I want to use mod_auth_openidc for authentication only, by using what is set in REMOTE_USER.
Currently, I have this:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
</Location>
The user accesses an url hosted by the app that logs them in. When logged in, there's additional info on every page, and access is allowed to some urls that otherwise return 401.
Now I want to add OIDC to this, so I tried adding the following:
OIDCRedirectURI https://<hostname>/oidc/redirect_uri
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
</Location>
Accessing "/oidc" successfully redirects to the provider, then redirects back to /oidc, which doesn't exist in the app, so apache goes 404.
If I go anywhere else, no REMOTE_USER is set and so the user is not authenticated. (I have a debug-page that dumps headers and environment variables and other sundry for this.)
I found this question: Optional or anonymous authentication with mod_auth_openidc, which mentions OIDCUnAuthAction, but it is unclear how to use it.
If I change the first location-block to:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
OIDCUnAuthAction pass
</Location>
.. then the user is no longer redirected.
If I in addition add OIDCUnAuthAction auth to the second Location-block, the redirect is back and the user is back to being redirected to /oidc and not being authenticated anywhere else.
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth
</Location>
If I keep the last version of the /oidc-block and change the first block to
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
OIDCUnAuthAction pass
</Location>
.. that doesn't change anything.
If I do force login everywhere, with
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
</Location>
then accessing any page redirects me to the provider, which redirects me to where I came from. On the debug-page I see that there are lots of claims headers, but REMOTE_USER is either not set, or set in such a way that it cannot be dumped (it's not visible to the app), so the user is not authenticated.
If I use OIDCAuthNHeader Foo it turns up together with the other http headers, prefixed with HTTP_, but then the app can't find it since it isn't named REMOTE_USER...
I'm at my wits end. How is this supposed to work? Can it work at all?
Related
I should be able to intercept the request using apache modules and after that I should be able to forward that request to application server.
I wrote one module in apache web server, that module will intercept the requests and sending the response.
When I try only with apache module using following configuration it is working fine.
<Location "/test.html">
SetHandler my_module
</Location>
When I try only with ProxyPass configuration as below in that case also it is working fine.
<Location "/test.html">
ProxyPass "http://192.168.124.1:8080/test/myservlet"
</Location>
But, if I want both functionalities in that case it is not working. i.e initially I should be able to intercept the request and after that I should be able to forward that request to application server.
Can someone please suggest me the approach for this?.
You should return DECLINED from your ap_hook_handler() function, or use a different "hook" such as "ap_hook_fixups" which allows more than 1 module to take action.
Lets assume I have project on .NET and is required to develop frontend for some additional module on ReactJS. According to requirements, I can login only on backend side (it has it's own UI) and frontend on React should be a standalone application. I can authorize on frontend side with backend API by passing cookies (that I get after login on backend) in Header.
I have placed source code to /var/www/project so there is such structure:
/var/www/project/backend - .NET serves to 127.0.0.1:5000
/var/www/project/frontend - I have generated a static build from ReactJS to /var/www/project/frontend/index.html
My Apache configuration:
<VirtualHost *:80>
ServerName project.com
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain.project.com
DocumentRoot /var/www/project/frontend/
<Directory "/">
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Backend works and I can access it at project.com. Frontend works also on subdomain.project.com. But I need backend to path cookie (e.g. http://prntscr.com/lgfikx) to frontend (where currently is http://prntscr.com/lgfjlx)
I have tried ProxyPassReverseCookiePath, ProxyPassReverseCookieDomain, Set-Cookie, but failed. Probably I have just used it wrong, but I have not found anywhere a working example. Answers on similar questions have not worked for me.
My final goal is to authorize frontend so I could talk to backend API. Can somebody tell me the best or just any working solution of how to do it?
If you can see the correct cookie in the WebDev tools, it's most likely that you set the cookie to HttpOnly and didn't make it available to JavaScript in the first place.
If your backend is aware of the domain name used (the cookies it sets should say .project.com in the Domain column of your web developer tools and not 127.0.0.1 or localhost), your frontend app should be able to access the cookies as well.
You only need the ProxyPassReverseCookieDomain if your backend server is using a different domain name than the one the reverse proxy uses. (i.e.: backend lives at domain.com, but you're accessing it through a reverse proxy at project.com)
I have password protected my webpage in Linux Mint by using mod_auth_form in apache2 with the configuration in /etc/apache2/apache2.conf:
<Directory "/var/www/html">
AuthFormProvider file
AuthType form
AuthName "Reserved Area"
Session On
SessionCookieName session path=/
require valid-user
AuthFormLoginRequiredLocation "http://localhost/login.php"
# This is the login page
ErrorDocument 401 /login.php
# This is the file containing users login data
AuthUserFile /var/www/html/users/users
</Directory>
When an unauthorized user tries to access something on the webpage he will be redirected to the login page "login.php", however he won't have access to this page either so I tried adding:
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
But the problem remains and it just tries to redirect to the login page infinitely. What would enable a user to access only the login page but not anything else on the site?
I found that if I replaced
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
with
<Directory /var/www/html/login>
Options Indexes
AllowOverride None
Require all granted
</Directory>
and added a folder /var/www/html/login where I placed everything that had to do with the login page it started working. I never figured out why Location didn't work to give access to the login.php file.
I also removed the line
AuthFormLoginRequiredLocation "http://localhost/login.php
as it wasn't needed.
The line:
ErrorDocument 401 /login.php
was also changed to:
ErrorDocument 401 /login/login.php
I tried to protect my application (the test environment) to hide it from curious with a htpasswd. Here is my architecture:
[AngularJS] -> [Apache Proxy] -> [Service]
The aim is to block people who has no password.
I tried first to add a htpasswd on my Apache Proxy at the highest level:
<Location "/">
AuthUserFile /etc/apache2/passwords
AuthName "Forbidden"
AuthType Basic
require valid-user
</Location>
Problem: the prompt was fired at each time a request was made (don't know why).
I tried after to reduce the scope:
<Location "/modules/user/">
AuthUserFile /etc/apache2/passwords
AuthName "Forbidden"
AuthType Basic
require valid-user
</Location>
It works because the call to this route is made at each request. Fine.
But now I created a new route : /modules/user/account. I fell in the first problem I have but worse: a prompt is always displayed, and never accepted. Apache in the logs says:
[Mon Nov 23 11:51:55.510434 2015] [authz_core:debug] [pid 3043:tid 139650316363520] mod_authz_core.c(809): [client 164.177.43.41:55888] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://test.mysite.com/
htpasswd is maybe the wrong way to protect my application, what should I do?
Thanks
I have a vps(Plesk, ubuntu) with one ip. I create a domain.com on the IP and several subdomains like jenkins.domain.com and blog.domain.com .
Now i wanted to redirect jenkins.domain.com to port 1122 and use this for example. But unfortunately all subdomains redirect then to domain.com:1122. What i want at the End is :
jenkins.domain.com redirect to domain.com:1122 without changing the url.
roundcube.domain.com redirect to domain.com:8844 without changing the url.
Is that possible?
I got it like just adding this config to the vhost.conf my subdomain(i.e jenkins) or into web server settings in Plesk.
ProxyPass / http://localhost:1122/
ProxyPassReverse / http://localhost:1122/
ProxyRequests Off
ProxyPreserveHost On
<Proxy http://localhost:1122/*>
Order deny,allow
Allow from all
</Proxy>
If all subdomains redirect it means that you have set wildcard virtual host. You have to create or modify two virtual host for every subdomain.