
Sign in via HTTP-Auth doesn't do anything #12

Open
mallorn opened this issue Feb 22, 2012 · 10 comments

Comments

@mallorn

mallorn commented Feb 22, 2012

Hi,

I'm running Redmine 1.3.1 with the latest http_auth (0.3.0-dev). I am also running Apache 2.2.15 with mod_ssl and mod_proxy; you need to authenticate to Apache using BASIC AUTH, then your connection is proxied through to the webrick server using /redmine as the URI. The user's login is set in the environment variable REMOTE_USER_LHS.

http_auth is configured to use REMOTE_USER_LHS as the variable and the login name is used for local user lookup.

When I configure http_auth in Redmine I get a link to a blank page with a URI of

/redmine/httpauth-login

Am I misunderstanding how this is supposed to work or missing any key information?

Thanks for any advice,

Chris

@kevinfoote

In your httpd.conf file you need to protect that location with whatever you are using to authenticate.
I am using an SSO module, but whatever you are using should work fine.

<Location ~ "/httpauth-*">
    # the "-*" only repeats the dash, so this matches any path containing "/httpauth",
    # e.g. /redmine/httpauth-login
    AuthType Basic
    Require valid-user
</Location>

Other apache directives might have to be included with your particular Authn/z choice..

@mallorn
Author

mallorn commented Feb 23, 2012

Hi Kevin,

I wonder if I'm SOL. I'm using mod_auth_kerb which sets the AuthType to KerberosV5.

So although it's using HTTP BASIC AUTH as described in RFC 1945, is http_auth not recognizing it properly because of the AuthType? Here's the Apache section:

 Redirect /redmine https://secure.example.com/redmine/
 ProxyPass /redmine/ http://localhost:3000/
 ProxyPassReverse /redmine/ http://localhost:3000/
 <Location /redmine/>
     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
     RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
     AuthType KerberosV5
     AuthName "Secure (SSL) Kerberos Login"
     KrbAuthRealm EXAMPLE.COM
     require valid-user
</Location>

I was hoping that it would essentially see that $REMOTE_USER_LHS was set and would just login with that user, but I'm a Perl guy (not Ruby), so it's going to take me a while to figure out what's going on in the code. :)

My main goal is to make webrick unavailable to the outside world via iptables and force all access through Apache to minimize security risks. Right now you can log in through Apache and then log in again to Redmine, but we'd like to remove locally-stored passwords entirely from the Web server to tighten up security further. Using the Apache authentication only would allow us to do that.

Thanks for the reply!

@kevinfoote

Chris.. sorry, my formatting example was messed up before.

No, you should be good.. substitute your auth mechanics for the AuthType line. I was just giving an example.

Mine is not Basic.. I use my local auth type, which is a separate SSO product.

I could envision yours looking like

<Location ~ "/httpauth-*">
 AuthType KerberosV5
 Require valid-user
</Location>

@mallorn
Author

mallorn commented Feb 23, 2012

Hi Kevin,

Mine has a path of /redmine/httpauth-login, so it's covered under that AuthType section above.

Unfortunately, it doesn't seem to make a difference. For giggles' sake I added your configuration file changes too, but I get the same results. Does the path have to be /httpauth* (and not proxied?)

@kevinfoote

Do something like this.. honestly, I don't know the kerb module though.

 <Location /redmine/>
     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
     RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
     AuthType KerberosV5
     AuthName "Secure (SSL) Kerberos Login"
     KrbAuthRealm EXAMPLE.COM
     ## require valid-user
</Location>

<Location ~ "/redmine/httpauth-*">
 AuthType KerberosV5
 Require valid-user
</Location>

@mallorn
Author

mallorn commented Feb 23, 2012

Hi Kevin,

Still no difference with those changes.

I'll try messing around with the code over the weekend to see if I can add some kind of logging to http_auth to track what's going on.

I appreciate the input (and any new ideas you come up with)!

@AdamLantos
Owner

Hi,

I didn't have the time to check the plugin against redmine-1.3. The plugin itself does not care which actual authentication method you are using, it just looks up the configured variable from the CGI/HTTP environment, and logs the user in if this information is there. The white page would suggest that something crashed. Are there any suspicious entries in apache or webrick logs?

Also the plugin was not yet checked against latest redmine releases, so I would expect some major API changes there :(

regards,
Adam

@mallorn
Author

mallorn commented Mar 8, 2012

Hi Adam,

Thanks for your reply!

Unfortunately, no, there are no errors in any of the logs for Apache or webrick.

I haven't had time to play with the source and try tracking this down yet, but I plan to. Since I'm the only one using Redmine at this point having me log in twice isn't a big deal, so it's been low priority. :)

I appreciate that you confirmed what the plugin does for me; it will help with my debugging. Who knows; I could be losing all of the environment variables in my proxy or webrick could fail to pick them up for all I know.

Thanks,

Chris

@mallorn
Author

mallorn commented Mar 8, 2012

Adding to my comment... It looks like the loss of environment variables is the problem. REMOTE_USER isn't set when it gets to webrick.

I turned on debugging and added this to http_auth_patch.rb:

  remote_username = remote_user
  # debug: dump every request header so we can see whether REMOTE_USER survived the proxy
  if logger && logger.info?
    logger.info request.headers.inspect
  end

It logs some things, but REMOTE_USER is empty.

I'll keep messing around. Experienced Perl programmer here, but I've only been using Ruby for all of one hour. :D But as far as I can tell, this is an Apache failing.

EDIT: changed it to display all headers.

@mallorn
Author

mallorn commented Mar 8, 2012

Success! This appears to be a known issue; one has to explicitly set the header, such as:

  Redirect /redmine https://secure.example.com/redmine/
  ProxyPass /redmine/ http://localhost:3000/
  ProxyPassReverse /redmine/ http://localhost:3000/
  <Location /redmine/>
      RewriteEngine On
      RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
      RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
      RequestHeader add REMOTE_USER %{REMOTE_USER_LHS}e
      AuthType KerberosV5
      AuthName "Secure (SSL) Kerberos Login"
      KrbAuthRealm EXAMPLE.COM
      require valid-user
 </Location>

Note the RequestHeader add line; that creates an environment variable named HTTP_REMOTE_USER which you can then configure http_auth to use as the server environment variable for authentication.

Sorry to have taken everyone's time! Hopefully this process will help someone else.
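Added example (not code from the http_auth plugin, from Redmine, or from anyone in this thread): a small Ruby model of what Adam describes the plugin doing (read one configured variable from the CGI/HTTP environment and treat it as the login) and of why the working configuration ends up using HTTP_REMOTE_USER rather than REMOTE_USER. It also shows the checks a backend behind this kind of proxy should make before trusting the forwarded header. All function names, the EXAMPLE.COM realm constant and the sample env hash are assumptions made here for illustration.

```ruby
# Added example: models the trust boundary between the authenticating Apache
# proxy and the Redmine/WEBrick backend described in this issue. Function
# names, KERB_REALM and SAMPLE_ENV are invented here, not taken from the plugin.

# Apache "RequestHeader add REMOTE_USER ..." becomes an HTTP request header.
# WEBrick/Rack expose request headers to the application as CGI-style variables:
# upper-case the name, turn '-' into '_', and prefix "HTTP_". That is why the
# plugin must be pointed at HTTP_REMOTE_USER and not at REMOTE_USER (the latter
# is an Apache-side variable that mod_proxy does not forward at all).
def cgi_env_name(header_name)
  "HTTP_" + header_name.tr("-", "_").upcase
end

# Mirrors the RewriteCond in the thread: accept only principals of the expected
# Kerberos realm and keep the left-hand side as the local Redmine login.
KERB_REALM = "EXAMPLE.COM" # assumption: the realm used in the thread's config

def local_login_from_principal(principal, realm = KERB_REALM)
  m = /\A([^@]+)@#{Regexp.escape(realm)}\z/.match(principal.to_s)
  m && m[1]
end

# What the backend must check before trusting the proxied header:
#  * the variable is absent or empty: nobody was authenticated upstream (this is
#    what the plugin saw before the RequestHeader line was added), so refuse;
#  * the value contains a comma: "RequestHeader add" appends to any REMOTE_USER
#    header the client itself sent, and WEBrick joins duplicate headers with ", ",
#    so a multi-valued header means a client-supplied copy slipped through.
#    Prefer "RequestHeader set" on the Apache side (it replaces an existing
#    header); this check is the backend's second line of defence;
#  * the login contains characters no local account could have: refuse rather
#    than pass them into a user lookup.
def trusted_remote_user(env, var = cgi_env_name("REMOTE_USER"))
  value = env[var]
  return nil if value.nil? || value.strip.empty?
  return nil if value.include?(",")                 # merged/duplicated header
  return nil unless value =~ /\A[A-Za-z0-9._-]+\z/  # assumption: sane login charset
  value
end

# Constructed sample of the Rack env a request carries after the working
# configuration from the thread (chris@EXAMPLE.COM authenticated to Apache).
SAMPLE_ENV = {
  "HTTP_REMOTE_USER" => local_login_from_principal("chris@EXAMPLE.COM"),
}

if __FILE__ == $0
  puts "variable the plugin must read: #{cgi_env_name('REMOTE_USER')}"
  puts "login accepted from proxy:     #{trusted_remote_user(SAMPLE_ENV).inspect}"
  puts "spoof attempt rejected:        #{trusted_remote_user('HTTP_REMOTE_USER' => 'admin, chris').inspect}"
end
```

The checks only make sense together with what the issue author already planned: WEBrick must be reachable solely from Apache (the iptables rule mentioned above), because anyone who can open a TCP connection to port 3000 directly can send an arbitrary REMOTE_USER header and no amount of backend validation can tell it from the real one.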
