Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: [Patch] Allow use behind mod_proxy (Gavin Carr)
   2. Re: [Patch] Allow use behind mod_proxy (Gavin Carr)
   3. Re: [Patch] Allow use behind mod_proxy (Charlie Brady)
   4. Re: [Patch] Allow use behind mod_proxy (Charlie Brady)
   5. Why is Secret server-wide rather than per directory?
      (Charlie Brady)


----------------------------------------------------------------------

Message: 1
Date: Mon, 6 Nov 2006 20:25:26 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] [Patch] Allow use behind mod_proxy
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Charlie,

On Fri, Nov 03, 2006 at 12:11:37PM -0500, Charlie Brady wrote:
> Use X-Forwarded-Host header in preference to Host header, if available.
> 
> This is only part of the puzzle I'm dealing with, as auto-determination of 
> default AuthDomain doesn't work as-is, and I have to hard code it in 
> configuration, but this is a start.
> 
> Without this patch, the redirect back URL isn't accessible to the original 
> requester.

No, mod_auth_tkt shouldn't need to know about being proxied. The
redirect should get rewritten by a ProxyPassReverse on the way back
through. Is that not working for you?

Cheers,
Gavin




------------------------------

Message: 2
Date: Mon, 6 Nov 2006 20:32:40 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] [Patch] Allow use behind mod_proxy
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Sat, Nov 04, 2006 at 02:09:09PM -0500, Charlie Brady wrote:
> On Fri, 3 Nov 2006, Charlie Brady wrote:
> > Use X-Forwarded-Host header in preference to Host header, if available.
> >
> > This is only part of the puzzle I'm dealing with, as auto-determination of
> > default AuthDomain doesn't work as-is, and I have to hard code it in
> > configuration, but this is a start.
> 
> And here's the patch for that issue - use TKTAuthDomain if configured, but 
> otherwise fall back to X-Forwarded-Host header if available, otherwise use 
> Host header. I can't think why 'hostname' would be a better choice than 
> the host in the request header.

It's like this because we don't want to trust HTTP headers if we can
avoid it (and yes, there are some inconsistencies there). The 
conservative choice is to force the admin to define the domain
explicitly.

If you do want to do it dynamically you should look at mod_rpaf:

  http://stderr.net/apache/rpaf/

which plays nicely with mod_auth_tkt, and gets you to specify the
hosts from which you'll accept the X-Forwarded-Host header. (And
I've got an old spec file for it somewhere if you want it.)

Cheers,
Gavin




------------------------------

Message: 3
Date: Mon, 6 Nov 2006 10:14:35 -0500 (EST)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] [Patch] Allow use behind mod_proxy
To: Gavin Carr <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


On Mon, 6 Nov 2006, Gavin Carr wrote:

> On Fri, Nov 03, 2006 at 12:11:37PM -0500, Charlie Brady wrote:
>> Use X-Forwarded-Host header in preference to Host header, if available.
...
> No, mod_auth_tkt shouldn't need to know about being proxied. The
> redirect should get rewritten by a ProxyPassReverse on the way back
> through. Is that not working for you?

No - the redirect URL is OK but the back URL isn't rewritten:

[EMAIL PROTECTED] ~]# tcpflow -i lo -c
tcpflow[3570]: listening on lo

127.000.000.001.32769-127.000.000.001.00980: GET /server-manager/ HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: auth_probe=1
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local


127.000.000.001.00980-127.000.000.001.32769: HTTP/1.1 307 Temporary Redirect
Date: Mon, 06 Nov 2006 15:10:10 GMT
Server: Apache
Location: /server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f
Content-Length: 292
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>307 Temporary Redirect</title>
</head><body>
<h1>Temporary Redirect</h1>
<p>The document has moved <a href="/server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f">here</a>.</p>
</body></html>
...

It also doesn't work if I have an absolute LoginURL:


GET /server-manager/ HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: auth_probe=1
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local


127.000.000.001.00980-127.000.000.001.32771: HTTP/1.1 307 Temporary Redirect
Date: Mon, 06 Nov 2006 15:13:59 GMT
Server: Apache
Location: https://192.168.240.129/server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>307 Temporary Redirect</title>
</head><body>
<h1>Temporary Redirect</h1>
<p>The document has moved <a href="https://192.168.240.129/server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f">here</a>.</p>
</body></html>





------------------------------

Message: 4
Date: Mon, 6 Nov 2006 11:43:44 -0500 (EST)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] [Patch] Allow use behind mod_proxy
To: Gavin Carr <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


On Mon, 6 Nov 2006, Gavin Carr wrote:

> On Sat, Nov 04, 2006 at 02:09:09PM -0500, Charlie Brady wrote:
>> On Fri, 3 Nov 2006, Charlie Brady wrote:
>>> Use X-Forwarded-Host header in preference to Host header, if available.
...
> It's like this because we don't want to trust HTTP headers if we can
> avoid it (and yes, there are some inconsistencies there).

I'd like some help in understanding what the threat model is here. If a 
malicious client sends a bogus X-Forwarded-Host header, we might give them 
a signed cookie containing a domain not of our choosing, and might send 
them a redirect to domain not of our choosing. What does that cost us?

> The conservative choice is to force the admin to define the domain 
> explicitly.

True, but there are complications with multiple virtual domains.

> If you do want to do it dynamically you should look at mod_rpaf:
>
>  http://stderr.net/apache/rpaf/
>
> which plays nicely with mod_auth_tkt, and gets you to specify the
> hosts from which you'll accept the X-Forwarded-Host header.
> (And I've got an old spec file for it somewhere if you want it.)

Thanks, but it didn't take me long to make one. I have mod_rpaf installed 
now, and it's working for me - but only sometimes.

Here's my "login required redirect":

GET /server-manager/ HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: auth_probe=1
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local


127.000.000.001.00980-127.000.000.001.32783: HTTP/1.1 307 Temporary Redirect
Date: Mon, 06 Nov 2006 16:33:03 GMT
Server: Apache
Location: /server-common/cgi-bin/login?back=http%3a%2f%2f192.168.240.129%2fserver-manager%2f
Content-Length: 292
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>307 Temporary Redirect</title>
</head><body>
<h1>Temporary Redirect</h1>
<p>The document has moved <a href="/server-common/cgi-bin/login?back=http%3a%2f%2f192.168.240.129%2fserver-manager%2f">here</a>.</p>
</body></html>

But things go awry when I logout - I don't see what is different with the 
post-logout request which causes a different redirect to be sent - do 
you?

GET /server-common/cgi-bin/logout HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://192.168.240.129/server-manager/header.htm
Cookie: auth_probe=1; auth_tkt=ZWI1YmIzOTE5NjUxYTVmMzQwZGU1YzgwNjhjNWQ4NzQ0NTRmNjNjNmFkbWluITExNjI4MzA3OTA6MTkyLjE2OC4yNDAuMQ%3D%3D
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local


127.000.000.001.00980-127.000.000.001.32785: HTTP/1.1 200 OK
Date: Mon, 06 Nov 2006 16:37:20 GMT
Server: Apache
Set-Cookie: auth_tkt=; domain=192.168.240.129; path=/; expires=Mon, 06-Nov-2006 15:37:21 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

17c
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"><head><title>Untitled Document</title>
<meta http-equiv="refresh" content="0;URL=https://192.168.240.129/server-manager/" />
</head><body>

127.000.000.001.00980-127.000.000.001.32785: 0


127.000.000.001.32785-127.000.000.001.00980: GET /server-manager/ HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: auth_probe=1
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local


127.000.000.001.00980-127.000.000.001.32785: HTTP/1.1 307 Temporary Redirect
Date: Mon, 06 Nov 2006 16:37:21 GMT
Server: Apache
Location: /server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f
Content-Length: 292
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>307 Temporary Redirect</title>
</head><body>
<h1>Temporary Redirect</h1>
<p>The document has moved <a href="/server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f">here</a>.</p>
</body></html>

127.000.000.001.32785-127.000.000.001.00980: GET /server-common/cgi-bin/login?back=http%3a%2f%2f127.0.0.1%3a980%2fserver-manager%2f HTTP/1.1
Host: 127.0.0.1:980
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.5.0.7-0.1.el4.centos4 Firefox/1.5.0.7 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: auth_probe=1
Max-Forwards: 10
X-Forwarded-For: 192.168.240.1
X-Forwarded-Host: 192.168.240.129
X-Forwarded-Server: mycompany.local
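
Gavin's point in message 2 (honour X-Forwarded-Host only when it arrives from a proxy you have listed, which is what mod_rpaf enforces before mod_auth_tkt sees the request) and Charlie's threat-model question in message 4 (a bogus X-Forwarded-Host ends up in the back= URL and in the cookie domain) can be made concrete in a few lines. This is an added Python illustration, not mod_auth_tkt's or mod_rpaf's code; its proxy_pass_reverse model also shows why, in message 3, the Location header was rewritten while the percent-encoded back= parameter was not. The trusted-proxy set, the peer address 10.9.8.7 and the host bogus.example are constructed; the other addresses and paths are the ones in the captures above.

```python
"""Host selection for a ticket-auth login redirect behind a reverse proxy (added
example), plus a model of why ProxyPassReverse alone does not fix the back= URL."""
from urllib.parse import quote

# Constructed configuration modelled on the thread's setup; not mod_auth_tkt's code.
TRUSTED_PROXIES = {"127.0.0.1"}   # peers allowed to set X-Forwarded-*, the role of
                                  # mod_rpaf's proxy list (the front end here is local)
AUTH_DOMAIN = "192.168.240.129"   # an explicitly configured TKTAuthDomain
LOGIN_URL = "/server-common/cgi-bin/login"

def naive_host(headers):
    """'Prefer X-Forwarded-Host': whoever reaches the backend chooses the host."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")

def trusted_host(headers, peer_ip, domain=None, trusted=TRUSTED_PROXIES):
    """Configured domain first; else X-Forwarded-Host, but only when the TCP peer
    is a listed proxy; else the Host header. Hostname/IPv4 with optional :port."""
    if domain:
        return domain
    xfh = headers.get("X-Forwarded-Host")
    if xfh and peer_ip in trusted:
        return xfh.split(",")[0].strip()   # first value if proxies were chained
    return headers.get("Host", "")

def login_redirect(headers, peer_ip, path, scheme="http", domain=None):
    """Return (Location value for the 307, cookie domain for the login CGI)."""
    host = trusted_host(headers, peer_ip, domain)
    back = f"{scheme}://{host}{path}"
    return f"{LOGIN_URL}?back={quote(back, safe='')}", host.split(":")[0]

def proxy_pass_reverse(location, backend="http://127.0.0.1:980/",
                       public="https://192.168.240.129/"):
    """Model of ProxyPassReverse: rewrites a Location that starts with the backend
    URL; a backend URL percent-encoded inside back= is left alone."""
    return public + location[len(backend):] if location.startswith(backend) else location

# Constructed requests: one relayed by the front end, one sent straight to port 980.
VIA_PROXY = ({"Host": "127.0.0.1:980", "X-Forwarded-Host": "192.168.240.129"}, "127.0.0.1")
DIRECT = ({"Host": "127.0.0.1:980", "X-Forwarded-Host": "bogus.example"}, "10.9.8.7")

if __name__ == "__main__":
    print(naive_host(DIRECT[0]))                           # bogus.example: client-chosen
    print(login_redirect(*VIA_PROXY, "/server-manager/"))  # public host in back=
    print(login_redirect(*DIRECT, "/server-manager/"))     # falls back to Host
    unfixed = "http://127.0.0.1:980" + login_redirect(*DIRECT, "/server-manager/")[0]
    print(proxy_pass_reverse(unfixed))                     # back= still names 127.0.0.1:980
```

Passing domain=AUTH_DOMAIN to login_redirect gives the conservative behaviour Gavin describes: the configured domain is used regardless of any header.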






------------------------------

Message: 5
Date: Mon, 6 Nov 2006 11:53:47 -0500 (EST)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Why is Secret server-wide rather than per
        directory?
To: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


It's either an arbitrary restriction, or I'm missing something.

---
Charlie



------------------------------



End of modauthtkt-users Digest, Vol 6, Issue 5
**********************************************
