Apache Reverse Proxy with Frontend and Backend Authentication - apache

Here's the outcome I am trying to achieve:
1. Client browser (Chrome in my case) hits the Apache HTTPd server (server1) on 50070. The client browser has no access to the Kerberos KDC and carries no Kerberos/GSS auth data.
2. Apache HTTPd has access to the KDC and is configured to require Kerberos authentication, but with a password fallback (i.e. KrbMethodK5Passwd is On, so it accepts "Authorization: Basic" in HTTP headers).
3. The client browser prompts the user for login and password thanks to the fallback option (as no Kerberos ticket is offered by the client). Apache HTTPd validates the supplied login and password against Kerberos, obtains the correct user principal Kerberos ticket and keeps it in memory (it also saves it to /tmp, thanks to the KrbSaveCredentials option).
4. Apache HTTPd reverse-proxies to a backend server (server2), which also listens on port 50070. The backend server is running Jetty, which accepts Kerberos only, without any password/Basic authentication fallback: if there's no Kerberos ticket, there's no entry. Apache HTTPd sends the user principal Kerberos ticket obtained from the KDC using login+password to server2.
In my current configuration, points 1, 2 & 3 work successfully, i.e. the client-to-server1 authentication works correctly and I can see Apache saving the user principal ticket on server1 for a brief moment.
However, I'm having difficulty forcing Apache HTTPd to use the obtained user Kerberos ticket to authenticate with server2. Basically, no authentication detail is sent to server2 at all.
Here's my configuration:
<VirtualHost 1.2.3.4:50070>
    ServerAlias server1.example.com:50070
    ServerAlias server1:50070
    ProxyPreserveHost Off
    ProxyRequests Off
    ProxyPass / http://server2.example.com:50070/ retry=0
    ProxyPassReverse / http://server2.example.com:50070/ retry=0
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel debug
    <Location />
        Options None
        AuthType Kerberos
        AuthName "NameNode"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbSaveCredentials on
        KrbLocalUserMapping on
        Require valid-user
    </Location>
</VirtualHost>
I have also tried using SetEnv proxy-chain-auth offered by mod_proxy_http, which I suppose works as designed: it does indeed send the exact content of the "Authorization: Basic ..." header that the client came to server1 with onward to server2, but server2 does not support anything but Kerberos (i.e. "Authorization: Negotiate") and complains about an unknown auth method in its logs.
Is there a way to force Apache HTTPd to use the Kerberos ticket obtained from KDC, using the login and password provided by client browser, to then authenticate using Negotiate method (with ticket) with the target server2 I'm reverse proxying to?
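The question hinges on what actually arrives at server2: a Basic credential, a Negotiate token, or nothing. The following stand-in backend is an added example (not code from the question or from Jetty): it classifies the Authorization header the proxy forwards, distinguishing Basic from Negotiate and, inside a Negotiate token, SPNEGO from raw Kerberos and NTLM by the GSS-API mechanism OID, then answers 401 with WWW-Authenticate: Negotiate exactly like a Kerberos-only backend would. Port 50070 comes from the question; the OID values come from RFC 2743, RFC 4178 and RFC 4121. The stub only reports what it sees and does not validate tokens, so it is a diagnostic, not a replacement for server2.

```python
"""Diagnostic stand-in for server2: report which Authorization scheme reaches the backend."""
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer

# DER-encoded mechanism OIDs (content bytes only, without the 0x06 tag and length).
MECH_OIDS = {
    bytes.fromhex("2b06010505 02".replace(" ", "")): "spnego",          # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos v5",                  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "ms kerberos v5",               # 1.2.840.48018.1.2.2
}


def _initial_context_mech(token: bytes):
    """Return the mechanism name from a GSS-API InitialContextToken (RFC 2743 3.1), or None."""
    if len(token) < 2 or token[0] != 0x60:          # [APPLICATION 0] IMPLICIT SEQUENCE
        return None
    pos = 1
    length = token[pos]
    pos += 1
    if length & 0x80:                               # long-form DER length: skip its length bytes
        pos += length & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:  # OBJECT IDENTIFIER tag
        return None
    oid_len = token[pos + 1]
    oid = token[pos + 2:pos + 2 + oid_len]
    return MECH_OIDS.get(oid, "unknown mechanism " + oid.hex())


def negotiate_header(token: bytes) -> str:
    """Build the header value a client would send for a raw GSS token (used for samples/tests)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_authorization(value):
    """Classify an Authorization header value. Returns (scheme, detail)."""
    if not value:
        return ("none", "no Authorization header")
    scheme, _, param = value.strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()
    if scheme not in ("basic", "negotiate"):
        return (scheme, "unsupported scheme")
    try:
        raw = base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError):
        return (scheme, "undecodable base64 parameter")
    if scheme == "basic":
        user = raw.split(b":", 1)[0].decode("utf-8", "replace")
        return ("basic", f"user={user}")          # password deliberately not reported
    if raw.startswith(b"NTLMSSP\x00"):
        return ("negotiate", f"ntlm token ({len(raw)} bytes)")
    if raw[:1] == b"\xa1":                          # NegTokenResp: a later SPNEGO round trip
        return ("negotiate", f"spnego response token ({len(raw)} bytes)")
    mech = _initial_context_mech(raw)
    if mech is None:
        return ("negotiate", f"unrecognised token ({len(raw)} bytes)")
    return ("negotiate", f"{mech} token ({len(raw)} bytes)")


class KerberosOnlyBackend(BaseHTTPRequestHandler):
    """Mimics server2's policy (Negotiate or nothing) and logs what the proxy forwarded."""

    def do_GET(self):
        scheme, detail = classify_authorization(self.headers.get("Authorization"))
        self.log_message("Authorization scheme=%s %s", scheme, detail)
        if scheme != "negotiate":
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.end_headers()
            return
        self.send_response(200)                     # NOTE: no token validation, diagnostic only
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"received {detail}\n".encode())


if __name__ == "__main__":
    # Run on server2 in place of Jetty, point the proxy at it, and read the log lines.
    HTTPServer(("127.0.0.1", 50070), KerberosOnlyBackend).serve_forever()
```

With proxy-chain-auth enabled the log line will read "scheme=basic user=...", which is the behaviour the question describes; without it, "scheme=none". A real forwarded ticket shows up as an "spnego token" or "kerberos v5 token" line.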

Related

mod_auth_openidc with Apache2.4 reverse proxy

I'm trying to set up SSO with OpenID for the Centreon web app.
Here is the architecture:
Apache 2.4 (Windows) with mod_auth_openidc 2.3.9
Centreon 2.8.17
I want only one vhost to authenticate through SSO, so I added all the openidc conf to the vhost.conf file:
<VirtualHost *:80>
    ServerName myserver.com
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
    OIDCProviderMetadataURL https://openid.com/fss/.well-known/openid-configuration
    OIDCClientID MY-Centreon
    OIDCClientSecret abcdefghijklmnop
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCRedirectURI https://myserver.com/ssoredirect
    OIDCScope "openid profile"
    OIDCCryptoPassphrase mypassphrase
    OIDCAuthNHeader MY_HEADER
    OIDCRemoteUserClaim sub
    OIDCClaimPrefix myprefix_
    ProxyPreserveHost on
    ProxyPass / http://10.10.10.10/
    ProxyPassReverse / http://10.10.10.10/
</VirtualHost>
On Centreon the only thing we have to do is give the name of the HTTP header that contains the user login (see documentation):
CENTREON SSO CONF
When I go to https://myserver.com it redirects me to the SSO login page. From there I'm able to identify myself and I'm redirected to Centreon, but I'm not logged in, so it redirects me to the Centreon login page.
In the Centreon login.log I have:
[WEB] No contact found with this login : ''
It shows that Centreon does not receive anything in the "MY_HEADER" header, thus SSO authentication is not working.
Additional information (don't know if it can be useful):
My Apache reverse proxy is listening on HTTP (80) behind a load balancer that listens on HTTPS (443) and forwards to the server on HTTP (80).
My question:
I'm not sure about the header name that contains the username. With the above config, can somebody confirm that Centreon should receive a header "MY_HEADER" containing the username?
Thanks
If you get this message, it means that the user maybe doesn't exist in "Configuration > Users > Contacts / Users".
Maybe you need to connect your LDAP server and enable "Auto Import" users to import missing users automatically.
Also, a long time ago there was a bug where you had to fill in any email address in the field 'SSO blacklist client addresses', otherwise it would send this error [WEB] No contact found with this login : ''. You can try this.

Apache interacting with Tomcat through mod_auth_openidc

I need to connect an Apache webserver on port 8079 with a Tomcat instance on port 8080 through the mod_auth_openidc module (for a specific login). The purpose is to carry the user identification through OpenID Connect to the webapp hosted on Tomcat with no need for a further login request.
I configured OIDC according to the OIDC server's requirements (e.g. Google) and registered the client; I also enabled mod_jk. I'm not able to reach the last mile. I also considered using PROXY/REVERSEPROXY within the VirtualHost section of the http.config Apache file. So far this is not redirecting correctly as supposed.
Can someone provide help?
You can use the following configuration to proxy a path protected by mod_auth_openidc to a backend server like Tomcat:
<Location "/">
    AuthType openid-connect
    Require valid-user
    ProxyPass http://tomcat:8080/
    ProxyPassReverse http://localhost:8080/
</Location>
The solution you provided on your own isn't enough when the backend needs to have access to user information for authorization or data isolation.
I found a more complete way to achieve it.
<Location "/tomcat">
    AuthType openid-connect
    Require valid-user
    RequestHeader set Authorization "Bearer %{OIDC_access_token}e"
    ProxyPass "http://tomcat:8080"
    ProxyPassReverse "http://tomcat:8080"
</Location>
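Forwarding the access token as a Bearer header only helps if the Tomcat side verifies it instead of trusting whatever arrives in the header. The following is an added example (not code from the answer above, mod_auth_openidc or Tomcat) of the checks a backend should perform: scheme, pinned algorithm, signature, expiry/not-before, issuer and audience. To run offline it assumes the token is a JWT signed with HS256 and a shared secret; a real OIDC provider typically signs with RS256 and the backend would fetch the provider's public keys from its JWKS endpoint instead. The secret, issuer and audience values are constructed placeholders.

```python
"""Verify the Bearer token that 'RequestHeader set Authorization "Bearer %{OIDC_access_token}e"' forwards."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"          # placeholder: stands in for the provider's signing key
ISSUER = "https://issuer.example"            # placeholder issuer URL
AUDIENCE = "tomcat-app"                      # placeholder client/audience id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256; stands in for the provider."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """Negative test fixture: header says alg=none and the signature segment is empty."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "."


def with_modified_subject(token: str, new_sub: str) -> str:
    """Negative test fixture: payload re-encoded with another 'sub', original signature kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return header_b64 + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


def verify_bearer(authorization, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid token or raise ValueError with the reason."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing or non-Bearer Authorization header")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: the verifier decides how to check, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    return claims


def describe(authorization, now) -> str:
    """One-line verdict for a forwarded header, using the module's placeholder secret/issuer/audience."""
    try:
        claims = verify_bearer(authorization, SECRET, ISSUER, AUDIENCE, now=now)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted sub={claims.get('sub')}"


if __name__ == "__main__":
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": int(time.time()) + 300}, SECRET)
    print(describe("Bearer " + token, now=None))
    print(describe("Bearer " + with_modified_subject(token, "mallory"), now=None))
```

The signature is computed over the encoded header and payload text, so any change to either segment, even one that decodes to the same bytes, invalidates it; that is why the modified-subject fixture is rejected with "bad signature" rather than being silently accepted.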

How to login into Web App with kerberos/AD but still allow access to non AD users

I'm deploying SSO in an Apache webserver against an Active Directory via Kerberos (mod_auth_kerb).
The module is installed and configured correctly: when I access Apache websites with a user logged in to the AD network, Apache correctly receives the user's credentials via the REMOTE_USER variable. The thing is that I want external users (non-AD-network ones) to be able to access Apache websites via regular login, but they get a
401 Authorization required
when accessing the websites.
I guess this can be achieved via Kerberos configuration but I haven't reached the solution. Does anyone know if this is possible with a Kerberos Location directive, or should I configure some workaround for this, such as limiting Location access by IP ranges in the virtual host configuration's Location directive?
My virtual host configuration is:
<VirtualHost *:80>
    # General
    ServerAdmin packettrc@my.es
    DocumentRoot /home/moodle/moodle
    ServerName my.es
    LogLevel debug
    ErrorLog logs/my.es-error.log
    CustomLog logs/my.es.log combined
    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login MY"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbServiceName HTTP/my.es@MY.ES
        KrbAuthRealms MY.ES
        Krb5KeyTab /etc/krb5.keytab
        require valid-user
    </Location>
</VirtualHost>
Try replacing
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case, a link to Apache's manual.

Configure Kerberos SSO on Moodle: KRB5KDC_ERR_PREAUTH_REQUIRED

I'm trying to set up Kerberos SSO in Moodle but I'm getting an error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25):
1) I've configured Kerberos on Apache: installed Kerberos, configured it via /etc/krb5.cnf, and tested it via the kinit command, getting the right Kerberos tickets. WORKS
2) I've created a virtual host in Apache with a folder with Kerberos authentication for testing: created a keytab file, tested that authentication through Kerberos works in the testing virtual site. I get the LDAP REMOTE_USER info and it passes the authentication; Kerberos traffic is also generated (captured Kerberos traffic with Wireshark). WORKS
3) Configured the virtual host to use Kerberos to authenticate to Moodle, as shown in the Moodle documentation:
Moodle Kerberos SSO documentation
4) Configured Moodle's LDAP auth plugin: login with an LDAP user works fine. WORKS
5) Configured NTLM options in Moodle's LDAP plugin: I've tested it and it does generate Kerberos authentication network traffic (captured Kerberos with Wireshark). But I'm getting a KRB5KDC_ERR_PREAUTH_REQUIRED (25).
Moodle LDAP configuration (NTLM section):
Enable = yes
Subnetwork = 192.168.0.0/16
Authentication type = kerberos
Username format = (none)
My virtual host configuration for both sites (test folder and Moodle folder) is:
<VirtualHost *:80>
    # General
    ServerAdmin myemail@domain.com
    DocumentRoot /home/moodle/moodle
    ServerName mymoodle.es
    LogLevel debug
    ErrorLog logs/testing-error.log
    CustomLog logs/testing.log combined
    <Location /krb_testing>
        ## Networks for which SSO is offered
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbServiceName HTTP/mymoodle.es@MYREALM.DOMAIN.ES
        KrbAuthRealms MYREALM.DOMAIN.ES
        Krb5KeyTab /etc/krb5.keytab
        ## Without "require valid-user" no negotiation takes place
        require valid-user
    </Location>
    <Directory /home/moodle/moodle/auth/ldap/>
        <Files ntlmsso_magic.php>
            AuthName "Moodle"
            AuthType Kerberos
            KrbAuthRealms MYREALM.DOMAIN.ES
            KrbServiceName HTTP/mymoodle.es@MYREALM.DOMAIN.ES
            Krb5KeyTab /etc/krb5.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            KrbAuthoritative on
            require valid-user
        </Files>
    </Directory>
</VirtualHost>
Apache version: Apache/2.2.15 (CentOS)
Moodle version: 2.4.7
Today I had a similar situation when I was configuring SSO (Kerberos). I solved the issue when I set KrbServiceName HTTP.
You should replace KrbServiceName HTTP/mymoodle.es@MYREALM.DOMAIN.ES with KrbServiceName HTTP, and then SSO will work correctly.
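Whether KrbServiceName is spelled out as a full principal or shortened to HTTP, mod_auth_kerb can only accept a ticket for a principal whose key is actually in the file named by Krb5Keytab, so listing the keytab's principals is the first check when SSO fails. The following is an added example (not from the thread above or from mod_auth_kerb): a reader for the MIT krb5 keytab format, version 0x0502 (2-byte magic, then length-prefixed entries holding realm, name components, name type, timestamp, 8-bit kvno, enctype and key, followed by an optional 32-bit kvno), plus a writer used only to construct a sample keytab in memory with all-zero keys. Compare its output against klist -kt on a real file; the key material is never printed, only its length.

```python
"""List principals in a keytab (MIT format 0x0502) to check the KrbServiceName / Krb5Keytab pair."""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Constructed sample: (principal, kvno, enctype, key bytes, timestamp). Keys are zeros on purpose.
SAMPLE_ENTRIES = [
    ("HTTP/mymoodle.es@MYREALM.DOMAIN.ES", 3, 18, b"\x00" * 32, 1700000000),
    ("host/mymoodle.es@MYREALM.DOMAIN.ES", 3, 17, b"\x00" * 16, 1700000000),
]


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise entries into keytab bytes (writer used here only to construct the sample)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, _, realm = principal.rpartition("@")
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode("utf-8"))
        for component in components:
            body += _counted(component.encode("utf-8"))
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name_type, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key                      # keyblock
        body += struct.pack(">I", kvno)                                          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body                               # int32 entry size
    return bytes(out)


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Return a list of dicts describing each live entry; key bytes are skipped, not returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected magic 05 02)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # negative size marks a deleted slot of that many bytes
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _read_counted(body, 2)
        components = []
        for _ in range(ncomp):
            comp, off = _read_counted(body, off)
            components.append(comp.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        enctype, key_len = struct.unpack_from(">HH", body, off)
        off += 4 + key_len               # skip over the key material
        kvno = vno8
        if len(body) - off >= 4:         # 32-bit vno present: it overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", body, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode("utf-8"),
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, f"enctype {enctype}"), "key_len": key_len,
        })
    return entries


def service_principals(entries, service: str):
    """Principals whose first component is the given service name, e.g. 'HTTP'."""
    return [e["principal"] for e in entries if e["principal"].split("/")[0] == service]


if __name__ == "__main__":
    # Usage: python keytab_list.py /etc/krb5.keytab   (no argument: parse the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    parsed = parse_keytab(raw)
    for e in parsed:
        print(f"{e['kvno']:>3} {e['principal']:<45} {e['enctype']} ({e['key_len']} bytes)")
    print("HTTP/ principals:", service_principals(parsed, "HTTP") or "NONE")
```

If the HTTP/ line is missing or its kvno does not match what the KDC currently holds for that principal, the Negotiate exchange fails regardless of how KrbServiceName is written.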

Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user

Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying the URL, simplifying NAT, etc.).
However, what I would like to do is be able to use Apache to handle the authentication so that:
I don't have to give out the single password to everyone
I can have multiple usernames and passwords using Apache's BasicAuth
For internal users, I don't have to prompt for a password
EDIT: Second part about richer authentication has been moved to new question
Here's more or less what I have now:
<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyPass / http://192.168.1.253:8080/endpoint
    ProxyPassReverse / http://192.168.1.253:8080/endpoint
    # The endpoint has a mandatory password that I want to avoid requiring users to type
    # I.e. something like this would be nice (but does not work)
    # ProxyPass / http://username:password@192.168.1.253:8080/endpoint
    # ProxyPassReverse / http://username:password@192.168.1.253:8080/endpoint
    # Also need to be able to require a password to access proxy for people outside local subnet
    # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint
    # Ideas?
</VirtualHost>
Add or overwrite the Authorization header before passing any request on to the endpoint. The Authorization header can be hard-coded; it's just the base64 encoding of the string "username:password" (without the quotes).
Enable the mod_headers module if not already done.
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
To perform this conditionally, enable mod_setenvif, e.g. to still ask for the master password in the case of local requests:
SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
http://en.wikipedia.org/wiki/Basic_access_authentication
http://httpd.apache.org/docs/2.0/mod/mod_headers.html
http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
EXAMPLE
# ALL remote users ALWAYS authenticate against the reverse proxy's
# /www/conf/passwords database (the "file" provider reads an htpasswd file)
#
<Directory /var/web/pages/secure>
    AuthBasicProvider file
    AuthUserFile /www/conf/passwords
    AuthType Basic
    AuthName "Protected Area"
    Require valid-user
</Directory>
# reverse proxy authenticates against master server as:
# Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
Well, I used your example to point to two IP cameras using Apache ProxyPass. When I used the syntax user:password@camarafeliz3.compufiber.com and accessed it through an iPhone I got a security message from Safari (the iPhone browser), so I changed the example to work well with an iPhone 4S:
<Location /camarafeliz1/ >
    # user admin, password 123456 (base64 of "admin:123456" has no padding)
    ProxyPass http://192.168.0.39/
    ProxyPassReverse http://192.168.0.39/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>
<Location /camarafeliz3/ >
    # user admin, password 123456
    ProxyPass http://192.168.0.99/
    ProxyPassReverse http://192.168.0.99/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>
and the iPhone 4S stopped complaining about security because of the user and password in the link.
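The RequestHeader value in the answers above is a static credential, so getting its encoding exactly right matters: the backend decodes it once and either accepts or rejects. The following is an added example (not code from the answers): it produces the Basic value and the full RequestHeader line from a username and password per RFC 7617, and decodes an existing value back, flagging non-canonical base64 (for instance stray trailing "=" padding) that some decoders tolerate and others do not. The credentials used are the ones quoted on this page, "Aladdin:open sesame" from the RFC example and "admin:123456" from the camera answer, and have no other meaning.

```python
"""Build and check the static 'Authorization: Basic' value used with RequestHeader set."""
import base64
import binascii


def basic_header(username: str, password: str) -> str:
    """Return 'Basic <base64(username:password)>' as RFC 7617 specifies."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def request_header_directive(username: str, password: str, env=None) -> str:
    """Render the mod_headers line; env='!localrequest' reproduces the conditional SetEnvIf form."""
    line = f'RequestHeader set Authorization "{basic_header(username, password)}"'
    return line + (f" env={env}" if env else "")


def parse_basic(value: str) -> dict:
    """Decode a Basic header value; 'canonical' is False when the base64 would not re-encode identically."""
    scheme, _, param = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    param = param.strip()
    try:
        raw = base64.b64decode(param)          # lenient decode: accepts stray padding/whitespace
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"credentials are not base64: {exc}") from None
    if b":" not in raw:
        raise ValueError("decoded credentials lack the ':' separator")
    user, password = raw.split(b":", 1)
    return {
        "username": user.decode("utf-8", "replace"),
        "password": password.decode("utf-8", "replace"),
        # A strict decoder (or the backend) may reject what the lenient decode above accepted.
        "canonical": base64.b64encode(raw).decode("ascii") == param,
    }


if __name__ == "__main__":
    print(request_header_directive("Aladdin", "open sesame", env="!localrequest"))
    print(parse_basic("Basic YWRtaW46MTIzNDU2=="))   # decodes, but canonical=False
```

Because the value is a credential in clear text (base64 is an encoding, not encryption), the configuration file that carries the RequestHeader line deserves the same file permissions as the password it replaces.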