Posted to users@httpd.apache.org by Roderick <hr...@gmail.com> on 2020/03/01 15:07:27 UTC

[users@httpd] mod_cgi not passing headers for authentication

Dear Sirs,

running a CGI script, in which I myself implement basic
authentication, I miss necessary headers:

REMOTE_USER
AUTH_TYPE
HTTP_AUTHORIZATION

According to https://tools.ietf.org/html/rfc3875 the first MUST be passed.

Is there a way to get these headers?

I get the last putting in the config file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

But I also need the first header. How to get apache to work like
standard httpd?

If possible, I want to keep Apache's authentication of static pages.

Thanks
Rodrigo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Will Fatherley <we...@gmail.com>.
Is there a possibility that you can configure a vhost that forwards to the
vhost that you are running cgi in?  In that case, you'll get an
http-forwarded-for header with the address you want.  This of course is a
hack, and may not be appropriate.

On Tue, Mar 10, 2020 at 10:53 AM Yann Ylavic <yl...@gmail.com> wrote:

> On Tue, Mar 10, 2020 at 2:46 AM Roderick <hr...@gmail.com> wrote:
> >
> > Excuse me the question: does httpd obtain REMOTE_USER by parsing
> > the AUTHORIZATION header?
>
> Yes, that's where it's available for basic auth, so mod_auth_basic
> will do this:
> https://github.com/winlibs/apache/blob/master/2.4.x/modules/aaa/mod_auth_basic.c#L139
> (i.e. anything up to the first ':' after base64 decoding).
>
> > The same with AUTH_TYPE?
>
> Same, set to "basic" by mod_auth_basic when doing auth by itself.
>
>
> Regards,
> Yann.

Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Mar 10, 2020 at 2:46 AM Roderick <hr...@gmail.com> wrote:
>
> Excuse me the question: does httpd obtain REMOTE_USER by parsing
> the AUTHORIZATION header?

Yes, that's where it's available for basic auth, so mod_auth_basic
will do this: https://github.com/winlibs/apache/blob/master/2.4.x/modules/aaa/mod_auth_basic.c#L139
(i.e. anything up to the first ':' after base64 decoding).

> The same with AUTH_TYPE?

Same, set to "basic" by mod_auth_basic when doing auth by itself.


Regards,
Yann.



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Roderick <hr...@gmail.com>.
On Tue, 3 Mar 2020, Yann Ylavic wrote:

>> With this I get HTTP_AUTHORIZATION, but unfortunately not REMOTE_USER.
>
> Sure, if httpd isn't doing auth it will not care about REMOTE_USER nor
> parse the Authorization header.

Excuse me the question: does httpd obtain REMOTE_USER by parsing 
the AUTHORIZATION header? The same with AUTH_TYPE?

Thanks
Rod.




Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Yann Ylavic <yl...@gmail.com>.
Sorry I meant: https://tools.ietf.org/html/rfc2617#section-2 here:

>
> User names never have ':', per
> https://tools.ietf.org/html/rfc2617#section-3.2.2 :
>
>       user-pass   = userid ":" password
>       userid      = *<TEXT excluding ":">
>       password    = *TEXT



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Mar 3, 2020 at 12:12 AM Roderick <hr...@gmail.com> wrote:
>
> Thanks, Yann!
>
> With this I get HTTP_AUTHORIZATION, but unfortunately not REMOTE_USER.

Sure, if httpd isn't doing auth it will not care about REMOTE_USER nor
parse the Authorization header.

>
> If user names do not have ":", I can get the username.

User names never have ':', per
https://tools.ietf.org/html/rfc2617#section-3.2.2 :

      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

Nothing special in httpd when it does auth, REMOTE_USER is extracted
from the Authorization header (HTTP_AUTHORIZATION) as "everything
before the first ':'". Your CGI has to do the same thing if it's
responsible for the auth.

Regards,
Yann.
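
What the reply above describes, as an added example that is not part of the original thread: a Python CGI script that derives REMOTE_USER and AUTH_TYPE itself from HTTP_AUTHORIZATION, splitting on the first ':' only. It assumes the header reaches the script (SetEnvIf or CGIPassAuth, as discussed in the thread); the USERS table, the realm name and the function names are constructed for illustration.

```python
import base64
import hmac

# Constructed credential store for this example only; a real script would
# verify salted password hashes instead of plaintext values.
USERS = {"rod": "s3cret:with:colons"}

def parse_basic(header):
    """Return (scheme, userid, password) from an Authorization value, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # user-pass = userid ":" password -- split on the FIRST ':' only,
    # because the password itself may contain further colons.
    userid, sep, password = decoded.partition(":")
    if not sep or not userid:
        return None
    return (scheme, userid, password)

def authenticate(environ, users=USERS):
    """Return the REMOTE_USER/AUTH_TYPE pair, or None when a 401 is due."""
    parsed = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if parsed is None:
        return None
    scheme, userid, password = parsed
    expected = users.get(userid)
    # compare_digest avoids leaking how many leading characters matched
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return {"REMOTE_USER": userid, "AUTH_TYPE": scheme}

def respond(environ):
    """Build the CGI response (headers plus body) for a request environment."""
    ident = authenticate(environ)
    if ident is None:
        return ('Status: 401 Unauthorized\n'
                'WWW-Authenticate: Basic realm="cgi"\n'
                'Content-Type: text/plain\n\nauthentication required\n')
    return 'Content-Type: text/plain\n\nhello %s\n' % ident["REMOTE_USER"]

if __name__ == "__main__":
    import os
    print(respond(os.environ), end="")
```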



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Roderick <hr...@gmail.com>.
Thanks, Yann!

With this I get HTTP_AUTHORIZATION, but unfortunately not REMOTE_USER.

If user names do not have ":", I can get the username.


> On Sun, Mar 1, 2020 at 7:33 PM Roderick <hr...@gmail.com> wrote:
> 
> [...] 
> You seem to want: https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Yann Ylavic <yl...@gmail.com>.
On Sun, Mar 1, 2020 at 7:33 PM Roderick <hr...@gmail.com> wrote:
>
> I do not want apache "doing basic auth". I want to do it in the
> cgi script myself, and as I understand RFC3875, the headers in
> question should be passed for that purpose.

You seem to want: https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth

Regards,
Yann.



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Jonathon Koyle <li...@gmail.com>.
That standard states:


if the client request required authentication for external
access, then the server MUST set the value of this variable from the
'auth-scheme' token in the request Authorization header field.


However, you are configuring Apache to NOT authenticate and therefore
Apache CANNOT provide those headers.
It never asked for them, and has no knowledge of any authentication you are
requiring in the CGI script.
At this point, the 'authenticating server' is your CGI script.

Also, keep in mind it also provides this disclaimer:

   This document is not a candidate for any level of Internet Standard.
   The IETF disclaims any knowledge of the fitness of this document for
   any purpose, and in particular notes that it has not had IETF review
   for such things as security, congestion control or inappropriate
   interaction with deployed protocols.  The RFC Editor has chosen to
   publish this document at its discretion.  Readers of this document
   should exercise caution in evaluating its value for implementation
   and deployment.


On Sun, Mar 1, 2020 at 11:33 AM Roderick <hr...@gmail.com> wrote:

>
> I do not want apache "doing basic auth". I want to do it in the
> cgi script myself, and as I understand RFC3875, the headers in
> question should be passed for that purpose.
>
> Thanks anyway
> Rodrigo
>
>
> On Sun, 1 Mar 2020, Eric Covener wrote:
>
> > If Apache isn't doing basic auth, it can't supply REMOTE_USER to you,
> > because it hasn't authenticated anyone.  Similar for AUTH_TYPE -- the
> > server hasn't done any auth.
> > Authorization isn't passed by default intentionally as a typical CGI
> > has no business w/ the user's credentials.

-- 
Jonathon Koyle

Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Roderick <hr...@gmail.com>.
I do not want apache "doing basic auth". I want to do it in the
cgi script myself, and as I understand RFC3875, the headers in
question should be passed for that purpose.

Thanks anyway
Rodrigo


On Sun, 1 Mar 2020, Eric Covener wrote:

> If Apache isn't doing basic auth, it can't supply REMOTE_USER to you,
> because it hasn't authenticated anyone.  Similar for AUTH_TYPE -- the
> server hasn't done any auth.
> Authorization isn't passed by default intentionally as a typical CGI
> has no business w/ the user's credentials.



Re: [users@httpd] mod_cgi not passing headers for authentication

Posted by Eric Covener <co...@gmail.com>.
On Sun, Mar 1, 2020 at 10:07 AM Roderick <hr...@gmail.com> wrote:
>
>
> Dear Sirs,
>
> running a CGI script, in which I myself implement basic
> authentication, I miss necessary headers:
>
> REMOTE_USER
> AUTH_TYPE
> HTTP_AUTHORIZATION
>
> According to https://tools.ietf.org/html/rfc3875 the first MUST be passed.
>
> Is there a way to get these headers?
>
> I get the last putting in the config file:
>
> SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
>
> But I also need the first header. How to get apache to work like
> standard httpd?
>
> If possible, I want to keep Apache's authentication of static pages.

If Apache isn't doing basic auth, it can't supply REMOTE_USER to you,
because it hasn't authenticated anyone.  Similar for AUTH_TYPE -- the
server hasn't done any auth.
Authorization isn't passed by default intentionally as a typical CGI
has no business w/ the user's credentials.
