Jody Gilbert | 18 Apr 2012 16:13

Reverse proxy

Hi All,

Apologies if this has been covered before; I have been searching in vain for a few days and just cannot find the answer!

I’ve configured Apache to act as a reverse proxy for some of our internal applications, which works a treat.

I’d like to use mod_auth_kerb to authenticate the users before proxying the request to the internal servers; however, when I try this the authentication fails, and it appears the issue is that the internal servers are also using Kerberos to authenticate the user and the Negotiate header gets screwed.

Is it possible to use mod_auth_kerb to authenticate the users before proxying the request? Ideally we’d like it to delegate the authentication details to the internal servers to avoid multiple logins.

We are running Apache 2.2.2 on Debian 6 for the proxy server.

Here is our config:

<Location />
        AuthType kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms REALM1.COM SUB.REALM1.COM
        KrbMethodK5Passwd On
        Krb5KeyTab /etc/apache2/http.keytab
        KrbServiceName HTTP/www.realm1.com
        KrbSaveCredentials On
        Require valid-user
</Location>

Our internal servers are running IIS6.

We are authenticating against a Windows 2003 AD.

I’ve tried following the steps in this article to get this working:

http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/

Any help would be much appreciated!

Jody

Jody Gilbert
Head of IT

GoIndustry DoveBid

St Andrew's House
18-20 St Andrew Street
London
EC4A 3AG
United Kingdom

Phone: +44 20 7098 3715
Mobile: +44 7775 826806
Fax: +44 20 7098 3795
Skype: jody.godove
Jody.Gilbert <at> go-dove.com
www.go-dove.com


Follow us on twitter at twitter.com/Go_Dove

Follow us on LinkedIn at linkedin.com/company/goindustry-dovebid

 

GoIndustry DoveBid is proud to have been awarded:
ACQ Magazine  'Asset Appraiser of the Year' 2008, 2009 & 2010.
PepsiCo Supplier of the Year Award for 2009.
Procter and Gamble Supplier of Excellence Award 2009 & 2010.
Intercontinental Finance Magazine 'Asset Valuation and Appraisal Firm of the Year' 2010.
Finance Monthly Magazine 'Asset Appraiser Firm of the Year' 2010.

This electronic message transmission contains information that may be confidential or privileged.
The information is intended to be for the use of the individual or entity named above.
If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.
If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately.
This electronic message has been sent from one of the following companies:
GoIndustry-DoveBid plc, registered in England and Wales under no.5381812 GoIndustry Operations Limited, registered in England and Wales under no. 3853780 GoIndustry (UK) Limited, registered in England and Wales under no. 4092016 GoIndustry Trading Limited, registered in England and Wales under no. 3930034. Registered office: St. Andrew’s House, 18-20 St. Andrew Street, London EC4A 3AG. VAT registration number: GB 872 7481 89


------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
Brandon Kirsch | 18 Apr 2012 16:30

Re: Reverse proxy

Hi Jody,

We suffered a terrible headache when we tried to reverse proxy other Kerberos-enabled websites.  The Negotiate header does get screwed up and confuses mod_auth_kerb in the process.  I think you have two options:

1)  Try disabling Kerberos behind the reverse proxy.  Perhaps you can go the "trusted header" route where your back-end IIS servers are configured to trust a specific HTTP header that contains the username of the authenticated user.  We do this quite effectively for one of our back-end services. Here are a few choice lines on how to grab & parse the current Kerberos username and then how to stuff that value into an HTTP header during reverse proxy:

# look-ahead to REMOTE_USER value (eventually populated by kerb), parse base username, set to auth_user environment variable
# (RewriteEngine must be on for the look-ahead to run; the excerpt as posted omitted it)
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} ^([^@]*)
RewriteRule ^ - [E=auth_user:%1]

# Reverse proxy to server hpeibi1:8080, which is configured to trust and accept username values in an HTTP request header named "TRUSTED_AUTH", stuff in auth_user environment variable
ProxyPass /ibi_apps http://hpeibi1:8080/ibi_apps
<Proxy http://hpeibi1:8080/*>
        RequestHeader set TRUSTED_AUTH %{auth_user}e
</Proxy>


2) Some time ago (perhaps last three months or so?) a developer at Redhat submitted a new patch that I believe currently sits in the "-latest" repository.  He sent a message to this list and talked about how he had just added some form of delegation to mod_auth_kerb.  Perhaps he has added what you need in order to do delegation, but I'm still not sure how you could prevent the two Negotiate headers from whacking each other.

Ultimately, we went the trusted header route for services that support it.  We have one service that requires Kerberos / Negotiate, and we absolutely could not figure out a way to reverse proxy it with mod_auth_kerb.

If you find a solution to this problem, please be sure to update us on the list!

Thanks,
Brandon




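The trusted-header hand-off Brandon describes has two halves, and the second one is the part that decides whether the pattern is safe: the proxy derives the identity from REMOTE_USER and stamps it on the upstream request, and the back-end must accept that header only when the request really came from the proxy. The following is an added example written for this thread, not Brandon's configuration or any project code; it models both halves in plain Python so the behaviour can be checked offline. The regex is the one from the RewriteCond above; the proxy address, header name, hostnames and user names are constructed for the example.

```python
"""Trusted-header hand-off between a Kerberos-authenticating reverse proxy
and a back-end that does not run Kerberos itself (added example, not code
from the mailing-list thread).

  * proxy_outbound_headers(): what the RewriteCond/RequestHeader pair does:
    take the part of REMOTE_USER before '@' (regex ^([^@]*)) and set
    TRUSTED_AUTH on the proxied request, replacing anything the client sent.
  * backend_user(): what the back-end must do: honour TRUSTED_AUTH only when
    the TCP peer is the proxy, never when a client reaches it directly.
"""
import re
from typing import Dict, Optional

# Same pattern as the Apache RewriteCond in the thread.
_BASE_USER = re.compile(r"^([^@]*)")

# Constructed for the example: the proxy's address as the back-end sees it,
# and the header name used in the thread.
PROXY_ADDR = "10.0.0.5"
TRUSTED_HEADER = "TRUSTED_AUTH"


def base_username(remote_user: Optional[str]) -> Optional[str]:
    """Strip the realm from a Kerberos principal: 'jody@REALM1.COM' -> 'jody'.

    Returns None when mod_auth_kerb has not populated REMOTE_USER (or the
    principal has no local part), so the caller never forwards an empty
    identity.
    """
    if not remote_user:
        return None
    name = _BASE_USER.match(remote_user).group(1)
    return name or None


def proxy_outbound_headers(remote_user: Optional[str],
                           client_headers: Dict[str, str]) -> Dict[str, str]:
    """Header set the proxy sends upstream.

    Any client-supplied TRUSTED_AUTH (in any letter case) is discarded; the
    header is then set only if there is an authenticated user, instead of
    forwarding a placeholder value for unauthenticated requests.
    """
    out = {k: v for k, v in client_headers.items()
           if k.upper() != TRUSTED_HEADER}
    user = base_username(remote_user)
    if user is not None:
        out[TRUSTED_HEADER] = user
    return out


def backend_user(peer_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """Identity the back-end should act on.

    Only the proxy may assert TRUSTED_AUTH. From any other peer the header
    is ignored, which is what makes the proxy's authentication enforceable.
    """
    if peer_addr != PROXY_ADDR:
        return None
    value = headers.get(TRUSTED_HEADER)
    return value or None


if __name__ == "__main__":
    # Constructed request: the client tried to smuggle its own identity.
    upstream = proxy_outbound_headers(
        "jody@REALM1.COM",
        {"Host": "www.realm1.com", "Trusted_Auth": "administrator"})
    print(upstream)                                   # TRUSTED_AUTH is 'jody'
    print(backend_user(PROXY_ADDR, upstream))         # jody
    print(backend_user("192.0.2.10", upstream))       # None: not from proxy
```

Two details worth noting against Brandon's directives. `RequestHeader set` already replaces a client-supplied TRUSTED_AUTH, but if auth_user is unset, mod_headers substitutes the literal string `(null)` for `%{auth_user}e`, so the back-end should treat that (and an empty value) as unauthenticated; here the proxy simply omits the header. And the peer check in `backend_user` is the real control: a back-end that honours TRUSTED_AUTH from any source lets anyone who can reach it directly choose their own username.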
Jody Gilbert | 20 Apr 2012 10:40

Re: Reverse proxy

Hi,

Thanks for the tips; sadly this won’t work for us.

After spending yet more time looking at this I’ve finally admitted I can’t get it to work, so for now we have decided to use Apache with mod_security as a reverse proxy and web application firewall, and we will let the back end servers handle the authentication.

I’m also talking to the business about using basic authentication, which has the obvious drawback of no SSO.

I’ll keep digging though, as I’d really like Apache to enforce authentication as well.

Regards,

Jody

 

 

Henry B. Hotz | 23 Apr 2012 21:34

Re: Reverse proxy

The basic issue is that the client/browser needs to get a service ticket based on the DNS name of the server
it's trying to connect to.  That ticket, and its encapsulation in the Negotiate header, needs to be
acceptable to the end server that processes it.  Arranging that gets difficult once you get something more
complex than the simple client/server connection.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
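Henry's point above (the browser's service ticket is for the DNS name it connected to, and only that service can accept it) is the reason the Negotiate header cannot simply be passed through the proxy. The following is an added example, not code from the thread or from mod_auth_kerb: a deliberately simplified model in which a ticket is sealed with the long-term key of one service principal, with an HMAC standing in for the real Kerberos encryption. Principal names, hostnames and keys are constructed for the example; the KDC, browser, proxy and back-end are all just functions here.

```python
"""Why a forwarded Negotiate token fails at the back-end (added example,
a simplified model, not real Kerberos).

A service ticket is sealed under the key of the service principal named in
it, HTTP/<dns-name-the-browser-connected-to>. The proxy holds that key in
its keytab and can validate the ticket; the back-end holds a different
principal's key and cannot, even though it is the same user.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional


def make_service_key() -> bytes:
    """Stand-in for a keytab entry's long-term key (constructed at random)."""
    return os.urandom(32)


def issue_ticket(kdc_keys: Dict[str, bytes], client_principal: str,
                 spn: str, now: Optional[int] = None) -> Dict[str, object]:
    """Model of the KDC's reply: the ticket names the client and the target
    SPN and is sealed under that SPN's own key (HMAC stands in for AES)."""
    key = kdc_keys[spn]
    body = json.dumps({"client": client_principal, "spn": spn,
                       "issued": now if now is not None else int(time.time())},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def negotiate_header(ticket: Dict[str, object]) -> str:
    """The browser's 'Authorization: Negotiate <token>' value, base64-encoded
    as in real HTTP; the token layout is specific to this model."""
    token = ticket["tag"].encode() + b"." + ticket["body"]
    return "Negotiate " + base64.b64encode(token).decode()


def parse_negotiate(header: str) -> Dict[str, object]:
    """Inverse of negotiate_header(), as the receiving server would do."""
    if not header.startswith("Negotiate "):
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(header[len("Negotiate "):])
    tag, _, body = raw.partition(b".")        # hex tag contains no '.'
    return {"body": body, "tag": tag.decode()}


def accept_ticket(service_key: bytes, expected_spn: str,
                  ticket: Dict[str, object]) -> Optional[str]:
    """What a service does with the token: validate it with its own keytab
    key and confirm the SPN is its own. Returns the client principal, or
    None when the ticket was sealed for some other service."""
    tag = hmac.new(service_key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        return None                      # cannot open: wrong service key
    body = json.loads(ticket["body"])
    if body["spn"] != expected_spn:
        return None
    return body["client"]


def demo():
    """Browser -> proxy -> back-end with the Negotiate header forwarded
    unchanged. Returns (user seen by proxy, user seen by back-end)."""
    proxy_key, backend_key = make_service_key(), make_service_key()
    # Constructed: the KDC holds every service's key; each service only its own.
    kdc = {"HTTP/www.realm1.com": proxy_key,
           "HTTP/intranet.realm1.com": backend_key}

    # The browser connected to www.realm1.com, so that is the SPN it asked for.
    ticket = issue_ticket(kdc, "jody@REALM1.COM", "HTTP/www.realm1.com")
    header = negotiate_header(ticket)

    at_proxy = accept_ticket(proxy_key, "HTTP/www.realm1.com",
                             parse_negotiate(header))
    at_backend = accept_ticket(backend_key, "HTTP/intranet.realm1.com",
                               parse_negotiate(header))
    return at_proxy, at_backend


if __name__ == "__main__":
    print(demo())    # ('jody@REALM1.COM', None)
```

The back-end's failure is by construction, not a bug: the token was never meant for it. The delegation Brandon's option 2 refers to is the way around this, in which the proxy, having authenticated the user, obtains its own ticket for the back-end's SPN on the user's behalf rather than replaying the browser's token; forwarding the original Negotiate header unchanged will always produce the result modelled here.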
