Well, I have a basic Apache to LDAP bridge or authorization server that has
no content, and then I have an application server that hosts all the
content.  The idea is that since the app server is unsecured, we can pass
the traffic through ATS to authenticate and then get content from the app
server.
Here is some further detail showing what succeeds and what fails.

ATS remap.config - top line is the auth server map
----------
# LDAP Auth Server (really basic LDAP config and a rewrite all, see below)
map         http://auth.ops.point808.com/ http://auth.ops.point808.com/
# Application server (hosts the content to load)
map         https://app.point808.com/app/ http://private.ops.point808.com:8002/app/ \
            @plugin=authproxy.so @pparam=--auth-transform=redirect \
            @pparam=--auth-host=auth.ops.point808.com @pparam=--auth-port=80
reverse_map http://private.ops.point808.com:8002/app/ https://app.point808.com/app/
----------

Auth server (apache2) - just uses ldap plugin and rewrites all requests to
index.html so it will give a 200 OK as long as ldap checks out.
----------
<VirtualHost *:80>
  ServerName auth.ops.point808.com
  ServerAdmin xxx
  DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <Location "/">
    Include "/etc/apache2/ldap.conf"
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !=/index.html
    RewriteRule ^ /index.html [PT]
    Options -Indexes
    ErrorDocument 403 /index.html
    AllowOverride None
  </Location>
</VirtualHost>
----------

And for logs - I snipped them down to show a success and fail example on
each.  I put them on pastebin so I don't have a 10-page email.
Includes ATS debug with authproxy|http_hdrs, auth server access log, and
Chrome dev tools headers.

http://pastebin.com/PLjKDeqt


On Thu, Oct 13, 2016 at 12:25 AM, James Peach <jpe...@apache.org> wrote:

>
> > On Oct 12, 2016, at 9:19 PM, Josh North <josh.no...@point808.com> wrote:
> >
> > That helps. Through some more troubleshooting, I removed the authproxy
> line from the reverse map and it is mostly working. The remaining error I
> have is in one application that uses a JSON PUT. The app works until the
> user uses that function, and ATS returns a 500 method not allowed.
>
> It comes from ATS itself? I don't see authproxy doing that, so must be
> something else. The --auth-transform=redirect is designed for the case
> where you have a separate service that can tell whether a request should be
> allowed. If you are doing the auth redirect to the upstream service, maybe
> --auth-transform=head is a better choice?
>
> > Going directly to the source server works though.
> >
> > I'm wondering if it has anything to do with every single request getting
> forwarded to the http auth server first.
> >
> > Thank you for the tip on debug flags, I will continue to play with that
> and see what I can find.
> >
> > On Oct 12, 2016, James Peach <jpe...@apache.org> wrote:
> >
> > On Sep 30, 2016, at 10:08 AM, Josh North <josh.no...@point808.com>
> wrote:
> >
> > Hello,
> >
> > I am using ATS as a reverse proxy. I have been requested to set up
> > some URL's to use LDAP authentication with a directory server. I
> > found the authproxy plugin and configured it, and it successfully
> > authenticates/denies, but then returns a 404(or if I add an internal
> > map to the auth server, the browser tries to take me there). I feel I
> > am missing a very basic concept so I apologize.
> >
> > Here is my expectation based on how I have remap.config set up:
> > 1. Browser requests https://test.point808.com/
> > 2. ATS uses auth.internal.point808.com to authenticate if the request
> > is allowed
> > 3. If not allowed, just fail however it wants to, don't care
> > 4. if allowed, reverse proxy to privateserver.internal.point808.com
> >
> > Instead, at step 4, after a successful user/pass, I just get a
> > redirect to auth.internal.point808.com, which fails because that
> > server is not publicly available and does not have the content that
> > privateserver has.
> >
> > remap.config
> > --------------------------
> > # LDAP Auth Server
> > map http://auth.internal.point808.com/ http://auth.internal.point808.com/
> >
> > # Private Server
> > map https://test.point808.com/
> > http://privateserver.internal.point808.com/ @plugin=authproxy.so
> > @pparam=--auth-transform=redirect
> > @pparam=--auth-host=auth.internal.point808.com @pparam=--auth-port=80
> >
> > This looks reasonable.
> >
> > reverse_map http://privateserver.internal.point808.com/
> > https://test.point808.com/ @plugin=authproxy.so
> > @pparam=--auth-transform=redirect
> > @pparam=--auth-host=auth.internal.point808.com @pparam=--auth-port=80
> >
> > reverse_map is used to rewrite response headers, so it might not be
> what you want. If it is what you want, I'm not sure that you want to attach
> the authproxy plugin to it.
> >
> > Generally, authproxy will need a map to use for the auth server, so
> maybe something like this:
> >
> > map http://privateserver.internal.point808.com/ \
> > http://privateserver.internal.point808.com/ \
> > @internal
> >
> > If you need to debug authproxy itself, try traffic_server -T
> 'authproxy|http_hdrs'.
> >
> > J
> >
>
>
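The two configuration mistakes discussed in this thread (authproxy attached to a reverse_map, and an --auth-host with no map rule ATS can route the auth request through) are easy to miss in a hand-edited remap.config. The checker below is an added example, not code from the thread or from Apache Traffic Server; the hostnames in the sample config are constructed, and the remap.config parsing covers only the map/reverse_map/@plugin/@pparam/backslash-continuation syntax shown on this page.

```python
from urllib.parse import urlparse

# Constructed sample remap.config (hostnames invented, not the thread's). It mirrors
# the thread's layout: an auth-server map, an app map with authproxy, and a
# reverse_map that wrongly carries the plugin as well.
SAMPLE = """\
# LDAP Auth Server
map http://auth.internal.example/ http://auth.internal.example/
# Private Server
map https://test.example/ http://private.internal.example/ \\
    @plugin=authproxy.so @pparam=--auth-transform=redirect \\
    @pparam=--auth-host=auth.internal.example @pparam=--auth-port=80
reverse_map http://private.internal.example/ https://test.example/ \\
    @plugin=authproxy.so @pparam=--auth-host=auth.missing.example
"""

def parse_remap(text):
    """Return (rule, from_url, to_url, plugins, pparams) per logical line.
    Backslash continuations are joined and '#' comments dropped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split()
        pending = ""
        if len(parts) < 3:
            continue
        plugins = [p[8:] for p in parts[3:] if p.startswith("@plugin=")]
        pparams = [p[8:] for p in parts[3:] if p.startswith("@pparam=")]
        rules.append((parts[0], parts[1], parts[2], plugins, pparams))
    return rules

def lint_authproxy(text):
    """Flag authproxy on a reverse_map, and an --auth-host that no 'map'
    rule's from-host matches (ATS needs a map to reach the auth server)."""
    rules = parse_remap(text)
    mapped_hosts = {urlparse(frm).hostname for rule, frm, *_ in rules if rule == "map"}
    findings = []
    for rule, frm, _to, plugins, pparams in rules:
        if "authproxy.so" not in plugins:
            continue
        # "--auth-host=x" -> {"auth-host": "x"}
        opts = dict(p.lstrip("-").split("=", 1) for p in pparams if "=" in p)
        if rule == "reverse_map":
            findings.append(f"{frm}: authproxy on reverse_map (it only rewrites response headers)")
        host = opts.get("auth-host")
        if host and host not in mapped_hosts:
            findings.append(f"{frm}: no map rule for --auth-host={host}")
    return findings
```

Run `lint_authproxy(open("/path/to/remap.config").read())` against a real file; an empty list means neither mistake is present.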
