Posted to users@httpd.apache.org by Keith Lawson <Ke...@sjhc.london.on.ca> on 2014/03/03 23:40:29 UTC
[users@httpd] mod_rewrite redirect to login page
Hello,
I'm attempting to set up a site with a mixture of mod_auth_kerb and an in house mod_perl2 auth handler we wrote. Basically what I need to do is when you hit the root of the site if "REMOTE_USER" isn't populated and you're on the LAN redirect to a page under mod_auth_kerb that sets a ticket and if you're outside our LAN redirect to a page where our users can manually log in. My rewrite rule never seems to see "REMOTE_USER" as populated even though I'm using "LA-U:REMOTE_USER" so the rewrite rule keeps kicking in and redirecting over to the mod_auth_kerb page which redirects back to Apache. I've searched Google and the lists here and I can't seem to solve the problem. Here's my current configuration:
<Location /kltest>
AuthType Site::SSO
AuthName sso
PerlAuthenHandler Site::SSO->authenticate
PerlAuthzHandler Site::SSO->authorize
require valid-user
</Location>
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 5
# Redirect to pass through authentication if internal
#
RewriteCond %{REMOTE_ADDR} ^10\..*$
RewriteCond %{LA-U:REMOTE_USER} !(.+)
RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
# Redirect to manual authentication if external
#
RewriteCond %{LA-U:REMOTE_USER} !(.+)
RewriteCond %{REMOTE_ADDR} !^10\..*$
RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
"Site::SSO" is our in house Apache2::AuthCookie auth handler, the ticket for this is set once you authenticate to one of the pages on "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite rules but mod_rewrite never sees anything in "REMOTE_USER". What am I missing?
Thanks,
Keith.
--------------------------------------------------------------------------------
This information is directed in confidence solely to the person named above and may contain confidential and/or privileged material. This information may not otherwise be distributed, copied or disclosed. If you have received this e-mail in error, please notify the sender immediately via a return e-mail and destroy original message. Thank you for your cooperation.
Re: [users@httpd] mod_rewrite redirect to login page
Posted by Rich Bowen <rb...@rcbowen.com>.
On 03/04/2014 03:12 PM, Keith Lawson wrote:
>> >I suspect that you might be able to do the same thing with
>> >
>> >ErrorDocument 403 https://sso.lhsc.on.ca/signauto/in
>> >
>> >and avoid the convolutions of mod_rewrite here. Assuming your in-house
>> >mod_perl auth handler returns a 403 on auth failure.
> Actually that's how Apache2::AuthCookie works. So with a single login page it redirects to a form that you configure. My challenge here is that I need to redirect to different authentication pages depending on the IP the request comes from.
>
> I ended up solving the problem by implementing it in the authz handler but unless I'm reading the documentation incorrectly it should be possible with mod_rewrite too.
It probably should, but LA-U is a finicky beast.
--
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_rewrite redirect to login page
Posted by Keith Lawson <Ke...@sjhc.london.on.ca>.
>>> On 2014/03/04 at 10:44 AM, in message <53...@rcbowen.com>, Rich
Bowen <rb...@rcbowen.com> wrote:
> On 03/03/2014 05:40 PM, Keith Lawson wrote:
>> Hello,
>> # Redirect to pass through authentication if internal
>> #
>> RewriteCond %{REMOTE_ADDR} ^10\..*$
>> RewriteCond %{LA-U:REMOTE_USER} !(.+)
>> RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
>> # Redirect to manual authentication if external
>> #
>> RewriteCond %{LA-U:REMOTE_USER} !(.+)
>> RewriteCond %{REMOTE_ADDR} !^10\..*$
>> RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
>> "Site::SSO" is our in house Apache2::AuthCookie auth handler, the
>> ticket for this is set once you authenticate to one of the pages on
>> "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite
>> rules but mod_rewrite never sees anything in "REMOTE_USER". What am I
>> missing?
>>
>
> I suspect that you might be able to do the same thing with
>
> ErrorDocument 403 https://sso.lhsc.on.ca/signauto/in
>
> and avoid the convolutions of mod_rewrite here. Assuming your in-house
> mod_perl auth handler returns a 403 on auth failure.
Actually that's how Apache2::AuthCookie works. So with a single login page it redirects to a form that you configure. My challenge here is that I need to redirect to different authentication pages depending on the IP the request comes from.
I ended up solving the problem by implementing it in the authz handler but unless I'm reading the documentation incorrectly it should be possible with mod_rewrite too.
>
> --Rich
>
>
> --
> Rich Bowen - rbowen@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon
Re: [users@httpd] mod_rewrite redirect to login page
Posted by Rich Bowen <rb...@rcbowen.com>.
On 03/03/2014 05:40 PM, Keith Lawson wrote:
> Hello,
> # Redirect to pass through authentication if internal
> #
> RewriteCond %{REMOTE_ADDR} ^10\..*$
> RewriteCond %{LA-U:REMOTE_USER} !(.+)
> RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/signauto/in [NS]
> # Redirect to manual authentication if external
> #
> RewriteCond %{LA-U:REMOTE_USER} !(.+)
> RewriteCond %{REMOTE_ADDR} !^10\..*$
> RewriteRule ^/kltest/env$ https://sso.lhsc.on.ca/sign/in [NS]
> "Site::SSO" is our in house Apache2::AuthCookie auth handler, the
> ticket for this is set once you authenticate to one of the pages on
> "sso.lhsc.on.ca" and "REMOTE_USER" is set if I remove the rewrite
> rules but mod_rewrite never sees anything in "REMOTE_USER". What am I
> missing?
>
I suspect that you might be able to do the same thing with
ErrorDocument 403 https://sso.lhsc.on.ca/signauto/in
and avoid the convolutions of mod_rewrite here. Assuming your in-house
mod_perl auth handler returns a 403 on auth failure.
--Rich
--
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
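
The thread ends with the login-page choice moved out of mod_rewrite and into the auth handler. The following is an added sketch of that approach, not code from the thread or from the poster's Site::SSO module. The package and sub names are hypothetical, the 10.0.0.0/8 range is taken from the `^10\.` condition in the posted rules, and the mod_perl2 glue assumes the Apache 2.2 API and is meant to be called by the site's own handler at the point where it finds no valid ticket.

```perl
package Site::LoginRouter;    # hypothetical name, not the poster's Site::SSO
use strict;
use warnings;

# Login pages named in the thread.
use constant KERBEROS_LOGIN => 'https://sso.lhsc.on.ca/signauto/in';
use constant MANUAL_LOGIN   => 'https://sso.lhsc.on.ca/sign/in';

# Parse a dotted-quad IPv4 address into an integer; undef if malformed.
sub ipv4_to_int {
    my ($ip) = @_;
    my @o = ($ip // '') =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return undef if @o != 4 || grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True only inside 10.0.0.0/8 (what the thread's ^10\. test intends);
# unparsable input, IPv6 included, counts as external.
sub is_lan {
    my $n = ipv4_to_int(shift);
    return (defined $n && ($n >> 24) == 10) ? 1 : 0;
}

# Where an unauthenticated request should go. undef means a user is
# already set and no redirect is issued, which is what breaks the loop.
sub login_url_for {
    my ($user, $addr) = @_;
    return undef if defined $user && length $user;
    return is_lan($addr) ? KERBEROS_LOGIN : MANUAL_LOGIN;
}

# mod_perl2 glue, usable only inside Apache. Assumes Apache 2.2
# ($c->remote_ip; 2.4 renamed it client_ip). Returns the status to hand back.
sub redirect_unauthenticated {
    my ($r) = @_;
    require Apache2::RequestRec; require Apache2::Connection; require APR::Table;
    require Apache2::Const; Apache2::Const->import(-compile => qw(DECLINED REDIRECT));
    my $url = login_url_for($r->user, $r->connection->remote_ip)
        or return Apache2::Const::DECLINED();    # user present: caller carries on
    $r->headers_out->set(Location => $url);
    return Apache2::Const::REDIRECT();
}

# Constructed sample inputs, printed when the file is run directly.
unless (caller) {
    printf "%-8s %-13s -> %s\n", $_->[0] // '-', $_->[1], login_url_for(@$_) // 'no redirect'
        for [undef, '10.4.5.6'], [undef, '198.51.100.7'], ['alice', '10.4.5.6'];
}
1;
```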