Send modauthtkt-users mailing list submissions to
	modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: TKTAuthIgnoreIP (Kamaludeen Mohamed Rafi)
   2. Re: TKTAuthIgnoreIP (Michael Peters)
   3. Re: TKTAuthIgnoreIP (Peter Karman)
   4. patch to check X-Forwarded-For IP address (Peter Karman)
   5. Re: Multiple domains (Peter Karman)
   6. patch to check X-Forwarded-For IP address (Peter Karman)
   7. Re: Multiple domains (Armenio Pinto)

----------------------------------------------------------------------

Message: 1
Date: Mon, 29 Sep 2008 15:48:54 +0800
From: Kamaludeen Mohamed Rafi <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthIgnoreIP
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Hi,

We are using the mod_auth_tkt module for our web-based application running on
an Apache server. We are experiencing a problem of IP address mismatch when
the end-user HTTP request goes through several proxy servers.

We wonder whether the validation of the ticket can be done without checking
the IP address encoded in the ticket? Not sure the option
"TKTAuthIgnoreIP on" will disable that. If it is, should we use a specific
IP address in the ticket or must it be left empty?

We also need to know whether the shared secret can be more than one entry
in the conf file?

Thank you

With Best Regards
Rafi
Singapore Polytechnic

------------------------------

Message: 2
Date: Mon, 29 Sep 2008 09:10:04 -0400
From: Michael Peters <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthIgnoreIP
To: Kamaludeen Mohamed Rafi <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

Kamaludeen Mohamed Rafi wrote:
> We wonder whether the validation of ticket can be done without checking
> the IP address encoded in the ticket? Not sure the option
> "TKTAuthIgnoreIP on" will disable that.

Yes, that's just what IgnoreIP is for.

> If it is, should we use a
> specific IP address in the ticket or must it be left empty?

Apache::AuthTkt (the Perl module for mod_auth_tkt) just uses "0.0.0.0". I
don't know if it has to be that value or if it just makes sure there's
something in that space. But that's what we use by virtue of Apache::AuthTkt
so I know it works.

> We also need to know whether the shared secret can be more than one
> entry in the conf file?

No, the secret is server wide I believe. You can't have separate secrets for
different virtual hosts (at least as far as I've tried).

-- 
Michael Peters
Plus Three, LP

------------------------------

Message: 3
Date: Mon, 29 Sep 2008 08:50:46 -0500
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthIgnoreIP
To: Kamaludeen Mohamed Rafi <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

Kamaludeen Mohamed Rafi wrote on 09/29/2008 02:48 AM:
>
> Hi,
>
> We are using mod_auth_tkt module for our web-based application running on
> Apache server. We are experiencing a problem of IP address mismatch when
> the end-user HTTP request goes through several proxy servers.
>

I actually sent a patch that addresses this issue to the ML last week.
Haven't seen it come through though yet.

-- 
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

Message: 4
Date: Thu, 25 Sep 2008 13:08:18 -0500
From: Peter Karman <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] patch to check X-Forwarded-For IP address
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

Took me a while to figure out that running the auth on the backend server in
a reverse proxy setup was not working because it wasn't getting the IP
address to check from the right place. This seems to fix the issue. Note that
it does not address the case where there are multiple proxies involved.

=== modified file 'src/mod_auth_tkt.c'
--- src/mod_auth_tkt.c	2007-06-21 10:37:22 +0000
+++ src/mod_auth_tkt.c	2008-09-25 16:36:12 +0000
@@ -717,7 +717,12 @@
   unsigned char *buf2 = apr_palloc(r->pool, MD5_DIGEST_SZ + strlen(secret));
   int len = 0;
   char *digest;
-  char *remote_ip = conf->ignore_ip > 0 ? "0.0.0.0" : r->connection->remote_ip;
+  char *remote_ip;
+  /* prefer remote_ip from forwarded-for header, falling back to connection ip
+     TODO: Select the most recent upstream IP (last in the list).
+   */
+  remote_ip = (char *) apr_table_get(r->headers_in, "X-Forwarded-For");
+  if (!remote_ip) remote_ip = conf->ignore_ip > 0 ? "0.0.0.0" : r->connection->remote_ip;
   unsigned long ip;
   struct in_addr ia;

-- 
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

Message: 5
Date: Fri, 19 Sep 2008 09:30:28 -0500
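Review bot: the new `if (!remote_ip)` line only consults `conf->ignore_ip` when no X-Forwarded-For header arrived, so as soon as a proxy adds that header TKTAuthIgnoreIP stops taking effect and the ticket is compared against the forwarded address instead of "0.0.0.0"; test `conf->ignore_ip` first and only then read the header. The header is also client-supplied: `apr_table_get(r->headers_in, "X-Forwarded-For")` returns whatever the requester sent, so unless the lookup is restricted to connections whose `r->connection->remote_ip` is a configured, known proxy, anyone can present a header that matches the address bound into a ticket, which removes the protection the IP check is meant to give. Lastly, as the TODO in the added comment already notes, the value can be a comma-separated list of hops, and the whole string is what gets assigned to `remote_ip` and handed to the address handling that follows (`unsigned long ip; struct in_addr ia;`), which expects a single address; select one hop, and pick it from the right-hand end, skipping your own proxies, rather than from the client-controlled left end.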
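An added example, not mod_auth_tkt code and not the patch above, of how the client address for the ticket check can be derived behind one or more reverse proxies: TKTAuthIgnoreIP is honoured first, X-Forwarded-For is consulted only when the TCP peer is one of our own proxies, and the list is walked from the right so a client-supplied prefix is ignored. The TRUSTED proxy list and the function name are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not mod_auth_tkt code. TRUSTED is an assumed config value:
 * the reverse proxies we operate, the only peers whose X-Forwarded-For
 * header carries any meaning. */
static const char *TRUSTED[] = { "10.0.0.1", "10.0.0.2" };

static int is_trusted(const char *ip)
{
    for (size_t i = 0; i < sizeof TRUSTED / sizeof *TRUSTED; i++)
        if (strcmp(ip, TRUSTED[i]) == 0) return 1;
    return 0;
}

/* Copy one comma-separated element, trimmed, into out; 1 if valid IPv4. */
static int copy_ip(const char *s, size_t len, char out[INET_ADDRSTRLEN])
{
    struct in_addr ia;
    while (len && *s == ' ') { s++; len--; }
    while (len && s[len - 1] == ' ') len--;
    if (len == 0 || len >= INET_ADDRSTRLEN) return 0;
    memcpy(out, s, len);
    out[len] = '\0';
    return inet_pton(AF_INET, out, &ia) == 1;
}

/* peer_ip: the TCP peer (r->connection->remote_ip in the module); xff: the
 * X-Forwarded-For value or NULL. Returns, in a static buffer, the address a
 * ticket's IP should be checked against: "0.0.0.0" when ignore_ip is set,
 * else the rightmost hop that is not one of our proxies, else the peer. */
const char *client_ip_for_ticket(const char *peer_ip, const char *xff, int ignore_ip)
{
    static char out[INET_ADDRSTRLEN];
    if (ignore_ip) return "0.0.0.0";
    snprintf(out, sizeof out, "%s", peer_ip);
    if (!xff || !is_trusted(peer_ip)) return out;   /* header did not come via our proxy */
    const char *end = xff + strlen(xff);
    while (end > xff) {
        const char *start = end;
        char cand[INET_ADDRSTRLEN];
        while (start > xff && start[-1] != ',') start--;
        if (!copy_ip(start, (size_t)(end - start), cand)) return out; /* malformed */
        if (!is_trusted(cand)) { strcpy(out, cand); return out; }
        end = start > xff ? start - 1 : xff;
    }
    return out;   /* every hop was one of ours: keep the peer */
}
```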
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Multiple domains
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

Armenio Pinto wrote on 09/19/2008 05:24 AM:
> Here is my scenario: httpd acting as a reverse proxy to make several
> intranet services available through the Internet. Each service is
> implemented as an IP-based vhost so, for example, service1 public
> address is service1.mycompany.com. The respective vhost then
> redirects the traffic to the service (intranet) IP address.
>
> My next step is to deal with the authentication. So, every time a
> client browses for the first time to the main page
> (http://www.mycompany.com) or any of the service pages
> (http://service1.mycompany.com, ...) I want it to bounce to a login
> page. IF the login is successful, the next requests will be
> automatically authorized (until a timeout or explicit logout occurs).
>
>
> My question is: is it possible to implement this with mod_auth_tkt?
> Can anyone, please, provide me a brief example? The typical service
> vhost definition in my httpd configuration files is:

yes, it is possible.

In my case, I have several different subdomains, some internal, some
external, some proxied, some not. The trick I have found is to be sure that
in your login script you set the cookie domain to .mycompany.com (note the
leading .) so that it is sent for all subdomains. (I may be wrong about
needing that, but afaict, I needed it.)

For proxying, I tend to use mod_rewrite instead of mod_proxy directly. It
Just Works a little more reliably. Here's an example:

backend url:  http://back.mycompany.com/
frontend url: https://www.mycompany.com/back

vhost file for www.mycompany.com:

<VirtualHost xxx.xxx.xxx.xxx:443>
  ServerName www.mycompany.com:443

  # I keep my TKTAuthSecret token in one file
  # and then include it in any httpd.conf I need
  # the /path/to is kept in sync on many machines
  # with a rsync script.
  Include /path/to/mod_auth_tkt.conf

  # all requests for /back/* must be authenticated
  <Location /back>
    AuthType Basic
    require valid-user
    TKTAuthLoginURL https://www.mycompany.com/login
    TKTAuthDomain .mycompany.com
    TKTAuthTimeout 8h
  </Location>

  RewriteEngine on
  RewriteRule ^/back/?$ http://back.mycompany.com/ [P,L]
  RewriteRule ^/back/(.+)$ http://back.mycompany.com/$1 [P,L]
  ProxyPassReverse /back/ http://back.mycompany.com/

  # nicer login url
  ScriptAlias /login "/path/to/www.mycompany.com/cgi-bin/login.cgi"

  # other stuff here

</VirtualHost>

Per the mod_auth_tkt docs, you just need the AuthType section as above for
every Location you wish to protect.

In my case, I tend to have a single public-facing subdomain and proxy
through it to anything I want to make public. Then for any subdomains I make
available internally only, I just put the proper AuthType config in that
server's config file.

Many ways to do this; this is just how I do it.

-- 
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

Message: 7
Date: Mon, 29 Sep 2008 16:17:34 +0100
From: "Armenio Pinto" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Multiple domains
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="utf-8"

Hi Peter,

Thank you for your response. I'll get my hands again on the proxy this week
and I'll try your approach!

Thank you again, cheers,
Arménio Pinto

------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

End of modauthtkt-users Digest, Vol 20, Issue 1
***********************************************