here is my problem:
Context: kerberos authentication for two kinds of webapps, one using Apache mod_auth_kerb and the other using SPNEGO (GSSAPI) for Tomcat. I use mod_jk for connecting Tomcat to Apache.
Problem: kerberos headers from client Tomcat seem to be modified by Apache, which leads to authentication failures (Mechanism level: Checksum failed).
Question: How can I configure/disable mod_auth_kerb (or mod_jk) for SPNEGO webapps and keep it working for the others? Is there any other solution?
Thank you!
mod_auth_gss_krb5 might be of useful. Its available in this link http://modgssapache.sourceforge.net/
Related
I researched about any plugin/module WSGI for Oracle WebLogic 12c that allows me run a python flask app, with no success.
The reason for why i need to run from WebLogic 12c, it's because i need to use the SSL certfied living there.
Researching, i found many web server (Apache, Gunicorn, etc) can act as proxy of WebLogic, here is an example, where Nginx receive all the requests with SSL and then passed them to WebLogic:
https://medium.com/#Dracontis/nginx-as-proxy-for-weblogic-with-ssl-c7e1076e2c0c
So, i wonder if there is a manner to invert this order? I mean, WebLogic receive all the requests (safely because of SSL certified) and then pass them to any web server with the WSGI standard.
Thanks in advance.
I didn't find a sort of solution that accomplished the topic above. However, in case someone needs implements this topology here is what i did:
I've installed an Oracle HTTP Server (OHS) and creating a wallet for the SSL certified, in certain way in which the OHS can receive the requests secure, then inside the OHS with specific setting achieve forward the request to the Apache running with the module WSGI.
We are currently running a PHP application on apache httpd with mod_auth_kerb for SSO. We'd like to scale it to multiple hosts and make it highly available while we are at it.
Generally, HAproxy seems to be the recommended tool for this task, so i'll refer to this for the rest of the post - am open to alternatives here though. I haven't been able to find a way to combine HAproxy with Kerberos-based SSO - this seems to only be available for comercial load balancers (F5 for example).
We do not need the actual Kerberos ticket on the Webservers, it's literally just for authentication - is there a way to have HAproxy authenticate users via Kerberos and just pass the sAMAccountName as Header to the webservers? Alternatively full passthrough would work aswell of course.
The setup:
Ubuntu 16.04
JIRA Software 7.03 (on port 8080)
Confluence 6.03 (on port 8090)
NGINX 1.10.0 as a reverse proxy to...
Apache 2.4.18
The problem: Whenever I try to embed a JIRA issue into a Confluence page via the built-in JIRA Issue/Filter macro, the issue is successfully located and its status is successfully listed. However, the link from the Confluence page to the actual issue in JIRA points to localhost:8080.
As per the suggestion in Incorrect Links in JIRA Issues Macro (cause #1), I tried enabling ProxyPreserveHost in Apache, with no discernible effect.
Question 1: Am I even digging in the right direction, or is there some other likely cause for the issue that I'm missing?
Question 2: If the issue really is likely due to a configuration mismatch between Confluence and the web server, where should I start digging, given that I'm using NGINX as a reverse proxy?
I'm very hazy on the specifics of configuring web servers. Do I need to verify my settings in both NGINX and Apache, or just Apache (NGINX is set to pass through pretty much everything non-static)? Do I just follow the instructions for Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)?
I haven't done this yet because I'm worried my lack of understanding will cause something to explosively decompress.
Thanks in advance!
Since you redirect to localhost:8080 and 8080 is JIRA's default port, I believe that you need to check following and most likely it's related to misconfiguration of the proxy:
Configuration of JIRA Base URL - Is it configured properly?
Do you have proxyPort and proxyName in the connector of server.xml?
What you are seeing when you navigate to Application Link configuration of JIRA and Confluence? Is is showing any errors?
I have to configure SVN server. I am evaluating two approaches
With Apache.
Without Apache as a OS(Windows) service.
If I go with Apache, I will have browser level access too, which I consider an added advantage.
What approach should I take ?
You want apache - your flexibility and options for logging, authentication and authorization are way richer.
I'm looking for the best approach to achieve SPNEGO/Kerberos login for a spring-security application on Tomcat and Windows. Candidates i've looked at:
Spring Security Kerberos Extension
Waffle
Apache httpd fronting with mod_auth_kerb module
Apache httpd with mod_auth_sspi module
I wasn't super-impressed by Waffle and mod_auth_sspi only seems to support NTLMv1 so that is out. I do see a value in fronting with an Apache httpd so that seems like a good approach. How well does that play with spring-security though, I wonder. Who has done this? Which is the best/most stable approach?
Don't do any overhead. Use the Spring SEC Extension. That one works quite well on our environment for more than a year. Though it has the potention for some improvement.