Posted to users@httpd.apache.org by Keith Lawson <Ke...@sjhc.london.on.ca> on 2014/03/03 23:40:29 UTC

[users@httpd] mod_rewrite redirect to login page

Hello, 
 
I'm attempting to set up a site with a mixture of mod_auth_kerb and an in house mod_perl2 auth handler we wrote. Basically what I need to do is when you hit the root of the site if "REMOTE_USER" isn't populated and you're on the LAN redirect to a page under mod_auth_kerb that sets a ticket and if you're outside our LAN redirect to a page where our users can manually log in. My rewrite rule never seems to see "REMOTE_USER" as populated even though I'm using "LA-U:REMOTE_USER" so the rewrite rule keeps kicking in and redirecting over to the mod_auth_kerb page which redirects back to Apache. I've searched Google and the lists here and I can't seem to solve the problem. Here's my current configuration: 
 
   <Location /kltest>
	  AuthType Site::SSO
	  AuthName sso
	  PerlAuthenHandler  Site::SSO->authenticate
	  PerlAuthzHandler   Site::SSO->authorize
	  require valid-user
   </Location>
 
   RewriteEngine On
   RewriteLog /var/log/apache2/rewrite.log
   RewriteLogLevel 5
 
   # Redirect to pass through authentication if internal
   #
   RewriteCond %{REMOTE_ADDR} ^10\..*$
   RewriteCond %{LA-U:REMOTE_USER} !(.+)
   RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
 
   # Redirect to manual authentication if external
   #
   RewriteCond %{LA-U:REMOTE_USER} !(.+)
   RewriteCond %{REMOTE_ADDR}	  !^10\..*$
   RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
 
 
"Site::SSO" is our in house Apache2::AuthCookie auth handler, the ticket for this is set once you authenticate to one of the pages on "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite rules but mod_rewrite never sees anything in "REMOTE_USER". What am I missing? 
 
Thanks, 
Keith.

 --------------------------------------------------------------------------------
This information is directed in confidence solely to the person named above and may contain confidential and/or privileged material. This information may not otherwise be distributed, copied or disclosed. If you have received this e-mail in error, please notify the sender immediately via a return e-mail and destroy original message. Thank you for your cooperation.
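
An added example, not part of the original post and not httpd code: a small Python model of the two rule sets above, run over constructed requests. It shows that while the look-ahead value for REMOTE_USER stays empty, every request for /kltest/env is redirected again, which is the loop described; the `evaluate` helper and the sample addresses are assumptions made for illustration.

```python
import re

AUTO = "https://sso.lhsc.on.ca/signauto/in"    # target of the "internal" rule
MANUAL = "https://sso.lhsc.on.ca/sign/in"      # target of the "external" rule

# The two rule sets from the post: (conditions, URI pattern, target).
# Each condition is (variable, regex, negated); conditions are ANDed.
RULES = [
    ([("REMOTE_ADDR", r"^10\..*$", False),
      ("LA-U:REMOTE_USER", r"(.+)", True)], r"^/kltest/env$", AUTO),
    ([("LA-U:REMOTE_USER", r"(.+)", True),
      ("REMOTE_ADDR", r"^10\..*$", True)], r"^/kltest/env$", MANUAL),
]


def cond_matches(value, regex, negated):
    """One RewriteCond: the regex test, inverted when the pattern has a leading '!'."""
    hit = re.search(regex, value) is not None
    return hit != negated


def evaluate(uri, env):
    """Return the redirect target of the first rule that fires, or None.

    As in mod_rewrite, the rule pattern is tested first and the conditions
    only afterwards. A variable missing from env expands to the empty string.
    """
    for conds, pattern, target in RULES:
        if not re.search(pattern, uri):
            continue
        if all(cond_matches(env.get(var, ""), rx, neg) for var, rx, neg in conds):
            return target
    return None


# Constructed requests: (description, URI, variables as the rules see them).
SAMPLES = [
    ("LAN, look-ahead empty", "/kltest/env",
     {"REMOTE_ADDR": "10.1.2.3", "LA-U:REMOTE_USER": ""}),
    ("outside, look-ahead empty", "/kltest/env",
     {"REMOTE_ADDR": "192.0.2.7", "LA-U:REMOTE_USER": ""}),
    ("LAN, look-ahead populated", "/kltest/env",
     {"REMOTE_ADDR": "10.1.2.3", "LA-U:REMOTE_USER": "keith"}),
]

if __name__ == "__main__":
    for label, uri, env in SAMPLES:
        print(f"{label:28} -> {evaluate(uri, env)}")
```
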

Re: [users@httpd] mod_rewrite redirect to login page

Posted by Rich Bowen <rb...@rcbowen.com>.
On 03/04/2014 03:12 PM, Keith Lawson wrote:
>> I suspect that you might be able to do the same thing with
>>
>> ErrorDocument 403 https://sso.lhsc.on.ca/signauto/in
>>
>> and avoid the convolutions of mod_rewrite here. Assuming your in-house
>> mod_perl auth handler returns a 403 on auth failure.
> Actually that's how Apache2::Authcookie works. So with a single login page it redirects to a form that you configure. My challenge here is that I need to redirect to different authentication pages depending on the IP the request comes from.
>
> I ended up solving the problem by implementing it in the authz handler but unless I'm reading the documentation incorrectly it should be possible with mod_rewrite too.

It probably should, but LA-U is a finicky beast.

-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_rewrite redirect to login page

Posted by Keith Lawson <Ke...@sjhc.london.on.ca>.

>>> On 2014/03/04 at 10:44 AM, in message <53...@rcbowen.com>, Rich Bowen <rb...@rcbowen.com> wrote:

> On 03/03/2014 05:40 PM, Keith Lawson wrote:
>> Hello,
>>    # Redirect to pass through authentication if internal
>>    #
>>    RewriteCond %{REMOTE_ADDR} ^10\..*$
>>    RewriteCond %{LA-U:REMOTE_USER} !(.+)
>>    RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
>>    # Redirect to manual authentication if external
>>    #
>>    RewriteCond %{LA-U:REMOTE_USER} !(.+)
>>    RewriteCond %{REMOTE_ADDR}      !^10\..*$
>>    RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
>> "Site::SSO" is our in house Apache2::AuthCookie auth handler, the 
>> ticket for this is set once you authenticate to one of the pages on 
>> "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite 
>> rules but mod_rewrite never sees anything in "REMOTE_USER". What am I 
>> missing?
>>
> 
> I suspect that you might be able to do the same thing with
> 
> ErrorDocument 403  https://sso.lhsc.on.ca/signauto/in 
> 
> and avoid the convolutions of mod_rewrite here. Assuming your in-house 
> mod_perl auth handler returns a 403 on auth failure.

Actually that's how Apache2::Authcookie works. So with a single login page it redirects to a form that you configure. My challenge here is that I need to redirect to different authentication pages depending on the IP the request comes from. 

I ended up solving the problem by implementing it in the authz handler but unless I'm reading the documentation incorrectly it should be possible with mod_rewrite too.

> 
> --Rich
> 
> 
> -- 
> Rich Bowen - rbowen@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon



Re: [users@httpd] mod_rewrite redirect to login page

Posted by Rich Bowen <rb...@rcbowen.com>.
On 03/03/2014 05:40 PM, Keith Lawson wrote:
> Hello,
>    # Redirect to pass through authentication if internal
>    #
>    RewriteCond %{REMOTE_ADDR} ^10\..*$
>    RewriteCond %{LA-U:REMOTE_USER} !(.+)
>    RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
>    # Redirect to manual authentication if external
>    #
>    RewriteCond %{LA-U:REMOTE_USER} !(.+)
>    RewriteCond %{REMOTE_ADDR}      !^10\..*$
>    RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
> "Site::SSO" is our in house Apache2::AuthCookie auth handler, the 
> ticket for this is set once you authenticate to one of the pages on 
> "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite 
> rules but mod_rewrite never sees anything in "REMOTE_USER". What am I 
> missing?
>

I suspect that you might be able to do the same thing with

ErrorDocument 403  https://sso.lhsc.on.ca/signauto/in

and avoid the convolutions of mod_rewrite here. Assuming your in-house 
mod_perl auth handler returns a 403 on auth failure.

--Rich


-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon