: Sample krb5.conf File
In the Hosts file, check to ensure your IP to name mappings are correct. Per the RFCs, Kerberos requires a properly functioning DNS, and you are at risk of shortchanging that if your Hosts file has outdated entries in it.
Finally, though I wasn't able to tell which version of Ansible you were using, I did some research and found that "Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This could certainly be part of the problem. See: Ansible on Windows Documentation
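As an added example (not part of the answer above), the following checker flags the mistakes the answer describes: a principal or krb5.conf realm that is not upper case, a kdc that is not a fully-qualified host name, and a default_domain that is not the realm's own domain. The embedded krb5.conf text is a constructed copy of the question's file; every name in it comes from the question.

```python
# Added example, not part of the original answer: checks for the mistakes the
# answer describes (realm not upper case, kdc not fully qualified, default_domain
# not the realm's own domain). SAMPLE_KRB5_CONF is a constructed copy of the
# question's file; all names in it come from the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}
"""


def parse_krb5_conf(text):
    # Returns {section: {key: value}}; 'REALM = { ... }' blocks become nested dicts.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].strip(" =")              # realm name before '= {'
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf


def check_principal(principal):
    # [] when a user@REALM principal (ansible_user, kinit) has an upper-case realm.
    _user, sep, realm = principal.rpartition("@")
    return [] if sep and realm == realm.upper() else [f"realm in {principal!r} must be upper case"]


def check_krb5_conf(text):
    # Findings against the answer's advice; [] means the file passes.
    conf, findings = parse_krb5_conf(text), []
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper case")
    for name, settings in conf.get("realms", {}).items():
        if name != name.upper():
            findings.append(f"[realms] entry {name!r} is not upper case")
        if "." not in settings.get("kdc", ""):
            findings.append(f"kdc {settings.get('kdc')!r} is not a fully-qualified host name")
        if settings.get("default_domain", name.lower()) != name.lower():
            findings.append(f"default_domain {settings['default_domain']!r} is not {name.lower()!r}")
    return findings
```

Run against the question's file it reports only the stray default_domain; with that value changed to mydomain.net, as in the answer's corrected config, it reports nothing.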

Gerrit 2.11.4 LDAP configuration of accountBase and groupBase fields causing log-in failures

Can someone point me to documentation and/or describe what the LDAP configuration options mean for Gerrit's configuration?
E.g. ou= and dc= etc.
I found these details on Google's site about LDAP configuration for accountBase and groupBase; however, it too lacks details about what the options/parameters are and what their values should be based on.
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap
Luckily I blindly copied a co-worker's Gerrit server configuration; he's using version 2.1.x. Initially I thought his options were different due to version differences, but then I tried adding his extra fields, and my unique LDAP account worked with the additional 'ou=' and additional 'dc=' parameters. Error, bad config and good config below.
Note: our company has a single LDAP server, but my co-worker's Gerrit has a separate LDAP log-in from mine. I didn't copy his log-in to get mine working; it was simply the accountBase and groupBase options that made the difference.
Error:
cat log/error_log | tail -n 1
[2015-12-16 17:21:24,144] INFO com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'cxxxxt\myaccount' failed to sign in: No such user: cxxxxt\myaccount
Bad config:
[ldap]
    server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
    username = ldap_username_here@crcxxxxt.rxxxxxxxxxxxxxs.com
    accountBase = DC=rxxxxxxxxxxxxxs,DC=com
    groupBase = DC=rxxxxxxxxxxxxxs,DC=com
Good config:
[ldap]
    server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
    username = ldap_username_here@cxxxxt.rxxxxxxxxxxxxxs.com
    accountBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
    groupBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
http://www.ldapman.org/articles/intro_to_ldap.html
This page describes ou= as organizational unit and dc= as domain component. I'll confirm these with my IT department's LDAP configuration settings after the holidays.
Gerrit's site mentions what the separate rows/options are but doesn't describe what the syntax of each line should be or what the options are for. For most configuration topics which aren't covered by Gerrit's site, external links are provided. This was the only one I found missing for my chosen configuration.

Integrate http apache with kaazing gateway

I am running an app on Apache HTTP Server 2.4 through which I am trying to connect to a Kaazing gateway. I have followed the
instructions found on the Kaazing site in the "setup-guide.html#webserver_integrate" section, but the connection keeps failing: the Mozilla console prints:
TypeError: this._socket is undefined, 4146 XmppClient.js
I changed the <allow origin> to *. I would like to ask whether I should make any changes to the Apache configuration file.
Finally, I managed to get it to work. I made a new install of the Kaazing gateway. In gateway-config.xml under GATEWAY_HOME/conf/ I changed the value of gateway.hostname to my internal IP and set * in
    <cross-site-constraint>
        <allow-origin>*</allow-origin>
    </cross-site-constraint>
in the service with type xmpp.proxy, and this time it worked! I also replaced * with http://localhost:80 (Apache HTTP) and that worked too. I don't know why it didn't work before.
Thanks for trying to help!