Apache Config - Exclude Location from Authentication - apache

I have a web application that is being protected by a Shibboleth authentication module. My current config is as below
<Location /MyApp>
AuthType shibboleth
ShibUseHeaders On
ShibRequestSetting requireSession 1
require shibboleth
</Location>
Shibboleth is an authentication module that provides SSO capability, and the current flow directs the user to an Identity Provider to enter their login credentials. I want to be able to open up a specific URL so that it is bypassed by the authentication module. I tried the below but it doesn't seem to work, and I get a blank page on loading the URL.
Method 1
<Location /MyApp/Login.html>
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
Method 2
<Location /MyApp/Login.html>
AuthType shibboleth
ShibRequestSetting requireSession 0
require shibboleth
</Location>
I did some additional debugging and it appears that the problem is with the additional files that Login.html loads, such as CSS, JS etc. What is the correct way to configure this in Apache so that Login.html can be bypassed from the authentication?
Thanks

My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the HTML file:
# pattern anchored, dots escaped, no empty alternative: an empty branch would match every URL under /MyApp/
<Location ~ "^/MyApp/(Login\.html|SessionTimeout\.html|accessDenied\.html|badRequest\.html|status|css/|login/|images/|style/|js/|javascript/)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>

When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:
<LocationMatch "^(?!/server-status)">
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
<RequireAll>
Require ssl
Require user valid_user_name
</RequireAll>
</LocationMatch>
Analyzing:
<LocationMatch "regex"> is equivalent to <Location ~ "regex">.
The regex used is PCRE (Perl-compatible regular expressions).
^(?!/server-status) means:
^: "starts with"
(?!): "negative look ahead (instead of positive (?=))"
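An Apache 2.4 version of the login-page exclusion, added here as an example; it is not the poster's configuration. It assumes the same /MyApp prefix and the file and directory names listed in the self-answer above, and that mod_shib is loaded with 2.4-style authorization. Satisfy and Allow are 2.2 directives that 2.4 only honours through mod_access_compat, so the exception is expressed with Require instead, and the pattern is anchored: an unanchored alternation, an empty branch, or a branch like css/* (which means "css" followed by zero or more slashes) exempts more than the listed paths, in the worst case the whole application.

```apache
# Added example, not the original poster's configuration (Apache 2.4).

# Protect the whole application with Shibboleth.
<Location "/MyApp">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    Require shibboleth
</Location>

# Exempt the login page, the error pages and their static assets.
# <Location> and <LocationMatch> sections are merged in file order, so
# this block must come after the protected one to take precedence.
# ^ anchors the match, the html names end in $ so Login.html.bak is not
# exempted, and directory names carry a trailing slash so that
# /MyApp/cssfoo is not exempted either.
<LocationMatch "^/MyApp/((Login|SessionTimeout|accessDenied|badRequest)\.html$|status$|(css|login|images|style|js|javascript)/)">
    AuthType None
    Require all granted
</LocationMatch>
```

To confirm the split, request /MyApp/Login.html and a file under /MyApp/css/ without a session (both should return 200) and /MyApp/ itself (should redirect to the IdP). Any path the regex does not match stays protected, which is the safe default if a new asset directory is added later.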

Related

Use one mod_auth_openidc in Apache for two applications

I currently have an app running on Apache and using mod_auth_openidc. I now want to add a second application under a different URL. I assume I need to add a second "Location" to my httpd.conf, e.g.:
<Location /application_ONE.html>
AuthType openid-connect
Require valid-user
</Location>
#new application
<Location /application_TWO.html>
AuthType openid-connect
Require valid-user
</Location>
How can I add a second "OIDCRedirectURI" to the mod_auth_openid? Is it possible to do this?
I have been looking online but can't seem to find anything. I may have found a source saying that it was not possible but wanted to confirm.

how to implement a multisite kerberos authentication using omd/thruk

Hi, I'm trying to create an omd (www.omdistro) multisite configuration which allows Single Sign On; I'm trying to do this using Kerberos.
I have already configured the system Apache to use Kerberos authentication on some directory and it seems to work. I tried to apply the same Kerberos settings to Apache:
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
into the directory object:
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine_auth_name>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine_realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
But:
in the system Apache configuration this produces a Kerberos authentication
in the omd Apache it does not, and Thruk prompts me with the login form
Is there a way to disable the login form in Thruk?
I found a method that works for now; I still have to try whether I can play with users' permissions to limit what they can see.
For now, my configuration allows everybody who has a Kerberos principal and performed the authentication on one site to open all other sites.
First of all I disabled Thruk cookie authentication, which for some reason conflicts with the Kerberos one and shows you the login form.
After that I loaded the Kerberos authentication module as described in my question; then I discovered that there is a site.conf file in ${SITE_HOME}/etc/apache/conf.d/ which, reading the comments, is the one to modify global site behavior, so I put the Kerberos configuration in there:
The omd site name is lab4
<Location "/lab4">
# put your extra site configs here
Options Indexes FollowSymLinks MultiViews
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine-realm>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine-realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
</Location>
I still have to test whether I can use this configuration as a starting point for fully functional user access rules; I hope it could be useful.

Apache2 - classification/authentication per location

I'm developing a client-server application with WebDAV functionality. Apache2 is used as webserver, a Windows Phone application as client. I'm working with classifications: TOPSECRET - SECRET - CONFIDENTIAL - PUBLIC.
TOPSECRET: SSL mutual authentication + password/username
SECRET: SSL mutual authentication
CONFIDENTIAL: password/username
PUBLIC: no authentication (but SSL is required)
So far, it's working with this configuration in Apache2: the user must choose at which level he wants to authenticate and he will be directed to the correct folder.
#For webdav configuration
Alias /public /home/bram/Desktop/webdav/public
Alias /confidential /home/bram/Desktop/webdav/confidential
Alias /secret /home/bram/Desktop/webdav/secret
Alias /topsecret /home/bram/Desktop/webdav/topsecret
<Location /public>
#no authentication required
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
</Location>
<Location /confidential>
#only username-password authentication
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
AuthType Digest
AuthName "DavCompany"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
#only strong/device authentication (mutual SSL)
DAV On
Satisfy Any
Allow from all
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
<Location /topsecret>
#Device + username-password authentication
DAV On
Satisfy Any
Allow from all
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
My problem: When authenticated in TOPSECRET, the user also has to see the folders SECRET, CONFIDENTIAL and PUBLIC. When authenticated in CONFIDENTIAL or SECRET, the user has to see the folder PUBLIC. I'm not familiar with Apache2.
Has anybody a suggestion to make this work?
This is a tough one. I'd have to experiment to find the answer, but I think you want to try to avoid mixing authorization mechanisms in Apache (you're using SSL's builtins, along with Apache's core mechanisms). You may, also, need this to be more hierarchical.
This perhaps isn't the complete answer, but it should be a starting point. Try setting your "base" permissions in the <VirtualHost> you're working with and vary the Locations within scope:
<VirtualHost *:443>
# other VirtualHost configurations
# ....
SSLVerifyClient optional
SSLVerifyDepth 3
Require ssl
Satisfy all
<Location /confidential>
AuthType digest
AuthName "DavCompany"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
Require ssl-verify-client
</Location>
<Location /topsecret>
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require ssl-verify-client
Require valid-user
</Location>
</VirtualHost>
I'm sure the above isn't perfect, but I think it is along the right lines for what you're trying to accomplish. I haven't run this through Apache, so it is possible there are mistakes above, but I believe it is roughly accurate.
The idea of what I've done above is to try to keep the overall authorization plan within the same scope. From there, the "tighter" scopes are applied for their specific locations. I do think there is a problem in that the user files are separate, and the AuthName are different for confidential and topsecret. I think, as it is, users with topsecret MAY NOT have access to confidential with their credentials if the AuthUserFile isn't the same.
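The same hierarchy written in Apache 2.4 syntax, added as an example; it is not the answer's own configuration. It keeps the Alias lines and the digest file from the question, assumes mod_ssl, mod_dav, mod_auth_digest and mod_authz_core are loaded, and uses a placeholder for the client CA file. Require is only valid in directory context, so the vhost-wide defaults live in a <Location "/"> block, and a single AuthName is used everywhere because a digest hash is bound to its realm.

```apache
# Added example, not the answer's configuration (Apache 2.4).
<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as usual (omitted).
    # SSLCACertificateFile /path/to/client-ca.pem   # placeholder: CA that issued the device certificates
    # Ask for a client certificate but do not demand one at the TLS
    # level; the Require lines below decide where it is mandatory.
    SSLVerifyClient optional
    SSLVerifyDepth 3

    Alias /public       /home/bram/Desktop/webdav/public
    Alias /confidential /home/bram/Desktop/webdav/confidential
    Alias /secret       /home/bram/Desktop/webdav/secret
    Alias /topsecret    /home/bram/Desktop/webdav/topsecret

    <Directory "/home/bram/Desktop/webdav">
        # Filesystem-level gate only. Apache merges <Location> sections
        # after <Directory> sections, so the per-URL rules below decide.
        Require all granted
    </Directory>

    # Defaults for every URL: DAV on, one digest realm, deny by default.
    # A Require in a nested <Location> replaces this one, so each level
    # must grant explicitly.
    <Location "/">
        Dav On
        AuthType Digest
        AuthName "DavCompany"
        AuthUserFile /home/bram/Desktop/password/digest-password
        Require all denied
    </Location>

    # PUBLIC: TLS only (this vhost listens on 443), no authentication.
    <Location "/public">
        Require all granted
    </Location>

    # CONFIDENTIAL: password. TOPSECRET users hold a password in the
    # same realm, so their credentials work here too.
    <Location "/confidential">
        Require valid-user
    </Location>

    # SECRET: device certificate. TOPSECRET users hold one as well.
    <Location "/secret">
        Require ssl-verify-client
    </Location>

    # TOPSECRET: both factors; RequireAll refuses anyone with only one.
    <Location "/topsecret">
        <RequireAll>
            Require ssl-verify-client
            Require valid-user
        </RequireAll>
    </Location>
</VirtualHost>
```

A digest file entry is a hash over user:realm:password, so every password-protected level shares the DavCompany realm; a different AuthName per level only makes sense if the user populations are meant to be disjoint. Keeping SSLVerifyClient at the vhost level and deciding with Require ssl-verify-client per Location also avoids the per-directory TLS renegotiation that a per-Location SSLVerifyClient require would trigger, which some clients do not support.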

How to protect part of a cakephp website for a stage deployment?

I have a cakephp project consisting of website URLs and a URL for an API, say:
http://myproject.com/controller1/someaction
http://myproject.com/controller2/someotheraction
http://myproject.com/api/controller1/someapiaction
For production deployment, the websites and API both handle authentication & authorization using cakephp's methods.
I would like to deploy the whole project on a staging server. There, the websites should be HTTP Auth protected, whilst the API should be unprotected (because I don't want to add auth to the API consumers). I do not want to change the project's sources or configuration and instead solve it via Apache configuration.
I tried several vhost configurations, basically following this scheme:
<LocationMatch "/api/.*">
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>
<Location />
Order allow,deny
Allow from all
AllowOverride all
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require group mytesters
</Location>
I also tried mixing Location & Directory directives, using Location or LocationMatch for both sections, negated regex for LocationMatch, separate vhosts for both sections, ... - none of this worked: Either the whole site was protected, or nothing.
Am I getting something really wrong, or is it just not possible (due to Apache or the way cakephp handles rewrites)?
Try the following configuration:
<Directory /path/to/your/htdocs>
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require valid-user
AllowOverride AuthConfig
</Directory>
<Location "/api">
Satisfy any
</Location>
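An Apache 2.4 form of the staging gate, added as an example; it is not the answer's configuration. It assumes the document root and credential files named in the question. The point it makes is section merge order: <Directory> sections are merged before <Location> sections, and <Location>/<LocationMatch> sections are merged in the order they appear in the file, so the site-wide rule must be written before the exception for /api. In the question's attempt the LocationMatch for /api came first and the <Location /> that followed it won, which protects everything.

```apache
# Added example, not the answer's configuration (Apache 2.4).
<Directory "/path/to/your/htdocs">
    # cakephp's .htaccess rewrite rules need this
    AllowOverride All
    Require all granted
</Directory>

# Site-wide staging gate: HTTP Basic for members of the "mytesters" group.
# This must precede the /api exception; <Location> sections merge in file
# order and the later one wins.
<Location "/">
    AuthType Basic
    AuthName "myproject"
    AuthUserFile /path/to/.htpasswd
    AuthGroupFile /path/to/.htgroup
    Require group mytesters
</Location>

# The API stays open to its consumers. A Require in a more specific
# <Location> replaces the parent's requirement rather than adding to it,
# so the application's own authentication is what protects /api here.
<Location "/api">
    Require all granted
</Location>
```

If API requests are still challenged after this, one thing to check is cakephp's .htaccess rewrite to index.php: the rewritten URI is matched against the <Location> sections again, and LogLevel authz_core:debug shows which section made the final decision.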

Allowing anonymous users in Trac (apache/mod_wsgi)

I have Trac installed and running great using apache2 and mod_wsgi. However, whenever a user tries to access even the front page they are greeted with a login. I've tried several things, but everything I try either disables the authentication altogether or won't allow unauthenticated users to view the site. Here's the authentication section of my httpd.conf file:
<Location '/'>
AuthType Basic
AuthName "Trac"
AuthUserFile /home/trac/.htpasswd
Require valid-user
</Location>
I'm almost certain that the solution lies in the require line but I've exhausted my own creativity. Any thoughts?
EDIT: The answer I selected works great. The link given doesn't have instructions on connecting the password file to the system.
My memory is hazy, but the only solution I found when I had this issue was switching from Apache authentication to the AccountManagerPlugin.
You can specify when Apache should ask for a password.
In Trac, when you select Login it will open the site: /trac_folder/login
So defining a location for authentication should do the trick.
Check my trac.conf:
WSGIScriptAlias /trac /var/lib/trac/apache/trac.wsgi
## This is required if you plan to use HTTP authorization. Without it the
## user name won't be passed
WSGIPassAuthorization On
<Directory /trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
#AuthType Basic
#AuthName "TracHaselko"
#AuthUserFile /var/lib/trac/authfiles/htpasswd
#Require valid-user
</Directory>
<Location /trac/login>
AuthType Basic
AuthName "TracHaslo"
AuthUserFile /var/lib/trac/authfiles/htpasswd
Require valid-user
</Location>
In your file change:
<Location '/'>
to:
<Location '/login'>