Hi,

We use Apache as an authenticating proxy server to allow off-site
students to access IP-restricted ejournal sites. They provide their
university credentials which are validated by a RADIUS server. (We have
mod_auth_radius + Apache 2.0.63.) Callers configure their Web browsers
to use a Proxy Auto-Configuration File. This works fine and has done so
for many years.

However, there is a concern that the username and password are
transmitted in the clear from, typically, the student's home computer to
the university's proxy server. We'd like to send these encrypted.

I have tried using an ssl-enabled authenticating proxy server but this
confuses the browser as it attempts to talk http to an https server.
I have looked at secure tunnelling and also wondered whether or not this
could be solved using cookies. I can't see my way to make any progress
on this problem. Can anyone comment or advise on the core issue of how
one may transmit authenticating information in a secure manner.

Thanks very much.

Roy Pearce
Enterprise Systems Support Team
Computing Systems
University of Birmingham
UK

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Nils Jeppe at Apr 15, 2008 at 12:16 pm

    On 15.04.2008, at 13:22, Roy Pearce wrote:
    > I have tried using an ssl-enabled authenticating proxy server but
    > this confuses the browser as it attempts to talk http to an https
    > server.

    Mh, why is this? I don't have experience with mod_auth_radius, but I'd
    expect it to work similarly to all the other mod_auth_* modules, that
    is, internally in Apache and not exposed to the user. So it shouldn't
    be the cause...

    For the proxy I assume you use the normal ProxyPass / ProxyPass
    reverse combination?



    Best wishes
    Nils


  • Roy Pearce at Apr 15, 2008 at 2:19 pm
    Hi Nils,

    Thanks for your reply.

    Our proxy server is a forward proxy server, not a reverse one so I
    haven't used the ProxyPass and ProxyPassReverse directives.

    I replicated the (forward) proxy server, added SSL and changed the port
    to 443. The browser was configured to use this
    authenticating proxy server. The browser appears not to like talking to
    an SSL-enabled proxy server. Doing this was a stab in the dark!
    A guess, if you like and it's possibly a forlorn hope.

    Are there other ways to transmit the credentials in an encrypted manner
    rather than in plain text?

    Regards,

    Roy

    Nils Jeppe wrote:
    > On 15.04.2008, at 13:22, Roy Pearce wrote:
    >> I have tried using an ssl-enabled authenticating proxy server but
    >> this confuses the browser as it attempts to talk http to an https
    >> server.
    >
    > Mh, why is this? I don't have experience with mod_auth_radius, but I'd
    > expect it to work similarly to all the other mod_auth_* modules, that
    > is, internally in Apache and not exposed to the user. So it shouldn't
    > be the cause...
    >
    > For the proxy I assume you use the normal ProxyPass / ProxyPass
    > reverse combination?
    >
    > Best wishes
    > Nils

  • Nick Kew at Apr 15, 2008 at 2:44 pm

    On Tue, 15 Apr 2008 15:19:01 +0100 Roy Pearce wrote:

    > The browser appears not to like talking to
    > an SSL-enabled proxy server.

    Sounds to me like a browser misconfiguration.

    > Are there other ways to transmit the credentials in an encrypted
    > manner rather than in plain text?

    HTTP digest authentication.

    --
    Nick Kew

    Application Development with Apache - the Apache Modules Book
    http://www.apachetutor.org/

  • Roy Pearce at Apr 17, 2008 at 2:29 pm
    Hi Nick,

    Thanks for your comments.

    Nick Kew wrote:
    > On Tue, 15 Apr 2008 15:19:01 +0100
    > Roy Pearce wrote:
    >
    >> The browser appears not to like talking to
    >> an SSL-enabled proxy server.
    >
    > Sounds to me like a browser misconfiguration.

    All I changed was the port number to point to a secure authenticating
    proxy server.

    It appears that FF assumes the proxy server is talking HTTP when I would
    like it to talk HTTPS.
    There doesn't appear to be any way to define the protocol when
    configuring a proxy server.
    (Of course, if this was to work, then all of the traffic would be
    encrypted - which would be overkill!)

    >> Are there other ways to transmit the credentials in an encrypted
    >> manner rather than in plain text?
    >
    > HTTP digest authentication.

    We can't use Digest as the password file is not on the same machine. We
    use mod_auth_radius to connect to a RADIUS server (on another machine)
    to check credentials against the ADF database.

    Regards,

    Roy Pearce
    Computing Systems
    University of Birmingham
    UK

  • Nick Kew at Apr 17, 2008 at 3:15 pm

    On Thu, 17 Apr 2008 15:28:19 +0100 Roy Pearce wrote:

    >> Sounds to me like a browser misconfiguration.
    >
    > All I changed was the port number to point to a secure authenticating
    > proxy server.
    >
    > It appears that FF assumes the proxy server is talking HTTP when I
    > would like it to talk HTTPS.

    Sorry, I'm no expert on firefox. Did you try its "about:"?
    I expect there's a plugin for it, if it really isn't builtin.

    >> HTTP digest authentication.
    >
    > We can't use Digest as the password file is not on the same machine.
    > We use mod_auth_radius to connect to a RADIUS server (on another
    > machine) to check credentials against the ADF database.

    One of the changes in 2.2 over earlier versions is that the HTTP
    authentication method (Basic/Digest/Homebrew) is decoupled from
    the backend lookup (radius, in your case). So that's no longer
    an issue, assuming the radius authentication module has been
    updated to use the new framework.

