Apache modify Authorization header after authentication - apache

I have to change the Authorization header after mod_auth_basic has verified the credentials.
Is this possible?

You would need to write a (small) Apache module. No general purpose directive can edit headers at that stage of processing. If you use 2.4, you could implement it in Lua and run it via mod_lua.
You probably want to run during the "fixups" hook.
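As an added illustration of the mod_lua route the answer suggests (this is not code from the answer), here is a "fixups" hook that runs after mod_auth_basic has accepted the credentials, strips the Basic credentials from the request and forwards only the verified identity. The script path, the X-Authenticated-User header name and the use of Apache 2.4 with mod_lua loaded are assumptions.

```lua
-- Added example for the thread above, not the answer's own code.
-- Registered in httpd.conf (path is an assumption):
--   LuaHookFixups /etc/httpd/lua/rewrite_auth.lua rewrite_auth
-- The fixups phase runs after authentication and authorization, so
-- r.user is already populated when this function is called.

function rewrite_auth(r)
    -- Never let a client-supplied copy of our identity header through.
    -- Assigning nil to a headers_in entry unsets that header.
    r.headers_in["X-Authenticated-User"] = nil

    -- r.user is only set once an authn provider accepted the credentials.
    if not r.user or r.user == "" then
        return apache2.DECLINED
    end

    local auth = r.headers_in["Authorization"]
    if not auth or not auth:lower():match("^basic%s") then
        -- Nothing to rewrite (for example a different AuthType is in use).
        return apache2.DECLINED
    end

    -- Remove the Basic credentials so the cleartext password travels no
    -- further, e.g. to a backend reached through mod_proxy.
    r.headers_in["Authorization"] = nil

    -- Forward only the verified user name. The receiving side must trust
    -- this header solely for requests that arrive via this server.
    r.headers_in["X-Authenticated-User"] = r.user

    r:info("rewrite_auth: stripped Basic credentials for user " .. r.user)
    return apache2.OK
end
```

Because the hook returns DECLINED for unauthenticated requests, it is harmless on locations without `Require`; on protected locations the Basic credentials never leave this server, while the backend still learns who the user is.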

Related

Redirect url based on ID using lua

I'm extremely new to Lua as well as nginx. We're trying to set up authentication.
I'm trying to write a script that could be injected in my NGINX which would actually listen to an endpoint.
My API would give me a token. I would receive this token and check if it exists in my YAML file or probably JSON file.
Based on the privilege mentioned in the file, I would like to redirect it to the respective URL with the necessary permissions.
Any help would be highly appreciated.
First of all, nginx on its own has no Lua integration whatsoever; so if you just have an nginx server, you can't script it in Lua at all.
What you probably mean is openresty, aka. the lua-nginx-module, which lets you run Lua code in nginx to handle requests programmatically.
Assuming that you have a working nginx + lua-nginx-module installed and running, what you're looking for is the rewrite_by_lua directive, which lets you redirect the client to a different address based on their request.
(Realistically, you'd likely want to use rewrite_by_lua_block or rewrite_by_lua_file instead)
Within the Lua block, you can make API calls, execute some logic, etc. and then redirect to some URI internally with ngx.exec or send an actual redirect to the client with ngx.redirect.
If you want to read in a JSON or YAML file, you should do so in the init_by_lua so the file gets loaded only once and then stays in memory. The lua-cjson module comes with nginx, so you can just use that to parse your json data into a Lua table.
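The following module puts the answer's advice together as an added example (not code from the answer or from OpenResty): the JSON file is read once from `init_by_lua_block`, and `rewrite_by_lua_block` checks the token on every request and redirects internally. The file path, the `X-Auth-Token` header, the JSON layout and the use of lua-resty-string for SHA-256 are assumptions; the file stores digests of the tokens rather than the tokens themselves.

```lua
-- token_router.lua: added example for the question above (assumed to be on
-- lua_package_path). Wire-up in nginx.conf (assumption):
--   init_by_lua_block    { require("token_router").load("/etc/nginx/privileges.json") }
--   rewrite_by_lua_block { require("token_router").route() }
--
-- Constructed privileges.json; keys are hex SHA-256 digests of the tokens:
--   { "<sha256-hex-of-token>": { "role": "editor", "url": "/editor/" } }

local cjson  = require "cjson.safe"   -- bundled with OpenResty; decode returns nil, err on bad input
local sha256 = require "resty.sha256" -- lua-resty-string, also bundled
local str    = require "resty.string"

local M = { privileges = {} }

local function sha256_hex(s)
    local h = sha256:new()
    h:update(s)
    return str.to_hex(h:final())
end

-- Runs once at startup, so the file is parsed a single time and kept in memory.
function M.load(path)
    local f, err = io.open(path, "r")
    if not f then
        ngx.log(ngx.ERR, "token_router: cannot open ", path, ": ", err)
        return false
    end
    local raw = f:read("*a")
    f:close()

    local data, derr = cjson.decode(raw)
    if type(data) ~= "table" then
        ngx.log(ngx.ERR, "token_router: bad JSON in ", path, ": ", tostring(derr))
        return false
    end

    -- Keep only entries whose target is a local path. The target always
    -- comes from this file, never from the client, so there is no open redirect.
    local map, n = {}, 0
    for digest, entry in pairs(data) do
        if type(entry) == "table" and type(entry.url) == "string" and entry.url:sub(1, 1) == "/" then
            map[digest] = entry
            n = n + 1
        else
            ngx.log(ngx.WARN, "token_router: skipping malformed entry ", tostring(digest))
        end
    end
    M.privileges = map
    ngx.log(ngx.INFO, "token_router: loaded ", n, " privilege entries")
    return true
end

-- Runs per request in the rewrite phase.
function M.route()
    local token = ngx.var.http_x_auth_token
    if not token or token == "" then
        return ngx.exit(ngx.HTTP_UNAUTHORIZED)      -- no token presented
    end

    local entry = M.privileges[sha256_hex(token)]
    if not entry then
        ngx.log(ngx.WARN, "token_router: unknown token from ", ngx.var.remote_addr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- Overwrite whatever the client sent, so the upstream can trust the role
    -- header, then jump to the privilege's location without a client round trip.
    -- ngx.redirect(entry.url, 302) would instead send the client a Location header.
    ngx.req.set_header("X-User-Role", entry.role or "")
    return ngx.exec(entry.url)
end

return M
```

Internal redirection with `ngx.exec` keeps the token-to-URL mapping on the server; if the target must be a different host, `ngx.redirect` is the call to use, and the role header then has to be conveyed another way.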

Apache-2.2 Set-Cookie on logic from a response header

I need to set a cookie based on a response header (as opposed to a request header). The response header is set by a SOAP call to a backend - and is out of Apache's control.
I've looked into SetEnvIf, but it states that it investigates request headers only. mod_rewrite's {HTTP:parm} construct also seems to apply to request headers only.
1. Request comes in.
2. Response header is generated by backend.
3. Apache investigates response header FooBar.
4. Apache adds Set-Cookie if the response header FooBar value matches "string".
Any ideas out there?
It looks like this can be done with mod_headers, but unfortunately only with Apache 2.4, since expressions were only added in 2.4. You would do something like:
Header set Set-Cookie "cookie-contents-here" "expr=%{resp:Content-Type} =~ m|application/pdf|"
If you can't upgrade to 2.4, you might consider putting Varnish Cache in front of your Apache install. It's a powerful HTTP processor and can easily handle modifying the response for you. You could also implement caching with it and increase the performance of your site, but it can just be used as a pass-through HTTP processor if you don't want to do that. Perhaps there's a simpler solution but that would work.
Another option could be to put a layer in between Apache and your back-end, such as a PHP script, that handles passing the call to the back-end and modifying the headers on the way back out. Probably not great for performance though; upgrading Apache or implementing Varnish Cache would be better.
If you're using a separate back-end out of Apache's control, then you might take Apache out of the loop completely and go straight from Varnish Cache to your back-end.
Hope the ideas help.
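Spelled out for the asker's FooBar case, as an added configuration example (not from the answer): Apache 2.4 with mod_headers and mod_proxy. The backend address, the location, the cookie name and its attributes are assumptions.

```apache
# Added example for the thread above; assumes the SOAP backend is reached through mod_proxy.
<Location "/soap/">
    ProxyPass        "http://backend.example.internal:8080/soap/"
    ProxyPassReverse "http://backend.example.internal:8080/soap/"

    # Set the cookie only when the backend's FooBar response header is exactly "string".
    # Without "always" this applies to 2xx responses only; add "always" to cover
    # error responses as well.
    Header set Set-Cookie "foobar=1; Path=/; HttpOnly; Secure; SameSite=Lax" "expr=%{resp:FooBar} =~ /^string$/"

    # Do not forward the backend's own FooBar header to the client.
    Header unset FooBar
</Location>
```

`Header set` replaces any Set-Cookie the backend already emitted; use `Header add` if the backend sets cookies of its own that must survive. Directives run in configuration order, so the expression sees FooBar before the `unset` removes it.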

use environment variable or http header with mod_authnz_ldap

I have an Apache that already uses Shibboleth SP for authentication and am now trying to configure it to use mod_authnz_ldap for authorization. I'm not positive this would work, but what I'd like to do is get the user's ID (which Shibboleth sets as an env variable and header) and provide it to an ldap-filter, something like
Require ldap-filter &(uid=${ENV_UID})(department=marketing)
I.e., the current user would only be authorized if he/she is in marketing.
Unfortunately the IDP can't expose this data (otherwise I would just use Shibboleth to do authorization). Does anyone have experience with using environment variables or header values in mod_authnz_ldap? Or any apache mods for that matter? Is it possible?
Thanks for your time.
According to the Apache Documentation for mod_authnz_ldap, the use of expressions in LDAP Require directives is available as of version 2.4.8.
Make sure you're running the latest Apache, if you are, try increasing the logging levels and double check some settings.
Edit: I tested the new functionality on 2.4.18, and there appears to be a regression in the new feature. I opened a bug report accordingly.

non-browsable URLs?

How can one make URLs on their site non-browsable?
Example:
http://mydomain.com/files/file1.txt
If a user hits it directly, don't allow it.
If I call it inside an href on MY site then it would work.
Would one use url-rewrite to accomplish this, or how?
Apache, CentOS 5.5
You can check the Referer header.
Note that not all browsers send Referer headers, so you'll be completely locking out some users.
Also note that the Referer header is trivially spoofable.
Alternatively, and more securely, you can protect the files with a server-side script.
Change your links to point to a server-side script and include a randomly-generated one-time passcode in the querystring.
The server-side script should verify the one-time passcode (use a database), then send the file to the client.
Depending on your application, you can also use an ordinary password-based authentication system. (if you have user accounts)
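The one-time passcode scheme from the answer, as an added example in plain Lua (not code from the answer): `issue` is called when your own page renders a download link, `redeem` by the endpoint the link points at. The token store is an in-memory table here; in production that is the database the answer mentions, and the files live outside DocumentRoot so a direct URL gets nothing. The TTL, the files directory and the token length are assumptions.

```lua
-- onetime.lua: added example for the thread above. Runs with stock Lua 5.1+/LuaJIT.

local M = {}

local TOKEN_TTL  = 300                     -- seconds a passcode stays valid (assumed)
local FILES_ROOT = "/var/www/private/"     -- assumed: outside DocumentRoot, not directly served

local store = {}   -- token -> { file = name, expires = unix time }; a database in production

-- 32 bytes from the OS CSPRNG, hex encoded: 64 characters, not guessable.
local function random_token()
    local f = assert(io.open("/dev/urandom", "rb"))
    local bytes = assert(f:read(32))
    f:close()
    return (bytes:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Accept only a plain file name: letters, digits, dot, underscore, dash; never a path.
local function safe_name(name)
    return type(name) == "string"
        and name:match("^[%w%._%-]+$") ~= nil
        and name ~= "." and name ~= ".."
end

-- Called when rendering <a href="/download?t=TOKEN"> on our own page.
function M.issue(filename, now)
    now = now or os.time()
    if not safe_name(filename) then
        return nil, "bad filename"
    end
    local token = random_token()
    store[token] = { file = filename, expires = now + TOKEN_TTL }
    return token
end

-- Called by the download endpoint. Returns the path to send, or nil and a reason.
function M.redeem(token, now)
    now = now or os.time()
    local entry = type(token) == "string" and store[token] or nil
    if entry then
        store[token] = nil          -- one-time: consume before any further check
    end
    if not entry then
        return nil, "unknown token"
    end
    if now > entry.expires then
        return nil, "expired"
    end
    return FILES_ROOT .. entry.file
end

-- Housekeeping: drop expired tokens that were never redeemed.
function M.sweep(now)
    now = now or os.time()
    for token, entry in pairs(store) do
        if now > entry.expires then
            store[token] = nil
        end
    end
end

-- Self-check when run directly: lua onetime.lua
if arg and arg[0] and arg[0]:match("onetime%.lua$") then
    local t = assert(M.issue("file1.txt", 1000))
    assert(M.redeem(t, 1001) == FILES_ROOT .. "file1.txt")
    assert(M.redeem(t, 1002) == nil)                     -- second use is refused
    local t2 = assert(M.issue("file1.txt", 1000))
    assert(M.redeem(t2, 1000 + TOKEN_TTL + 1) == nil)    -- expired
    assert(M.issue("../etc/passwd") == nil)              -- path traversal refused
    print("ok")
end

return M
```

The script that serves the file should only ever read from the path `redeem` returns; the file name check plus the fixed FILES_ROOT prefix is what keeps the querystring from selecting arbitrary files. Because the token is consumed before expiry is checked, a stale token can never be retried later.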

Can I coerce Apache into not including a WWW-Authenticate header for failed HTTP Basic Auth?

I'm using HTTP Basic Authentication with AJAX requests. Firefox 3 is a whiner and always displays a dialog box for failed credentials -- even though I don't want one.
This question summarizes some of the browser and JS issues; you'll notice it's unresolved on the client side. Luckily, I have at least some freedom to change the server -- I can modify my .htaccess file.
Basically, whenever Firefox sees the WWW-Authenticate header, it tries to authenticate again. Can I suppress that header only for AJAX requests by modifying my .htaccess file? If so, how? I can pass a custom header in my XHR request if necessary.
Here's what it looks like currently:
AuthType Basic
AuthUserFile /www/private/.htpasswd
AuthName "Private Collection"
require valid-user
I faced a similar problem that I solved through a proxy written in nodejs.
Perhaps this can help you: Write proxy/wrapper class for own service in jersey