Trac Single Signon not working as mentioned in the cookbook - trac

I am using Trac 0.12.3 in a multi-project setup with Subversion and am using AccountManagerPlugin from the trunk. The default index page lists all the project directories and clicking on any of them takes me to the Trac page for that project. When I try to log in, I am successfully authenticated; however, coming to another project requires me to log in again. I wanted to use single sign-on and followed the steps mentioned at http://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration#SingleSignOn
It always asks me to sign in for every project.
My apache config:
<VirtualHost *:80>
ServerName trac.myproject.com
ServerAdmin your@email.com
DocumentRoot /trac
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory />
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
<Location /svn>
DAV svn
SVNParentPath /svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svnauth
Require valid-user
AuthzSVNAccessFile /etc/svnaccess
</Location>
<LocationMatch "/.+">
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir /trac/
PythonOption TracUriRoot /
#AuthType Basic
#AuthName "Trac"
#AuthUserFile /etc/svnauth
#Require valid-user
</LocationMatch>
</VirtualHost>
Trac.ini file, from which all the other project specific trac.ini files are inherited:
[trac]
trac_auth = /trac/cookie
trac_auth_session = /trac/session
#I have also tried setting it as trac_auth_cookie = /trac/cookie
[header_logo]
alt = Logo
height = -1
link = /
src = http://projects.hostgeyser.com/templates/frost/images/logo%20250%20x%2089_new.png
width = -1
[components]
acct_mgr.admin.* = enabled
acct_mgr.api.* = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = disabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.http.httpauthstore = disabled
acct_mgr.notification.* = enabled
acct_mgr.pwhash.htdigesthashmethod = disabled
acct_mgr.pwhash.htpasswdhashmethod = disabled
acct_mgr.svnserve.* = enabled
acct_mgr.svnserve.svnservepasswordstore = disabled
acct_mgr.web_ui.* = enabled
trac.web.auth.loginmodule = disabled
acct_mgr.http.httpauthstore = enabled
[account-manager]
password_store = HtPasswdStore
htpasswd_hash_type = md5
htpasswd_file = /etc/svnauth

You can't mix authentication as you do here:
Apache config by AuthType Basic
AccountManager LoginModule (enabled by acct_mgr.web_ui.* = enabled)
Decide for only one of these. If you want SSO from AcctMgr, then stick to auth_cookie_path = <all-env-common-basepath>. The wiki page TracIni has all valid configuration keys for your Trac application, which is Trac environment-specific, depending on enabled components and installed Trac plugins.

Double-tricky. I just tapped into the same gaffes. The documentation (as well as hasienda's answer) speaks of a "base-path", which easily lets one think about the file system (and something like the session files used by PHP sessions). That's mistake number one: it's the URL path to the Trac parent environment. So if your Trac projects are using something like http://www.example.org/trac/<project>, your setting must be auth_cookie_path = /trac.
Second trap: old cookies remaining in the browser. Though I finally adjusted my auth_cookie_path as described above, I was still unable to authenticate. There was an old trac_auth cookie from one project sitting in my jar. After I removed that one, it started working like a charm!
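Both traps above come down to how browsers scope cookies by URL path. The following added example (not from the thread) models RFC 6265 path matching and cookie ordering to show why auth_cookie_path has to be the URL prefix shared by all project environments, why a filesystem path never matches, and why a stale per-project trac_auth cookie still shadows the new one; project paths and cookie values are constructed.

```python
# Added example, not from the thread: a minimal RFC 6265 cookie-path model of
# Trac's auth_cookie_path. Project paths and cookie values are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # the Path attribute sent with Set-Cookie (Trac: auth_cookie_path)

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: exact, or a prefix that ends at a '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_for(jar: List[Cookie], request_path: str) -> List[Cookie]:
    """RFC 6265 5.4: cookies the browser sends, longer paths listed first."""
    hits = [c for c in jar if path_matches(c.path, request_path)]
    return sorted(hits, key=lambda c: len(c.path), reverse=True)

def sso_reaches_all(auth_cookie_path: str, project_paths: List[str]) -> bool:
    """Is one trac_auth cookie scoped to auth_cookie_path sent to every project?"""
    jar = [Cookie("trac_auth", "session-token", auth_cookie_path)]
    return all(cookies_for(jar, p + "/wiki") for p in project_paths)

def first_trac_auth(jar: List[Cookie], request_path: str) -> Optional[str]:
    """The trac_auth value seen by a server that takes the first matching cookie."""
    for c in cookies_for(jar, request_path):
        if c.name == "trac_auth":
            return c.value
    return None

if __name__ == "__main__":
    projects = ["/trac/projectA", "/trac/projectB"]
    for setting in ["/trac", "/trac/projectA", "/var/lib/trac"]:  # last one: the filesystem-path mistake
        print(f"auth_cookie_path = {setting!r}: SSO works = {sso_reaches_all(setting, projects)}")
    # the second trap: a stale per-project cookie still in the jar shadows the SSO one
    jar = [Cookie("trac_auth", "stale-projectA-session", "/trac/projectA"),
           Cookie("trac_auth", "fresh-sso-session", "/trac")]
    print("projectA sees", first_trac_auth(jar, "/trac/projectA/wiki"))
    print("projectB sees", first_trac_auth(jar, "/trac/projectB/wiki"))
```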

Related

Why does enabling cleartrust override my shibboleth settings in Apache?

I want to protect one of my virtual hosts with shibboleth and others with cleartrust, but as soon as I enable cleartrust I can access the shibboleth protected virtual hosts without being authorized.
This is my shibboleth virtual host:
localhost.virtual-host.conf
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLProtocol all
SSLCertificateFile conf/localhost.crt
SSLCertificateKeyFile conf/localhost.key
SSLCertificateChainFile "conf/localhost.crt"
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
ProxyPreserveHost On
ProxyPass "/Shibboleth.sso" !
<Location />
AuthType shibboleth
Require shibboleth
ShibRequestSetting applicationId localhost-saml
</Location>
<Location /group>
ShibUseHeaders On
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId localhost-saml
Require valid-user
</Location>
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
</VirtualHost>
My cleartrust httpd.conf
ct-httpd.conf
#
# This is a RSA Access Manager Agent 5.0 configuration file
#
# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so
<IfModule ct_apache_mod.c>
# Where the agent configuration is located:
CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15
# Where the ClearTrust forms are located. This directory must
# always be configured for authentication, so the ClearTrust module
# can intercept and handle the requests.
#
Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
<Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
AuthType Basic
Require valid-user
AuthName CT
Order allow,deny
Allow from all
</Directory>
# Any part of a web site to be protected by ClearTrust must be
# configured for authentication. See the Apache documentation
# for details.
#
# This example will make ClearTrust protect the entire web site,
# unless there are previous Location overriding directives.
#
<Location />
AuthType Basic
Require valid-user
AuthName CT
</Location>
</IfModule>
My cleartrust webagent.conf, by default I disable cleartrust, because I want shibboleth to be used by default instead.
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
</VirtualHost>
The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, then I can access /group in localhost without authorizing via shibboleth, which I do not want.
Has anyone else had a similar issue and know how to fix this? Thanks in advance! :)
After reading through the Access Manager documentation I found that if the cleartrust agent is disabled, it also ignores all other potential authentication modules loaded into Apache by default. In order for Access Manager to pass authentication to other modules, you must specify a list of authentication realms for which the Access Manager Agent allows requests to be evaluated by other modules.
I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*
Final result:
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
cleartrust.agent.apache.pass_realms=*
</VirtualHost>

Open Street Map Tile Server using mod_tile authentication

I am creating a cluster of tile servers for a client application; due to bandwidth costs we would like to add some sort of authentication to the mod_tile module in Apache. I would prefer an app token using something like OAuth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
The first thing I did was disable mod_tile over insecure connections. This is necessary because basic authentication has no encryption, and asking users for their login/password over an insecure connection is generally a bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin@example.com
# Standard dir configuration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
In addition to that, I would also recommend using fail2ban to monitor basic authentication attempts, because Apache itself has no brute-force attack protection. Hope this helps!
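The fail2ban recommendation above amounts to a sliding-window count of basic-auth failures per client IP. The following added example (not part of the answer) writes that check out over constructed Apache 2.4 error-log lines (AH01617 is a password mismatch, AH01618 an unknown user; addresses are RFC 5737 test addresses) so the threshold logic is visible.

```python
# Added example, not part of the answer: the detection a fail2ban apache-auth
# jail performs, over constructed Apache 2.4 error-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] AH0161[78]: user (?P<user>[^:\s]+)"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"  # Apache 2.4 default error-log timestamp

SAMPLE_LOG = """\
[Tue Jul 02 10:15:00.000000 2019] [core:notice] [pid 1230] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 02 10:15:01.000000 2019] [auth_basic:error] [pid 1234] [client 203.0.113.7:51000] AH01618: user admin not found: /tile/1/0/0.png
[Tue Jul 02 10:15:02.000000 2019] [auth_basic:error] [pid 1234] [client 203.0.113.7:51001] AH01618: user root not found: /tile/1/0/0.png
[Tue Jul 02 10:15:03.000000 2019] [auth_basic:error] [pid 1235] [client 203.0.113.7:51002] AH01617: user tile_server_user: authentication failure for "/tile/1/0/0.png": Password Mismatch
[Tue Jul 02 10:15:04.000000 2019] [auth_basic:error] [pid 1235] [client 203.0.113.7:51003] AH01617: user tile_server_user: authentication failure for "/tile/1/0/0.png": Password Mismatch
[Tue Jul 02 10:15:05.000000 2019] [auth_basic:error] [pid 1236] [client 203.0.113.7:51004] AH01617: user tile_server_user: authentication failure for "/tile/1/0/0.png": Password Mismatch
[Tue Jul 02 10:15:40.000000 2019] [auth_basic:error] [pid 1236] [client 198.51.100.4:40222] AH01617: user tile_server_user: authentication failure for "/tile/2/1/1.png": Password Mismatch
"""

def auth_failures(lines):
    """Yield (timestamp, client_ip, user) for every basic-auth failure line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"]

def offenders(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """Map each client IP that reached maxretry failures inside a findtime
    window to the timestamp of the failure that crossed the threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip, _user in auth_failures(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```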

Apache 2.2 WebDav Anonymous access

I sorta have a HTTP config working for Apache 2.2 that allows WebDav. At least I can use the WinSCP client to attach with the DAV account listed below.
But I also have much older clunkier clients that may only work for anonymous access. And they are not working.
Windows 7 (map drive): it pops up the credentials prompt but does not log in.
FalconView (probably only understands anonymous login).
Any idea what I am doing wrong here with the anon access? I am a novice at HTTPD.conf
(The environment variable ${EGPL_JobsPath} resolves to a Windows path, e.g. F:\Jobs.)
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_JobsPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
Require valid-user
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require user me
</LimitExcept>
AuthType Basic
AuthName DAV
AuthUserFile conf/users.passwords
</Directory>
The only way I could get this to work, is to turn off all Authentication and leave the webdav folder open to the world. I would still like to hear from people with better ideas:
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_LibrarianPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
</Directory>

Digest authentication for debian repository

I created a Debian repository using dpkg-scanpackages for binary packages and connected it with a site which is using apache2 directory listing. It worked fine. After that, I set up digest authentication for the site. I added the following line to the /etc/apt/sources.list file.
deb http://username:password@subdomain.domain.com ./
I can reach the site with browser using this notation, however, when I try to run sudo apt-get update I am getting "401 Unauthorized" error. Is there any way to make apt-get update command be able to authenticate?
This is the configuration file for apache.
<VirtualHost *:80>
ServerName subdomain.domain.com
DocumentRoot /var/www/archive
<Directory /var/www/archive >
Options Indexes FollowSymLinks Multiviews
Order allow,deny
Allow from all
AuthType Digest
AuthName "Restricted Access"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/passwd/archive
Require valid-user
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I've been researching this topic for a while.
It is still not possible to enable digest authentication for Debian apt repositories, despite David Purdy having reported this as a bug.
This is important for me, because we have a private repository and want to avoid the sending of the credentials as plain text.
What do you think about writing together a paper about this topic?

Using Mercurial and Apache

I'm using Mercurial 1.7 and Apache 2.2.3. I'm trying to use the hgwebdir.cgi script to authenticate and serve my repositories, which are located at /var/lib/mercurial-server/repos.
Although the authentication works, the webpage does not show any of the repositories.
This is my /var/www/cgi-hg/hgwebdir.cgi:
config = "/var/lib/mercurial-server/repos/"
import sys; sys.path.insert(0, "/usr/lib64/python2.4/")
import cgitb; cgitb.enable()
from mercurial import demandimport; demandimport.enable()
from mercurial.hgweb import hgweb, wsgicgi
application = hgweb(config)
wsgicgi.launch(application)
This is my /var/www/cgi-hg/hgwebdir.config:
[collections]
/var/lib/mercurial-server/repos=/var/lib/mercurial-server/repos
[web]
allow_push = *
style = gitweb
push_ssl = False
This is my /etc/httpd/conf/httpd.conf (parts where changes were made):
DocumentRoot "/var/www/cgi-hg"
<Directory />
Options ExecCGI FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/www/cgi-hg">
Options ExecCGI Indexes FollowSymLinks
AllowOverride None
</Directory>
DirectoryIndex index.html index.html.var hgwebdir.cgi
ScriptAlias /hg "/var/www/cgi-hg/hgwebdir.cgi"
<Location /hg>
AuthType Basic
AuthName "Login Required"
AuthUserFile /usr/local/etc/users
Require valid-user
</Location>
Using config = "/var/lib/mercurial-server/repos/" and config = "/var/hg/hgwebdir.config" in hgwebdir.cgi gives me the empty repository page. Even though there is NO hgwebdir.config in /var/hg/.
Using config = "/var/www/cgi-hg/hgwebdir.config" gives me a page showing OSError. Part of the page shows:
/var/www/cgi-hg/hgwebdir.cgi
(highlighted) 22 application = hgweb(config)
application undefined, hgweb = <function hgweb>, config = '/var/www/cgi-hg/hgwebdir.config'
/usr/lib64/python2.4/site-packages/mercurial/hgweb/__init__.py in hgweb(config='/var/www/cgi-hg/hgwebdir.config', name=None, baseui=None)
(highlighted) 26 return hgwebdir_mod.hgwebdir(config, baseui=baseui)
...
I also noticed that whenever I restart my httpd, I get the 2 messages:
Starting httpd: [date time] [warn] The ScriptAlias directive in /etc/httpd/conf/httpd.conf at line 570 will probably never match because it overlaps an earlier ScriptAliasMatch.
httpd: Could not reliably determine the server's fully qualified domain name, using <IP address> for ServerName
There is no ScriptAliasMatch in my httpd.conf.
When I point my browser to /hg, I'm asked to authenticate, then I either get the empty repository page, or the Python errors, depending on which config I use in the hgwebdir.cgi.
If I use "hg serve --webdir-conf /var/www/cgi-hg/hgwebdir.config", all my repositories show up correctly.
I'm very new to apache, so I'm sure I've gotten something wrong. Please advise.
Thank you.
I don't know about the ScriptAlias warning, but I think the line of your /var/www/cgi-hg/hgwebdir.cgi file should be changed from the current:
config = "/var/lib/mercurial-server/repos/"
to
config = "/var/www/cgi-hg/hgwebdir.config"
When you're serving a single repo it's the path to that repo, and when you're serving multiple files it's the path to the hgweb configuration file.
You can make sure that it's reading your hgwebdir.config file by changing the style to something very noticeable like coal (which is dark gray). If you don't see that change then it's just running with defaults.
Once you get things going you should lock down that Apache config a bit too. One's DocumentRoot is usually something other than the directory containing the CGIs (you don't want people trolling around the areas outside of /hg) and similarly you shouldn't have the ExecCGI option enabled for the whole file system (Directory /) as a general rule.
First, though, make sure it's actually reading your hgwebdir.config file and then work on that.