    --
    Nick Kew

    Application Development with Apache - the Apache Modules Book
    http://www.apachetutor.org/

  • Neil A. Hillard at Apr 17, 2008 at 3:34 pm
    Hi,

    Nick Kew wrote:
    > On Thu, 17 Apr 2008 15:28:19 +0100
    > Roy Pearce wrote:
    >>> Sounds to me like a browser misconfiguration.
    >>
    >> All I changed was the port number to point to a secure authenticating
    >> proxy server.
    >>
    >> It appears that FF assumes the proxy server is talking HTTP when I
    >> would like it to talk HTTPS.
    >
    > Sorry, I'm no expert on firefox. Did you try its "about:"?
    > I expect there's a plugin for it, if it really isn't builtin.
    >
    >>> HTTP digest authentication.
    >>
    >> We can't use Digest as the password file is not on the same machine.
    >> We use mod_auth_radius to connect to a RADIUS server (on another
    >> machine) to check credentials against the ADF database.
    >
    > One of the changes in 2.2 over earlier versions is that the HTTP
    > authentication method (Basic/Digest/Homebrew) is decoupled from
    > the backend lookup (radius, in your case). So that's no longer
    > an issue, assuming the radius authentication module has been
    > updated to use the new framework.

    We (as Nick knows) had major problems with mod_auth_radius so we
    commissioned mod_auth_xradius

    http://www.outoforder.cc/projects/apache/mod_auth_xradius/

    which should be fully compatible with Apache 2.2.

    HTH,


    Neil.

    --
    Neil Hillard neil.hillard@agustawestland.com
    AgustaWestland http://www.whl.co.uk/

    Disclaimer: This message does not necessarily reflect the
    views of Westland Helicopters Ltd.

  • Emmanuel E at Apr 18, 2008 at 4:13 am
    No, FF will not communicate to a proxy using SSL. It will communicate
    using SSL to any webserver via proxy or directly, but not to a proxy
    using SSL. It's not forbidden, but it's not explicitly defined anywhere.
    Similar to bug http://issues.apache.org/bugzilla/show_bug.cgi?id=29744

    Till Necko comes out I don't think it will be possible to tinker with the
    network code in mozilla.

    So that leaves us with NTLM, Digest or Radius. Hope you are able to get
    something to work.

    Neil A. Hillard wrote:
    > Hi,
    >
    > Nick Kew wrote:
    >> On Thu, 17 Apr 2008 15:28:19 +0100
    >> Roy Pearce wrote:
    >>>> Sounds to me like a browser misconfiguration.
    >>>
    >>> All I changed was the port number to point to a secure
    >>> authenticating proxy server.
    >>>
    >>> It appears that FF assumes the proxy server is talking HTTP when I
    >>> would like it to talk HTTPS.
    >>
    >> Sorry, I'm no expert on firefox. Did you try its "about:"?
    >> I expect there's a plugin for it, if it really isn't builtin.
    >>
    >>>> HTTP digest authentication.
    >>>
    >>> We can't use Digest as the password file is not on the same machine.
    >>> We use mod_auth_radius to connect to a RADIUS server (on another
    >>> machine) to check credentials against the ADF database.
    >>
    >> One of the changes in 2.2 over earlier versions is that the HTTP
    >> authentication method (Basic/Digest/Homebrew) is decoupled from
    >> the backend lookup (radius, in your case). So that's no longer
    >> an issue, assuming the radius authentication module has been
    >> updated to use the new framework.
    >
    > We (as Nick knows) had major problems with mod_auth_radius so we
    > commissioned mod_auth_xradius
    >
    > http://www.outoforder.cc/projects/apache/mod_auth_xradius/
    >
    > which should be fully compatible with Apache 2.2.
    >
    > HTH,
    >
    > Neil.
  • Emmanuel E at Apr 17, 2008 at 9:08 am
    Try using NTLM which provides some level of security or else try digest
    authentication using mod_auth_digest

    Roy Pearce wrote:
    > Hi Nils,
    >
    > Thanks for your reply.
    >
    > Our proxy server is a forward proxy server, not a reverse one so I
    > haven't used the ProxyPass and ProxyPassReverse directives.
    >
    > I replicated the (forward) proxy server, added SSL and changed the
    > port to 443. The browser was configured to use this
    > authenticating proxy server. The browser appears not to like talking
    > to an SSL-enabled proxy server. Doing this was a stab in the dark!
    > A guess, if you like and it's possibly a forlorn hope.
    >
    > Are there other ways to transmit the credentials in an encrypted
    > manner rather than in plain text?
    >
    > Regards,
    >
    > Roy
    >
    > Nils Jeppe wrote:
    >> On 15.04.2008, at 13:22, Roy Pearce wrote:
    >>> I have tried using an ssl-enabled authenticating proxy server but
    >>> this confuses the browser as it attempts to talk http to an https
    >>> server.
    >>
    >> Mh, why is this? I don't have experience with mod_auth_radius, but
    >> I'd expect it to work similarly to all the other mod_auth_* modules,
    >> that is, internally in Apache and not exposed to the user. So it
    >> shouldn't be the cause...
    >>
    >> For the proxy I assume you use the normal ProxyPass / ProxyPass
    >> reverse combination?
    >>
    >> Best wishes
    >> Nils



Discussion Overview
group: users @
categories: apache
posted: Apr 15, '08 at 11:23a
active: Apr 18, '08 at 4:13a
posts: 9
users: 5
website: httpd.apache.org
irc: #httpd
