Hi,

I would like to build this architecture:
- a reverse proxy (based on apache 2.2.10-2.24.5) that does client
authentication with an X.509 certificate. User access is validated by an
LDAP server.
- a web server (based on apache 2.2.10-2.24.5) that runs mod_dav with
specific user-access filtering.

I set up the reverse proxy with this configuration:

<Proxy balancer://webdavcluster>
    BalancerMember http://192.168.129.18
    BalancerMember http://192.168.129.19
</Proxy>
<VirtualHost _default_:443>

    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    SSLEngine On
    SSLProxyEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile /etc/apache2/ssl.crt/client-accepted-ca-chain.crt
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLOptions +FakeBasicAuth +ExportCertData
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ServerName webdav
    ServerAlias webdav
    <Location />
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://192.168.129.19:389/ou=People,dc=XXX,dc=X,dc=X,dc=X?uid"
        AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
        AuthLDAPBindPassword X
        Require valid-user
    </Location>
    ProxyPass /balancer-manager !
    ProxyPass / balancer://webdavcluster/
    ProxyPassReverse / balancer://webdavcluster/
</VirtualHost>

On the web server, I configured:

<Directory "/srv/www/htdocs">
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes FollowSymLinks
    AuthName "WEBDav server"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://192.168.129.19:389/ou=People,dc=XXX,dc=X,dc=X,dc=X?uid"
    AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
    AuthLDAPBindPassword X
    Require valid-user
    DAV On
</Directory>

In the web server logs, I found this message:

[Tue Feb 14 14:00:42 2012] [error] [client 192.168.129.17] Encountered FakeBasicAuth spoof: /XXXXXXXX

It looks like an error due to the FakeBasicAuth option used on the reverse
proxy, but when I removed it on the reverse proxy, the reverse proxy
doesn't authenticate the user with LDAP.

So my question is: how do I do user validation on the web server based on
information sent by the reverse proxy, or how do I filter access to
specific directories?

Thanks for your help
Francois-Xavier THORET

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorization.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, France Telecom - Orange shall not be liable if this message was modified, changed or falsified.
Thank you.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
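What the posted log line shows, and one way to do what the post asks for, as an added example that is not part of the thread. With SSLOptions +FakeBasicAuth, mod_ssl on the proxy overwrites the request's Authorization header with Basic base64("<client subject DN>:password"), where the password is always the fixed string "password" (the matching AuthUserFile entry is the DN followed by xxj31ZMTZzkVA, the crypt of that string). mod_proxy forwards the header unchanged over plain HTTP, and the web server's own mod_ssl, seeing a Basic credential with that fixed password from a client that presented no certificate to it, treats it as an attempt to impersonate a certificate holder, refuses it, and logs "Encountered FakeBasicAuth spoof". The LDAP provider on the web server never gets a real password to check either. The configuration below drops FakeBasicAuth and instead has the proxy forward the verified subject in request headers; the web server accepts requests only from the proxy's address (192.168.129.17, the client address in the posted log line) and authorizes each directory on the forwarded common name. The header names X-SSL-Client-DN and X-SSL-Client-CN, the users alice, bob and carol, the reports subdirectory, the backend ServerName, and mod_headers, mod_setenvif and mod_rewrite being loaded are assumptions of this example, and the LDAP step is left out of the web server, which no longer has anything to bind with.

```apache
# Reverse proxy (httpd 2.2, mod_ssl + mod_headers + mod_proxy_balancer).
<Proxy balancer://webdavcluster>
    BalancerMember http://192.168.129.18
    BalancerMember http://192.168.129.19
</Proxy>

<VirtualHost _default_:443>
    ServerName webdav
    SSLEngine On
    # The posted SSLCipherSuite string admitted SSLv2, export and eNULL suites.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/client-accepted-ca-chain.crt
    SSLVerifyClient require
    SSLVerifyDepth 3
    # Export SSL_CLIENT_S_DN and SSL_CLIENT_S_DN_CN as environment variables.
    # No +FakeBasicAuth, so nothing is forged into the Authorization header.
    SSLOptions +StdEnvVars

    # "set" replaces whatever the client sent under these names, so the
    # backend only ever sees values taken from the verified certificate.
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-SSL-Client-CN "%{SSL_CLIENT_S_DN_CN}e"
    # A client-supplied Basic credential has no business reaching the backend.
    RequestHeader unset Authorization

    ProxyPass        /balancer-manager !
    ProxyPass        / balancer://webdavcluster/
    ProxyPassReverse / balancer://webdavcluster/
</VirtualHost>

# Backend web server (httpd 2.2, mod_dav + mod_rewrite + mod_setenvif + mod_authz_host).
<VirtualHost *:80>
    ServerName webdav-backend

    # Refuse every request that does not come from the proxy. Only behind this
    # gate can the X-SSL-Client-* headers be trusted: nobody else can set them.
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^192\.168\.129\.17$
    RewriteRule .* - [F]

    # Map forwarded certificate CNs to roles (example names).
    SetEnvIf X-SSL-Client-CN "^(alice|bob)$" dav_rw
    SetEnvIf X-SSL-Client-CN "^carol$"       dav_reports

    <Directory "/srv/www/htdocs">
        DAV On
        Options Indexes FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from env=dav_rw
    </Directory>

    # A subdirectory with its own audience. mod_authz_host does not merge
    # with the parent section in 2.2, so the Deny is restated here.
    <Directory "/srv/www/htdocs/reports">
        Order deny,allow
        Deny from all
        Allow from env=dav_rw
        Allow from env=dav_reports
    </Directory>
</VirtualHost>
```

The proxy-to-backend leg is still plain HTTP, so this only holds if nothing else on that segment can reach the backend or use the proxy's address. With https:// balancer members, SSLProxyMachineCertificateFile on the proxy and SSLVerifyClient require on the backend vhost, the backend can gate on the proxy's own certificate instead of its IP. On httpd 2.4 the two backend checks collapse into one block: a <RequireAll> containing Require ip 192.168.129.17 and Require expr %{HTTP:X-SSL-Client-CN} in {'alice','bob'}.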


  • Igor Cicimov at Feb 15, 2012 at 3:22 am
    Why do you authenticate the user twice?

  • Francois Thoret at Feb 16, 2012 at 12:39 pm
    Hi,

    I need to filter access, so I apply an authentication method. Can I do it another way?

    Francois-xavier

    From: Igor Cicimov
    Sent: Wednesday, 15 February 2012 04:21
    To: users@httpd.apache.org
    Subject: Re: [users@httpd] how to setup authentication on webserver behind a reverse proxy with x509 certificate

    Why do you authenticate the user twice?


Discussion Overview
group: users @ httpd.apache.org
categories: apache
posted: Feb 14, '12 at 1:32p
active: Feb 16, '12 at 12:39p
posts: 3
users: 2 (Francois Thoret: 2 posts, Igor Cicimov: 1 post)
website: httpd.apache.org
irc: #httpd
