Posted to users@httpd.apache.org by Joost de Heer <sa...@xs4all.nl> on 2006/01/06 11:42:02 UTC
[users@httpd] Double authentication for a website?
I have a reverse proxy which needs double authentication: First the
reverse proxy itself has an authentication, and then the machine that is
reverse proxied to has authentication.
Software used:
- Apache 2.2.0 on Linux (Red Hat Enterprise Linux AS release 3 (Taroon
Update 6), running kernel 2.4.21-37.ELsmp)
- mod_auth_xradius 0.4.6
Despite mod_auth_xradius being used, I have the feeling that this is an
Apache issue and not a radius issue.
I have configured the server as follows (and if you ask 'why ExtFilter'?
mod_proxy_html crashed on this server):

ExtFilterDefine revproxy cmd="/bin/sed s/http:..172.28.0.1[56]//g" mode=output outtype=text/html
<VirtualHost 145.7.1.73:443>
    SSLEngine on
    ServerName xxx.yyy.zzz
    SSLCertificateFile conf/ssl/xxx.yyy.zzz.cer
    SSLCertificateKeyFile conf/ssl/xxx.yyy.zzz.key
    SSLCertificateChainFile conf/ssl/ca.cer
    ProxyPass /balancer !
    ProxyPass / balancer://webmailcluster/
    ProxyPassReverse / http://172.28.0.15
    ProxyPassReverse / http://172.28.0.16
    <Location />
        ProxyPassReverse /
        SetOutputFilter revproxy
        AuthName "Token authenticatie verplicht"
        AuthType basic
        AuthXRadiusAddServer 172.28.0.8 XXXXXX
        AuthXRadiusTimeout 5
        AuthXRadiusRetries 2
        Require valid-user
    </Location>
    <Proxy balancer://webmailcluster>
        BalancerMember http://172.28.0.15
        BalancerMember http://172.28.0.16
    </Proxy>
</VirtualHost>

However, this results in a 500 internal server error and the following
error is logged:
[Thu Jan 05 10:10:15 2006] [crit] [client IPaddress] configuration error: couldn't check access. No groups file?: /
When I add 'Satisfy any', everything works, but then the radius
authentication is skipped.
- Why is Apache complaining about a groupfile, while I never configured
anything needing a groupfile?
- Is this situation an unsupported scenario, or am I doing something wrong?
If any more information is needed, let me know.
Joost
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Double authentication for a website?
Posted by "Neil A. Hillard" <hi...@whl.co.uk>.
Joost,
Joost de Heer wrote:
> I have a reverse proxy which needs double authentication: First the
> reverse proxy itself has an authentication, and then the machine that
> is reverse proxied to has authentication.
We're using a similar setup and using the following in our
configuration. For users who need to be in a specific group (munged to
protect the innocent):

<Location /secure>
    AuthType Basic
    AuthName "Unauthorised access prohibited"
    AuthXRadiusAddServer "192.168.1.1:1645" "secret"
    AuthXRadiusTimeout 2
    AuthXRadiusRetries 2
    AuthUserFile /dev/null
    AuthGroupFile /etc/httpd/conf/groups.conf
    AuthAuthoritative Off
    require group access
    Satisfy any
</Location>

And for any valid member:

<Location /secure>
    AuthType Basic
    AuthName "Unauthorised access prohibited"
    AuthXRadiusAddServer "192.168.1.1:1645" "secret"
    AuthXRadiusTimeout 2
    AuthXRadiusRetries 2
    AuthUserFile /dev/null
    AuthGroupFile /etc/httpd/conf/groups.conf
    AuthAuthoritative Off
    require valid-user
    Satisfy any
</Location>

There's a group file specified for both as that chunk of configuration
is actually included from a separate file. You should be able to
specify /dev/null for the group file.
You will not, however, be able to perform basic authentication on both
the accelerator _and_ the backend server. Because they both share the
same headers it'll never work (unless the usernames and passwords are
the same and you forward them from the accelerator).
HTH,
Neil.
--
Neil Hillard hillardn@whl.co.uk
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
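
Added example (not part of either post, and not Apache or mod_auth_xradius code): a small Python model of the point made in the reply above, that a request carries only one Authorization header, so Basic authentication at the proxy and at the backend both end up checking the same credentials. The account name, passwords and realm names are constructed; the backend_auth option, which replaces the header before forwarding, is an assumption that goes beyond what the thread proposes.

```python
import base64
import hmac

def basic(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(headers, users, realm):
    """Return (200, None) on a credential match, else (401, challenge)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except ValueError:  # bad base64 or not UTF-8
            decoded = ""
        user, _, password = decoded.partition(":")
        expected = users.get(user)
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            return 200, None
    return 401, f'Basic realm="{realm}"'

def proxy(headers, proxy_users, backend_users, backend_auth=None):
    """Check the request at the proxy, then at the backend.

    Returns (layer_that_answered, status, WWW-Authenticate value).
    backend_auth=None forwards the client's header unchanged; a value
    replaces it before forwarding (assumption, not from the thread).
    """
    status, challenge = check_basic(headers, proxy_users, "proxy")
    if status != 200:
        return ("proxy", status, challenge)
    forwarded = dict(headers)
    if backend_auth is not None:
        forwarded["Authorization"] = backend_auth
    return ("backend",) + check_basic(forwarded, backend_users, "webmail")

# Constructed credential stores: the two layers hold different secrets.
PROXY_USERS = {"joost": "token-123456"}    # stands in for the RADIUS check
BACKEND_USERS = {"joost": "webmail-pass"}  # stands in for the webmail login

if __name__ == "__main__":
    for pw in ("token-123456", "webmail-pass"):
        print(pw, proxy({"Authorization": basic("joost", pw)},
                        PROXY_USERS, BACKEND_USERS))
```

With different secrets at each layer, the proxy's credentials are rejected by the backend and the backend's credentials are rejected by the proxy, so the client is challenged again whichever set it sends.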