Re: [users@httpd] Client certificate auth behind f5 loadbalancer
On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin wrote:
> in my understanding authentication using client certificates is just a
> cryptographic validation of a public/private keypair over an already
> established ssl-secured channel.
> For example, it is possible to use an official certificate for the ssl
> channel and my own ca for client certificate validation.

It's part of the handshake, which can be later scrutinized by the
application layer. However, there is no standard way to share the client
certificate authenticated by a proxy with a backend origin server, and no
way at all that mod_ssl is willing to receive (that I am aware of).

--
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Client certificate auth behind f5 loadbalancer
Hi,

in my understanding authentication using client certificates is just a
cryptographic validation of a public/private keypair over an already
established ssl-secured channel.
For example, it is possible to use an official certificate for the ssl
channel and my own ca for client certificate validation.

Meanwhile I tried to find the suitable RFC to get details about this
problem - probably http://tools.ietf.org/html/rfc5246#page-55 might be
the right one.

Does anybody have the suitable background know-how of the RFC and mod_ssl
to help me find out the source of the problem?

Regards
Marc

On 25.06.2014 21:15, Jens-U. Mozdzen wrote:
> Hi Marc,
>
> Quoting Marc Schöchlin:
>> Hello apache-users,
>>
>> I'm trying to implement client certificate authentication behind an f5
>> loadbalancer.
>>
>> My loadbalancer terminates ssl, and dispatches the decrypted
>> communication via network address translation to the backend apache
>> server.
>> The client certificate auth should be performed at the webserver.
>>
>> Unfortunately the "SSLVerifyClient" directive is ignored and access is
>> always granted.
>> It seems that without enabled ssl transport encryption, the logic for
>> "SSLVerifyClient" is deactivated.
>>
>> Any hints?
>
> yes, your web server is only seeing the plain HTTP traffic - all the
> SSL "stuff" got stripped at the load balancer.
>
> You're so to speak asking to look at the post stamp of a letter, while
> you only received the content because your mail service already
> unpacked everything and dumped the envelope...
>
> Regards,
> Jens
Re: [users@httpd] Client certificate auth behind f5 loadbalancer
Hi Marc,

Quoting Marc Schöchlin:
> Hello apache-users,
>
> I'm trying to implement client certificate authentication behind an f5
> loadbalancer.
>
> My loadbalancer terminates ssl, and dispatches the decrypted
> communication via network address translation to the backend apache
> server.
> The client certificate auth should be performed at the webserver.
>
> Unfortunately the "SSLVerifyClient" directive is ignored and access is
> always granted.
> It seems that without enabled ssl transport encryption, the logic for
> "SSLVerifyClient" is deactivated.
>
> Any hints?

yes, your web server is only seeing the plain HTTP traffic - all the
SSL "stuff" got stripped at the load balancer.

You're so to speak asking to look at the post stamp of a letter, while
you only received the content because your mail service already
unpacked everything and dumped the envelope...

Regards,
Jens
Re: [users@httpd] Client certificate auth behind f5 loadbalancer
On Wed, Jun 25, 2014 at 3:08 PM, Marc Schöchlin wrote:
> [Browser with client cert]-->[Loadbalancer with SSL
> termination]-->[Apache 2.2.11]

What certificate would Apache have access to if the LB communicates to
it with HTTP?

--
Eric Covener
cove...@gmail.com
[users@httpd] Client certificate auth behind f5 loadbalancer
Hello apache-users,

I'm trying to implement client certificate authentication behind an f5
loadbalancer.

My loadbalancer terminates ssl, and dispatches the decrypted
communication via network address translation to the backend apache
server.
The client certificate auth should be performed at the webserver.

Unfortunately the "SSLVerifyClient" directive is ignored and access is
always granted.
It seems that without enabled ssl transport encryption, the logic for
"SSLVerifyClient" is deactivated.

Any hints?

Setup Overview:

[Browser with client cert]-->[Loadbalancer with SSL termination]-->[Apache 2.2.11]

Apache Configuration:
---
DocumentRoot "/data/etc/htdocs"
ServerName fooo-bar-test.f.de
CustomLog "|/usr/sbin/rotatelogs -l /data/logs/access-guisel-test.f.de.%Y-%m-%d.log 86400" combined_foobar_withdomain
ErrorLog "|/usr/sbin/rotatelogs -l /data/logs/error-guisel-test.f.de.%Y-%m-%d.log 86400"

SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
# SSLCARevocationFile /datashare/etc/ca/keys/ca.crl
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
Satisfy all
---

Regards
Marc
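The failure mode in this thread is easy to catch mechanically: mod_ssl's client-certificate directives only act inside a TLS handshake that this httpd instance performs itself, so a vhost without "SSLEngine on" carries SSLVerifyClient and SSLRequire that can never fire, and the request falls through to whatever other access control is configured (here none, hence "always granted"). The following config linter is an added example written for this thread, not httpd code or anything from the original posts. Both configuration texts are constructed: BROKEN_VHOST mirrors the posted vhost (the surrounding <VirtualHost> block is assumed, since the post shows only the directives), FIXED_VHOST is the same vhost if TLS is passed through to httpd rather than terminated at the balancer, and its certificate paths are placeholders.

```python
"""Lint an httpd configuration for mod_ssl access-control directives that
sit in a virtual host which does not terminate TLS itself.

Added example for the users@httpd thread, not httpd code.  The two config
texts below are constructed; <VirtualHost> wrappers and certificate paths
are assumptions, not taken from the original post.
"""
import re
from dataclasses import dataclass, field

# mod_ssl directives that only take effect inside a TLS handshake that
# this httpd instance performs itself (lower-cased for comparison).
HANDSHAKE_ONLY = {"sslverifyclient", "sslverifydepth", "sslrequire",
                  "sslcacertificatefile", "sslcarevocationfile"}

OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
CLOSE_RE = re.compile(r"^</VirtualHost>$", re.I)
DIRECTIVE_RE = re.compile(r"^(\S+)\s*(.*)$")


@dataclass
class VHost:
    addr: str
    ssl_engine_on: bool = False
    # (directive as written, line number) for each handshake-only directive
    handshake_only: list = field(default_factory=list)


def parse_vhosts(config_text):
    """Minimal parser: tracks <VirtualHost> blocks and the directives inside."""
    vhosts, current = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank line or comment
            continue
        m = OPEN_RE.match(line)
        if m:
            current = VHost(m.group(1))
            continue
        if CLOSE_RE.match(line) and current is not None:
            vhosts.append(current)
            current = None
            continue
        if current is None:                          # directive outside a vhost
            continue
        m = DIRECTIVE_RE.match(line)
        name, args = m.group(1).lower(), m.group(2).strip()
        if name == "sslengine":
            current.ssl_engine_on = args.lower() == "on"
        elif name in HANDSHAKE_ONLY:
            current.handshake_only.append((m.group(1), lineno))
    return vhosts


def inert_directives(config_text):
    """(vhost address, directive, line) for each mod_ssl directive that can
    never fire because its vhost never performs a TLS handshake."""
    out = []
    for vh in parse_vhosts(config_text):
        if vh.handshake_only and not vh.ssl_engine_on:
            out.extend((vh.addr, name, lineno) for name, lineno in vh.handshake_only)
    return out


# Constructed: the posted directives, as they would sit behind a balancer
# that terminates TLS and forwards plain HTTP.
BROKEN_VHOST = """\
<VirtualHost *:80>
    DocumentRoot "/data/etc/htdocs"
    ServerName fooo-bar-test.f.de
    SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
    # SSLCARevocationFile /datashare/etc/ca/keys/ca.crl
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
    Satisfy all
</VirtualHost>
"""

# Constructed: the same vhost when httpd is the TLS endpoint, so the
# handshake (and thus the client-certificate check) happens here.
FIXED_VHOST = """\
<VirtualHost *:443>
    DocumentRoot "/data/etc/htdocs"
    ServerName fooo-bar-test.f.de
    SSLEngine on
    SSLCertificateFile /path/to/placeholder/server.crt
    SSLCertificateKeyFile /path/to/placeholder/server.key
    SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
    Satisfy all
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        print(label)
        for addr, name, lineno in inert_directives(cfg):
            print(f"  line {lineno}: {name} in <VirtualHost {addr}> is inert "
                  "(no 'SSLEngine on', httpd never sees a client certificate)")
```

Run it on a real httpd.conf by reading the file into the function; the parser deliberately only understands <VirtualHost> blocks, so per-directory SSLVerifyClient (which triggers a renegotiation in an already-TLS vhost) is out of scope here.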
Re: [users@httpd] MaxClients exceeded error message
On Wed, Jun 25, 2014 at 8:52 AM, Robin Becker wrote:
> An apache 2.2 mpm prefork site which uses an external mod_fastcgi socket
> to django was experiencing slowdowns during a busy period.
>
> The main symptom seemed to be a connection delay of up to 10 seconds.
>
> At the time I saw the machine was not heavily loaded in cpu or memory, but
> there were a large number of apache processes; stupidly I didn't think to
> count them.
>
> Later I looked for an error message related to MaxClients exceeded or
> similar, but could not see any.

It only appears once per generation, so it might have been days before
you noticed the symptom. (Generation: each fresh start or restart of the
server is a generation. This can be viewed from mod_status.)

> I have upped the MaxClients setting from 150 to 300 and in another busy
> period don't see the slowdown although monitoring the apache process count
> shows it can exceed the old limit.
>
> The django side of this is not especially fast and the single socket
> connection seems like it might be a choke point, but my understanding is
> that the django side of the fastcgi is also spawning children to handle the
> requests.
>
> What are the effects of MaxClient limit being exceeded?

Delays in processing new connections; depending on load and MaxClients
and ListenBacklog, some new connections might even get rejected.

> Should I have seen an error message if it was exceeded?

Once per generation.

--/--

It can be useful to log the response time in microseconds (%D in log
format) in order to distinguish delays in the application (delay is
reflected in the value for %D) from delays before httpd starts processing
it due to capacity tuning (delay not reflected in the value for %D since
it happened before processing started).

> --
> Robin Becker

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
[users@httpd] MaxClients exceeded error message
An apache 2.2 mpm prefork site which uses an external mod_fastcgi socket
to django was experiencing slowdowns during a busy period.

The main symptom seemed to be a connection delay of up to 10 seconds.

At the time I saw the machine was not heavily loaded in cpu or memory, but
there were a large number of apache processes; stupidly I didn't think to
count them.

Later I looked for an error message related to MaxClients exceeded or
similar, but could not see any.

I have upped the MaxClients setting from 150 to 300 and in another busy
period don't see the slowdown although monitoring the apache process count
shows it can exceed the old limit.

The django side of this is not especially fast and the single socket
connection seems like it might be a choke point, but my understanding is
that the django side of the fastcgi is also spawning children to handle the
requests.

What are the effects of MaxClient limit being exceeded?
Should I have seen an error message if it was exceeded?

--
Robin Becker
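The %D suggestion in the reply above is the practical way to answer Robin's question after the fact: if clients waited ten seconds but no request in the access log shows anything near ten seconds of httpd time, the wait happened before httpd accepted the connection, which is what an exhausted MaxClients (plus a full ListenBacklog) looks like, and the once-per-generation error message may already have scrolled past. The script below is an added example written for this thread, not part of the original posts or of httpd. It assumes a constructed LogFormat "%h %l %u %t \"%r\" %>s %b %D"; the log lines are constructed, not real traffic.

```python
"""Tell application latency apart from queueing-before-processing latency
using the %D field (microseconds httpd spent on the request).

Added example for the users@httpd thread; not httpd code.  Assumed log
format (constructed for this example):
    LogFormat "%h %l %u %t \\"%r\\" %>s %b %D" timed
All sample log lines below are constructed.
"""
import re
from statistics import median

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$')

# Constructed: a busy period in which clients saw ~10 s delays, yet every
# request was fast once httpd had it.  Nothing in %D explains the wait.
QUEUED_LOG = """\
10.0.0.5 - - [25/Jun/2014:14:02:11 +0100] "GET / HTTP/1.1" 200 5120 183422
10.0.0.6 - - [25/Jun/2014:14:02:12 +0100] "GET /api/x HTTP/1.1" 200 812 240117
10.0.0.7 - - [25/Jun/2014:14:02:14 +0100] "POST /login HTTP/1.1" 302 0 97530
10.0.0.8 - - [25/Jun/2014:14:02:15 +0100] "GET /static/a.css HTTP/1.1" 200 2210 1731
"""

# Constructed: a busy period in which one request genuinely spent ~9.5 s
# inside the application (the FastCGI backend), visible directly in %D.
SLOW_APP_LOG = """\
10.0.0.5 - - [25/Jun/2014:14:10:01 +0100] "GET / HTTP/1.1" 200 5120 201004
10.0.0.7 - - [25/Jun/2014:14:10:03 +0100] "POST /login HTTP/1.1" 302 0 9532001
10.0.0.8 - - [25/Jun/2014:14:10:05 +0100] "GET /static/a.css HTTP/1.1" 200 2210 1650
"""


def parse(log_text):
    """Parse lines in the assumed format; lines in another format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rows.append({"host": m["host"], "req": m["req"],
                     "status": int(m["status"]), "usec": int(m["usec"])})
    return rows


def slow_requests(rows, threshold_s=1.0):
    """Request lines whose httpd-side time reached the threshold."""
    return [r["req"] for r in rows if r["usec"] >= threshold_s * 1_000_000]


def locate_delay(rows, observed_delay_s):
    """Where was a client-observed delay spent?

    If the slowest logged %D comes close to the observed delay, the time
    went into processing (application / backend).  If no request comes
    near it, httpd did not have the request during that time: it was
    waiting to be accepted, i.e. capacity (MaxClients, ListenBacklog).
    """
    if not rows:
        return "no-data"
    slowest_s = max(r["usec"] for r in rows) / 1_000_000
    return "application" if slowest_s >= 0.8 * observed_delay_s else "before-processing"


def summary(rows):
    usec = [r["usec"] for r in rows]
    return {"count": len(usec),
            "median_ms": median(usec) / 1000,
            "max_ms": max(usec) / 1000}


if __name__ == "__main__":
    for label, text in (("queued", QUEUED_LOG), ("slow app", SLOW_APP_LOG)):
        rows = parse(text)
        print(label, summary(rows), "->", locate_delay(rows, observed_delay_s=10.0),
              "slow:", slow_requests(rows))
```

The 0.8 factor is a tolerance for client-side network time and is an assumption of this example; the point is the contrast between the two sample sets, not the exact cut-off.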
Re: [users@httpd] Windows LDAP/AD authentication on apache2
On Wed, Jun 25, 2014 at 4:50 AM, Rahul R wrote:
> I am not sure what I am missing here. Is there a way to get more info in
> the logs? or a solution to fix this issue.

In 2.4, there is LDAPLibraryDebug or of course

  LogLevel debug authnz_ldap:trace8 ldap:trace8

In 2.2, you just have LogLevel debug and a debug module called
mod_ldap_debug:
https://github.com/covener/apache-modules/tree/master/mod_ldap_debug

--
Eric Covener
cove...@gmail.com
Re: [users@httpd] Windows LDAP/AD authentication on apache2
L0p98u uh l0lff g 0] 0g0lu0l

On Jun 25, 2014 1:50 AM, "Rahul R" wrote:
> Greetings,
>
> I am trying to set up an apache with windows AD authentication. Below is
> my entry in the httpd.conf.
>
> # Using this to bind
> AuthType Basic
> AuthName "R's Web Site: Login with user id"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthLDAPBindDN "cn=s0934095,ou=Groups,ou=PROD,dc=Global,dc=ad,dc=bozz,dc=com"
> AuthLDAPBindPassword "abcd1234"
> AuthLDAPURL "ldap://global.ad.sabre.com:389/ou=PROD,dc=global,dc=ad,dc=bozz,dc=com?sAMAccountName?sub?(objectClass=*)"
> Require valid-user
>
> I am getting the login form, but for some reason it's not getting
> authenticated. I see the below error.
>
> user s0210764: authentication failure for "/index.html": Password Mismatch
>
> I am not sure what I am missing here. Is there a way to get more info in
> the logs? or a solution to fix this issue.
>
> --
> Thanks, Regards,
> Rahul R
>   .~.
>   /V\
>  // \\
> /(   )\
>  ^`~'^
> Mob: 09008030921
[users@httpd] Windows LDAP/AD authentication on apache2
Greetings,

I am trying to set up an apache with windows AD authentication. Below is
my entry in the httpd.conf.

# Using this to bind
AuthType Basic
AuthName "R's Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN "cn=s0934095,ou=Groups,ou=PROD,dc=Global,dc=ad,dc=bozz,dc=com"
AuthLDAPBindPassword "abcd1234"
AuthLDAPURL "ldap://global.ad.sabre.com:389/ou=PROD,dc=global,dc=ad,dc=bozz,dc=com?sAMAccountName?sub?(objectClass=*)"
Require valid-user

I am getting the login form, but for some reason it's not getting
authenticated. I see the below error.

user s0210764: authentication failure for "/index.html": Password Mismatch

I am not sure what I am missing here. Is there a way to get more info in
the logs? or a solution to fix this issue.

--
Thanks, Regards,
Rahul R
  .~.
  /V\
 // \\
/(   )\
 ^`~'^
Mob: 09008030921
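Before turning up authnz_ldap tracing as Eric suggests, it is worth checking that the AuthLDAPURL says what you think it says, because mod_authnz_ldap reads it as ldap://host[:port]/basedn?attribute?scope?filter and then searches for (&(filter)(attribute=login)) with the bind account before it tries to bind as the found user. The checker below is an added example written for this thread, not httpd code. It parses a URL into those parts, applies the documented defaults (attribute uid, scope sub, filter (objectClass=*)), flags stray whitespace of the kind a mail-wrapped config line picks up, and builds the resulting search filter with the login name escaped per RFC 4515 so that a user-supplied name cannot alter the filter. The sample URLs are constructed to mirror the shape of the posted one; the host name with a stray space is an illustration, not a claim about the poster's setup.

```python
"""Parse an AuthLDAPURL the way mod_authnz_ldap reads it and show the
resulting search filter for a login name.

Added example for the users@httpd thread; not httpd code.  Both sample
URLs below are constructed.
"""
import re

URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^/]*)/(?P<rest>.*)$", re.S)
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into parts,
    filling mod_authnz_ldap's defaults and collecting warnings."""
    warnings = []
    m = URL_RE.match(url.strip('"'))
    if m is None:
        raise ValueError("not an ldap:// or ldaps:// URL with a base DN")
    parts = m.group("rest").split("?", 3)
    names = ["basedn", "attribute", "scope", "filter"]
    defaults = {"attribute": "uid", "scope": "sub", "filter": "(objectClass=*)"}
    fields = {"scheme": m.group("scheme")}
    for name, raw in zip(names, parts + [None] * (4 - len(parts))):
        if raw is None or raw == "":
            fields[name] = defaults.get(name, "")
            continue
        if re.search(r"\s", raw):
            warnings.append(f"{name} contains whitespace: {raw!r}")
            raw = raw.strip()
        fields[name] = raw
    hostport = m.group("host")
    if re.search(r"\s", hostport):
        warnings.append(f"host contains whitespace: {hostport!r}")
        hostport = hostport.strip()
    host, _, port = hostport.partition(":")
    fields["host"] = host
    fields["port"] = int(port) if port else DEFAULT_PORT[fields["scheme"]]
    if fields["scope"] not in ("one", "sub", "base"):
        warnings.append(f"unknown scope {fields['scope']!r}")
    if not fields["filter"].startswith("("):
        warnings.append("filter is not parenthesised: " + fields["filter"])
    fields["warnings"] = warnings
    return fields


def search_filter(parsed, login):
    """The filter mod_authnz_ldap effectively searches with for a login."""
    return f"(&{parsed['filter']}({parsed['attribute']}={escape_filter_value(login)}))"


# Constructed: shape of the posted URL, with whitespace left in as it would
# survive a wrapped mail line.
WRAPPED_URL = ('"ldap:// ad.example.test:389/ou=PROD,dc=example,dc=test'
               '?sAMAccountName?sub?(objectClass=*) "')
CLEAN_URL = ('"ldap://ad.example.test/ou=PROD,dc=example,dc=test'
             '?sAMAccountName?sub?(objectClass=*)"')

if __name__ == "__main__":
    for url in (WRAPPED_URL, CLEAN_URL):
        p = parse_auth_ldap_url(url)
        print(p["host"], p["port"], p["basedn"], p["attribute"], p["scope"], p["filter"])
        for w in p["warnings"]:
            print("  warning:", w)
        print("  search:", search_filter(p, "s0210764"))
```

A "Password Mismatch" after a successful search still only tells you the bind as the found DN failed; the trace levels Eric lists show the DN that was searched and bound, which this parser cannot.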