Posted to users@trafficserver.apache.org by Scott Harris <sc...@harrisnet.id.au> on 2013/10/01 23:48:07 UTC
Ats as forward with user auth
Hi,
Looking at using ATS as a forward proxy and requiring user auth to Active
Directory with SSO. Can this be done?
Scott
Re: Ats as forward with user auth
Posted by "Harris, Scott" <Sc...@sensis.com.au>.
When I get Active Directory working I will document and send it through so it can be added also.
Scott
-------- Original message --------
From: Leif Hedstrom <zw...@apache.org>
Date:
To: users@trafficserver.apache.org
Subject: Re: Ats as forward with user auth
On Oct 2, 2013, at 3:34 AM, Luca Rea <lu...@contactlab.com> wrote:
>
>
> ATS - Plugin.config:
> authproxy.so --auth-transform=redirect --auth-host=127.0.0.1 --auth-port=80
>
We should document this in Wiki or Sphinx docs (or both). I personally like the Wiki as a sandbox to work / collaborate with everyone, and then move as appropriate. But I'm ok either way, docs like this obviously belong in the official docs long term.
Note that you need to request Karma to write to the Confluence, this was changed recently. I'm currently not sure how this process works (I just got back from vacation).
Miles: Do you know how this works now? How do people get karma to write to the Confluence?
-- Leif
Re: Ats as forward with user auth
Posted by Leif Hedstrom <zw...@apache.org>.
On Oct 2, 2013, at 3:34 AM, Luca Rea <lu...@contactlab.com> wrote:
>
>
> ATS - Plugin.config:
> authproxy.so --auth-transform=redirect --auth-host=127.0.0.1 --auth-port=80
>
We should document this in Wiki or Sphinx docs (or both). I personally like the Wiki as a sandbox to work / collaborate with everyone, and then move as appropriate. But I'm ok either way, docs like this obviously belong in the official docs long term.
Note that you need to request Karma to write to the Confluence, this was changed recently. I'm currently not sure how this process works (I just got back from vacation).
Miles: Do you know how this works now? How do people get karma to write to the Confluence?
-- Leif
RE: Ats as forward with user auth
Posted by Luca Rea <lu...@contactlab.com>.
You're welcome
RE: Ats as forward with user auth
Posted by Scott Harris <sc...@harrisnet.id.au>.
Thanks for that, will run it up tomorrow.
On 02/10/2013 7:35 PM, "Luca Rea" <lu...@contactlab.com> wrote:
>
>
> ATS - Plugin.config:
> authproxy.so --auth-transform=redirect --auth-host=127.0.0.1 --auth-port=80
>
>
>
> Apache with postgreSQL:
>
> DBDriver pgsql
> DBDParams "dbname=apacheauth host=127.0.0.1 port=5432 user=<user> password=<password>"
>
> DBDMin 4
> DBDKeep 8
> DBDMax 20
> DBDExptime 300
>
> <LocationMatch "^/+$">
>
> # Apache goes on to look for a local page, but it must return 200 when
> # authentication succeeds (ATS expects it!) -> rewrite everything
> RewriteEngine on
> RewriteRule ^ /.noindex.html
>
> # core authentication and mod_auth_digest configuration
> # for mod_authn_dbd
> AuthType Digest
> AuthName "My Proxy"
> AuthDigestDomain /
> AuthDigestProvider dbd
>
> # core authorization configuration
> Require valid-user
>
> # mod_authn_dbd SQL query to authenticate a user and realm
> AuthDBDUserRealmQuery \
> "SELECT password FROM authn WHERE username = %s AND realm = %s"
>
> Options -Indexes
> ErrorDocument 403 /.noindex.html
> </LocationMatch>
>
> <Directory /usr/share/httpd/noindex>
> AllowOverride None
> Require all granted
> </Directory>
>
> Alias /.noindex.html /usr/share/httpd/noindex/index.html
>
RE: Ats as forward with user auth
Posted by Luca Rea <lu...@contactlab.com>.
ATS - Plugin.config:
authproxy.so --auth-transform=redirect --auth-host=127.0.0.1 --auth-port=80

Apache with PostgreSQL:

DBDriver pgsql
DBDParams "dbname=apacheauth host=127.0.0.1 port=5432 user=<user> password=<password>"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300

<LocationMatch "^/+$">
    # Apache goes on to look for a local page, but it must return 200 when
    # authentication succeeds (ATS expects it!) -> rewrite everything
    RewriteEngine on
    RewriteRule ^ /.noindex.html

    # core authentication and mod_auth_digest configuration
    # for mod_authn_dbd
    AuthType Digest
    AuthName "My Proxy"
    AuthDigestDomain /
    AuthDigestProvider dbd

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user and realm
    AuthDBDUserRealmQuery \
        "SELECT password FROM authn WHERE username = %s AND realm = %s"

    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>

<Directory /usr/share/httpd/noindex>
    AllowOverride None
    Require all granted
</Directory>

Alias /.noindex.html /usr/share/httpd/noindex/index.html
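
With AuthType Digest and AuthDigestProvider dbd, the password column returned by the query above has to hold the digest hash MD5(username:realm:password), with the realm equal to the AuthName. The following is an added example, not part of the original post, that builds such a row and checks a client response the way RFC 2617 (qop=auth) defines it; the function names and the INSERT statement in the docstring are assumptions.

```python
import hashlib
import hmac

# Must match AuthName in the Apache config byte for byte, or every login fails.
REALM = "My Proxy"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Value mod_authn_dbd expects in authn.password for digest auth."""
    return _md5(f"{username}:{realm}:{password}")


def authn_row(username: str, password: str, realm: str = REALM) -> tuple:
    """Parameters for a parameterised statement such as (assumed schema):
    INSERT INTO authn (username, realm, password) VALUES (%s, %s, %s)
    """
    return (username, realm, ha1(username, realm, password))


def expected_response(stored_ha1: str, method: str, uri: str,
                      nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest computed from the stored HA1 (qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1: str, client_response: str, **fields) -> bool:
    """Constant-time comparison of the client's response with the expected one."""
    return hmac.compare_digest(expected_response(stored_ha1, **fields),
                               client_response.lower())


if __name__ == "__main__":
    # Constructed sample user; the realm comes from the config above.
    print(authn_row("alice", "s3cret-example"))
```

The stored hash is password-equivalent for its realm, so the authn table needs the same protection as a plaintext password store.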
RE: Ats as forward with user auth
Posted by Scott Harris <sc...@harrisnet.id.au>.
Thanks I will give it a try. I guess when you say with apache I just set up
a basic apache web server with an auth page using mod_auth_ldap module etc
and point the ats plugin at it?
On 02/10/2013 5:14 PM, "Luca Rea" <lu...@contactlab.com> wrote:
> Hi Scott,
> Some days ago I tested the authentication plugin of ATS in forward
> mode with Apache and PostgreSQL so I suppose it can work with LDAP or
> anything else too. In my experience it works but soon takes off available
> connections on db. Adding a middle layer with lua and memcache to store
> authenticated users and ban the failed ones for n consecutive retries
> should be a solution to avoid resource expensive lookups over database (or
> other auth mechanism).
> I hope that helps.
>
RE: Ats as forward with user auth
Posted by Luca Rea <lu...@contactlab.com>.
Hi Scott,
Some days ago I tested the authentication plugin of ATS in forward mode with Apache and PostgreSQL so I suppose it can work with LDAP or anything else too. In my experience it works but soon takes off available connections on db. Adding a middle layer with lua and memcache to store authenticated users and ban the failed ones for n consecutive retries should be a solution to avoid resource expensive lookups over database (or other auth mechanism).
I hope that helps.
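
The middle layer suggested above, sketched as an added example that is not part of the original post: it caches successful logins for a TTL and stops querying the backend for a user after n consecutive failures. It is written in Python with in-process dictionaries standing in for memcache, and the class name, parameters and backend callable are assumptions.

```python
import hashlib
import hmac
import os
import time


class AuthCache:
    """Front for an expensive auth backend (database, LDAP, ...)."""

    def __init__(self, backend, ttl=300, max_failures=5, ban_seconds=900,
                 clock=time.monotonic):
        self.backend = backend            # callable(user, secret) -> bool
        self.ttl = ttl
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds
        self.clock = clock
        self._key = os.urandom(32)        # cache keys never contain the secret itself
        self._ok = {}                     # cache key -> expiry time
        self._fails = {}                  # user -> consecutive failures
        self._banned = {}                 # user -> ban expiry time
        self.backend_calls = 0

    def _cache_key(self, user, secret):
        msg = f"{len(user)}:{user}:{secret}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def check(self, user, secret):
        now = self.clock()
        key = self._cache_key(user, secret)
        # Cached successes are served first, so a ban triggered by someone
        # guessing does not lock out a session that already authenticated.
        if self._ok.get(key, 0) > now:
            return True
        self._ok.pop(key, None)
        if self._banned.get(user, 0) > now:
            return False                  # banned: no backend lookup at all
        self._banned.pop(user, None)
        self.backend_calls += 1
        if self.backend(user, secret):
            self._ok[key] = now + self.ttl
            self._fails.pop(user, None)
            return True
        self._fails[user] = self._fails.get(user, 0) + 1
        if self._fails[user] >= self.max_failures:
            self._banned[user] = now + self.ban_seconds
            self._fails.pop(user, None)
        return False
```

A cached success stays valid until its TTL runs out even if the account is disabled in the backend, so the TTL bounds how long a revoked user can keep using the proxy.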