Phil, Thanks again for your replies. I am now using "Location" block and it's working fine.
Not sure what the problem was in the past. Incidentally, I never did get any true "debug" output from mod_auth_cas. I do get error output when there are errors. Maybe mod_auth_cas just doesn't provide debug output. Lars On 6/19/2009 6:20 PM, Phil Ames wrote: > Hi Lars, > From what I can tell, if you have the AuthType directive in a > "Directory" block, it will probably not work in the case where you are > reverse proxying because Apache won't treat those as directories. The > directive should definitely be applied in a "Location" block, and I > believe I have done this in the past with success. However, it looks > like your original configuration had the config defined in a Location > block and it was not working. > > In your latest tests, what is returning the certificate error message (I > am assuming your browser)? What certificate is presented, the one for > your front end server, your back end server, or your CAS server (e.g. > were you redirected)? I am not sure how relevant that information is, > but it will help obtain a clearer picture of what you are seeing. > > -Phil > > On Fri, Jun 19, 2009 at 5:41 PM, Lars Huttar <[email protected] > <mailto:[email protected]>> wrote: > > OK, I think we're getting somewhere. > > When I try the test you described below, in the <Directory "/"> block, I > get basic authentication challenge if I go to the bare "/" url > (http://mydomain/); but no challenge if I go to the subfolder that is > being proxied and which I'm trying to protect (/arcgis/services and > similar). > > So, maybe the Proxy settings are preventing the Auth settings from > taking effect? > > If I then go back to using the AuthType CAS and related settings, > without the AuthType basic settings, and go to http://mydomain/, then I > don't get the CAS authentication because I only applied that to my > /arcgis/ folder. But if I change the mod_auth_cas settings to apply to > "/", then I get something different: I get "There is a problem with this > website's security certificate." So maybe that's progress. However, I do > want CAS to apply only to the URLs that I'm reverse-proxying. > > > Again, the Proxy-related settings in httpd.conf are: > > <IfModule mod_proxy.c> > ProxyRequests Off > > <Proxy *> > Order deny,allow > Allow from all > </Proxy> > > ProxyPass /gaz http://middleware.alexandria.ucsb.edu/gaz > ProxyPassReverse /gaz http://middleware.alexandria.ucsb.edu/gaz > > # Rules for reverse proxy for ArcGIS Server > # ProxyRequests Off > > ProxyPass /arcgis/services http://rome2:8399/arcgis/services > ProxyPassReverse /arcgis/services http://rome2:8399/arcgis/services > > ProxyPass /arcgis/rest http://rome2:8399/arcgis/rest > ProxyPassReverse /arcgis/rest http://rome2:8399/arcgis/rest > > ProxyPass /arcgis/sdk/rest http://rome2:8399/arcgis/sdk/rest > ProxyPassReverse /arcgis/sdk/rest http://rome2:8399/arcgis/sdk/rest > > ProxyPass /arcgis/tokens http://rome2/arcgis/tokens > ProxyPassReverse /arcgis/tokens http://rome2/arcgis/tokens > > ProxyPass /arcgis/server/proxyoutput/ > http://rome2:8399/arcgis/server/proxyoutput/ > ProxyPassReverse /arcgis/server/proxyoutput/ > http://rome2:8399/arcgis/server/proxyoutput/ > > ProxyPass /arcgis/server/proxyjobs/ > http://rome2:8399/arcgis/server/proxyjobs/ > ProxyPassReverse /arcgis/server/proxyjobs/ > http://rome2:8399/arcgis/server/proxyjobs/ > > ProxyPass /arcgis/server/proxycache/ > http://rome2:8399/arcgis/server/proxycache/ > ProxyPassReverse /arcgis/server/proxycache/ > http://rome2:8399/arcgis/server/proxycache/ > > > > > > On 6/19/2009 3:40 PM, Phil Ames wrote: > > Hi Lars, > > Some instructions are here: > > > > http://httpd.apache.org/docs/2.2/howto/auth.html > > > > A simple example might look something like this in your > > Location/Directory block: > > > > AuthType Basic > > AuthName "Test" > > AuthBasicProvider file > > AuthUserFile /usr/local/apache/passwd/passwords > > Require valid-user > > > > Then, from the command line run: > > > > htpasswd -c /usr/local/apache/passwd/passwords test > > > > where 'test' is the username you will be creating (you will be > prompted > > for a password). Then, restart Apache and try to hit that protected > > resource and use the username/password you created. If you are not > > prompted for authentication, then I think there might be some > directive > > in an Apache scope overriding the directives that you have set. > It does > > sound like your configuration is being processed though, as you > said you > > received startup errors when Apache could not start properly due to > > invalid settings, which is why this is a bit of a mystery to me. > > > > -Phil > > > > On Fri, Jun 19, 2009 at 3:59 PM, Lars Huttar <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > Hi Phil, > > I have not tried any other AuthType directives. I'm pretty new > to httpd > > authentication. > > > > I could try "AuthType Basic", but I wouldn't quickly know how > to set up > > the other required details so that a test should work. E.g. an > > authentication-provider module and an authorization module, a > user file > > and group file... > > Is there a quick & well-packaged test I could run? > > > > Lars > > > > > > On 6/19/2009 2:34 PM, Phil Ames wrote: > > > Hi Lars, > > > Are you able to get any other AuthType directives to work on > that > > > location (e.g. AuthType Basic)? Is it just AuthType CAS that is > > > failing? > > > > > > Thanks, > > > > > > -Phil > > > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
