Artifactory behind Apache using basic auth and anonymous browsing

I'm trying to run Artifactory behind an Apache proxy with basic auth. I've done this for a few other webapps (Jira, Jenkins, AnthillOS), but am having a problem with Artifactory. The Apache config proxies /artifactory to the stand-alone Artifactory server, and defines basic auth for the /artifactory path:
<Location "/artifactory">
AuthUserFile /prod/data/apachePasswords
AuthName "My Realm"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Location>
Anonymous browsing is activated in Artifactory.
When I attempt access via a web browser, I first receive the authentication dialog from Apache. After successfully entering those credentials, I'm given another authentication dialog, this one for the "Artifactory Realm". After entering credentials for an Artifactory account, I'm re-presented with the first authentication dialog and the cycle continues.
I'd like to get just the first dialog, then go directly to Artifactory for anonymous browsing. If I disable the authentication in Apache, I can anonymously browse Artifactory, but when I enable basic auth in Apache, I get two separate circular authentication dialogs. Any ideas how I can kill that second dialog?

I ran into the same problem this week. The login for the "Artifactory Realm" is the same as the default login for Artifactory (admin/password). When you log in to the "Artifactory Realm" it will log you into the Artifactory GUI. I'm using Artifactory 2.6.5.

I had the same issue and fixed it by unsetting the Authorization header in the Apache proxy. It looks like Artifactory is getting upset by this Authorization header (from the first dialog) and requires a "good" Artifactory password in the second dialog. Here is my config:
<Location "/">
    AuthType Basic
    AuthName "Apache authenticate"
    AuthUserFile /var/www/repo.domain.com/.htpasswd
    AuthGroupFile /dev/null
    Require valid-user
    # Apache has already checked these credentials; drop them before proxying
    # so Artifactory does not try to validate them against its own users
    RequestHeader unset Authorization
    ProxyPass http://repo.company.local:8081/artifactory/repo/
    ProxyPassReverse http://repo.company.local:8081/artifactory/repo/
</Location>
To use the RequestHeader unset directive, mod_headers must be enabled.
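As an added, complete configuration for the layout in the original question (this is not code from either post above): Apache authenticates the browser, strips the credentials it has already checked, and proxies /artifactory to the stand-alone server. The host name, the backend address 127.0.0.1:8081, the module paths and the htpasswd location are assumptions.

```apache
# Added example, not from the thread. Assumed: Artifactory on http://127.0.0.1:8081/artifactory,
# published at /artifactory, htpasswd kept outside the document tree.
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName repo.example.com
    # TLS directives omitted for brevity; Basic credentials are only base64-encoded,
    # so this proxy must not be reachable over plain HTTP.

    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/artifactory">
        AuthType Basic
        AuthName "Apache Realm"
        AuthUserFile "/etc/httpd/auth/artifactory.htpasswd"
        Require valid-user

        # Without this line the browser's Apache credentials are forwarded verbatim.
        # Artifactory validates them against its own user database, fails, and answers
        # 401 with WWW-Authenticate: Basic realm="Artifactory Realm": that is the second
        # dialog, and the browser then re-sends to Apache, which is the loop in the question.
        RequestHeader unset Authorization

        ProxyPass        http://127.0.0.1:8081/artifactory
        ProxyPassReverse http://127.0.0.1:8081/artifactory
    </Location>
</VirtualHost>
```

A quick check from the command line: `curl -u apacheuser:secret -sI https://repo.example.com/artifactory/ | grep -i www-authenticate` should print nothing once the header is stripped, and a `realm="Artifactory Realm"` line when it is not. The trade-off is that Artifactory now never sees any credentials, so every request behind this Location is anonymous to it; a client that must present Artifactory's own credentials in an Authorization header (a Maven deploy, the REST API) needs a separate Location for its paths without the unset.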

Related

Custom front end for web server authentication (alternative to Apache)

I'm running an Apache web server with a basic authentication, like as follows:
AuthType Basic
AuthName "Authentication required"
AuthUserFile "/usr/local/apache2/conf/.htpasswd"
Require valid-user
Actually the Authentication/Authorization configuration is a little more complex because I'm querying an LDAP server.
I would like to be able to use a custom web page instead of the traditional pop-up that comes with the 401 that Apache sends to the web browser.
Two questions:
Is Apache capable of doing so? (AFAIK, no);
Which alternative product would be a good option given that I'm running everything inside Docker containers and it has to be able to do LDAP Authentication/Authorization.
You can add a custom 401 error page as described in the Apache documentation here.
But you should consider putting your directives inside a Location (or similar) container:
ErrorDocument 401 /error/error401.html
<Location />
AuthType Basic
AuthName "Authentication required"
AuthUserFile "/usr/local/apache2/conf/.htpasswd"
Require valid-user
</Location>
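Two things a practitioner would want alongside that answer, shown as an added Apache 2.4 example that is not from the thread. First, the browser still opens its own login dialog on any 401 that carries a WWW-Authenticate header, so the custom page is what the user sees after cancelling it, not instead of it. Second, the ErrorDocument must be a local path (a full URL turns into a redirect and the 401 is lost), and it is fetched through an internal subrequest that runs the same access checks, so the error page's location has to be allowed without credentials or Apache falls back to its built-in page. The /error path and the htpasswd path are assumptions.

```apache
# Added example (not from the thread). Assumed: the page lives at
# <DocumentRoot>/error/error401.html and Apache is 2.4.
ErrorDocument 401 /error/error401.html

<Location "/">
    AuthType Basic
    AuthName "Authentication required"
    AuthUserFile "/usr/local/apache2/conf/.htpasswd"
    Require valid-user
</Location>

# A later <Location> replaces the authorization of the earlier one (AuthMerging
# defaults to Off), and "Require all granted" needs no authentication, so the
# subrequest for the error page is not itself answered with a 401.
<Location "/error">
    Require all granted
</Location>
```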

BasicAuth with "ldap file" providers doesn't work for users in file

I have a host where authenticated users need to be in a certain LDAP group. This worked perfectly. Afterwards I needed an external user that I put locally in a file, and this one doesn't work.
When I comment out all the LDAP lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add LDAP, everything works for the LDAP users but not for the file user.
When I try to log in with the local file user with a bad password I get the login pop-up again, as usual, but when I enter the correct credentials I get:
"Authorization Required. This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my setup on Apache 2.2
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative so that failing to match the LDAP-based Require directives is not fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.
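Added example, not from the thread: the 2.2 fix the answer points at, with AuthzLDAPAuthoritative set to off, and the equivalent on 2.4, where that directive no longer exists and the Require lines are combined explicitly with RequireAny. The Deny/Satisfy lines from the question are left out because they add nothing once authentication is required. The LDAP URL, group DN and file path are placeholders.

```apache
# --- Apache 2.2 (added example) ---
<Location "/">
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL "LDAP_URL"
    AuthUserFile "/etc/httpd/auth/external.htpasswd"
    # Default is on: a user who authenticated via the file provider matches no
    # ldap-group/ldap-user rule, and mod_authnz_ldap then rejects the request
    # before mod_authz_user gets to evaluate "Require user".
    AuthzLDAPAuthoritative off
    Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
    Require ldap-user ldap_user_outside_group
    Require user file_user
</Location>

# --- Apache 2.4 (added example) ---
# AuthzLDAPAuthoritative is gone; each Require is evaluated on its own and
# RequireAny grants access when any one of them matches.
<Location "/">
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL "LDAP_URL"
    AuthUserFile "/etc/httpd/auth/external.htpasswd"
    <RequireAny>
        Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
        Require ldap-user ldap_user_outside_group
        Require user file_user
    </RequireAny>
</Location>
```

A check worth running after the change: log in as file_user with a wrong password and confirm you are re-prompted rather than let in, since with two providers in the chain a misconfigured file entry is easy to miss.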

Apache basic auth with SetEnvIf bug

I have a problem with apache 2.4 .htaccess configuration. My config example:
SetEnvIf Request_URI ^(?i).*/admin(/.*)?$ require_auth=true
AuthType Basic
AuthName "Secure area"
AuthUserFile /xxx/.admin_htpasswd
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The idea is to ask a password for requests to urls which contains "/admin" string. So if I go to www.mysite.com/admin the password is required and if I go to www.mysite.com/news the password is not required.
But there is a strange bug! If I start making multiple fast refreshes on url www.mysite.com/news (F5, F5, F5, F5, F5...) the basic auth window pops out and asks the password :( Why it is happening so?
The problem is resolved. After an IP address block, mod_evasive doesn't show 403 Forbidden but runs basic auth if it is configured in the .htaccess file.
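Added example, not from the thread: the same rule on 2.4 without Order/Deny/Allow/Satisfy. Those are mod_access_compat directives, and mixing them with "Require" is what makes setups like the one in the question hard to reason about; "Require expr" expresses the condition directly and the environment variable is not needed. The htpasswd path is an assumption.

```apache
# Added example (not from the thread); .htaccess or <Directory> on Apache 2.4.
AuthType Basic
AuthName "Secure area"
AuthUserFile "/etc/httpd/auth/admin.htpasswd"

<RequireAny>
    # Anything that is not under /admin is granted without a prompt ...
    Require expr "%{REQUEST_URI} !~ m#/admin(/|$)#i"
    # ... everything under /admin needs a valid user.
    Require valid-user
</RequireAny>
```

For a .htaccess file this needs AllowOverride AuthConfig on the directory; testing it is a matter of requesting /news (expect 200) and /admin (expect 401 with a WWW-Authenticate header).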

What is the key role of redirecting HTTP to HTTPS in basic authentication?

I am working in ColdFusion 11 with the Apache web server on Windows hosting. I don't have much knowledge about basic authentication, so I'm a little confused about this:
1. Why does the basic authentication type store passwords in a .htpasswd file, so that it is not necessary to store them in a database?
2. How do I redirect a request from HTTP to HTTPS before the password prompt?
My .htaccess file code is working fine: it first authenticates completely and then redirects HTTP to HTTPS, but I want to redirect HTTP to HTTPS before the password is entered. Here is my httpd.conf virtual host code:
<VirtualHost 112.192.12.16>
DocumentRoot C:/Apache24/htdocs/enovis53
ServerName test.example.com
ErrorLog logs/enovis-inc.com-error_log
CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
My .htaccess file code:
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
If anybody knows this, please guide me. I don't know whether this is the right thing to ask the community; all suggestions are welcome. Thanks in advance.
why does basic authentication type store password in .htpasswd file so not necessary to store database?
This is determined by AuthBasicProvider
Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.
So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...
how to redirect request HTTP to https before entering in password prompt?
Usually, a directive is applied unconditionally unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives, or at least the Require, inside an If:
<If "%{HTTPS} == 'on'">
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
</If>
But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!
Unrelated, but note the security warning in the AuthUserFile documentation:
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
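The part the answer says not to forget, as an added example that is not from the thread: a plain-HTTP virtual host that redirects before any Auth directive can run, and a TLS virtual host that carries the Basic auth. This also moves the htpasswd file out of the document root, which the warning above is about. The certificate paths, the conf/auth directory and the use of mod_ssl and mod_headers are assumptions.

```apache
# Added example (not from the thread). Assumed: mod_ssl and mod_headers loaded,
# certificate and key under C:/Apache24/conf/ssl/.

# Port 80 only redirects. Auth lives in the TLS host, so a browser is never asked
# for credentials on a connection where they would cross the wire as base64.
<VirtualHost *:80>
    ServerName test.example.com
    Redirect permanent "/" "https://test.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "C:/Apache24/htdocs/enovis53"
    SSLEngine on
    SSLCertificateFile    "C:/Apache24/conf/ssl/test.example.com.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/test.example.com.key"
    # Tell returning browsers to skip port 80 entirely.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory "C:/Apache24/htdocs/enovis53">
        AuthName "Example CLMS Production (v5.3.0.0)"
        AuthType Basic
        # Outside DocumentRoot: the file in the question sat inside the protected
        # tree, where a client could request it directly.
        AuthUserFile "C:/Apache24/conf/auth/enovis53.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

With this layout the <If "%{HTTPS} == 'on'"> wrapper from the answer is no longer needed, since the Auth directives only exist in the TLS host. Apache on Windows accepts forward slashes in paths, which avoids the backslash escaping issues of the original .htaccess.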

Apache + Perl + NTLM/LDAP == Single signon?

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?
NTLM Winbind
I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $query = CGI->new;
# REMOTE_USER is set by Apache once the NTLM handshake has succeeded
# (undef if the request was not authenticated)
my $windows_account = $query->remote_user();
print $query->header('text/plain'), "User: ", (defined $windows_account ? $windows_account : '<none>'), "\n";
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true single sign-on, as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
AuthName "Authentication required"
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
# "protocol://hostname:port/base?attribute?scope?filter" NONE
# NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
# This is only needed if your LDAP server doesn't allow anonymous binds
AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
AuthLDAPBindPassword super-secret
Require valid-user
AllowOverride all
</Directory>
More info about the module.
There are mod_ntlm and mod_ldap plugins for Apache which you can use to authenticate.
In your case, I'd assume that you actually do want to use mod_ntlm, and LDAP or "Active Directory" is only its backend?
Here's one tutorial that covers the setup phase: http://sivel.net/2007/05/sso-apache-ad-1/
The compilation phase in the tutorial is aimed at RPM-based Linux platforms, though TWiki has some more info about compiling for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b