[us...@httpd] Protocol transition between Basic Auth and Kerberos.
Hi,

I want to use Apache as reverse proxy against MS SharePoint with negotiate (Kerberos) enabled from Internet. I can't set the client to support Windows Integrated security, so Apache needs to be able to translate basic authentication into a Kerberos ticket on behalf of the user. (This is possible in MS ISA server.)

Is it possible with Apache web server?

Thanks,
Dag Efjestad

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [us...@httpd] REMOTE_USER and PROXY request
Thanks Tom, I think I got it now.

It was about the + sign. If I did match against "RewriteCond %{LA-U:REMOTE_USER} (.*)" - the condition was true even if the REMOTE_USER was empty. The result was that the proxy request was done before there was a value. As our log shows the REMOTE_USER is filled out in the third run.

Thanks for all help,
Cheers
Dag

-----Original Message-----
From: Tom Evans [mailto:tevans...@googlemail.com]
Sent: 28 May 2009 15:23
To: users@httpd.apache.org
Subject: RE: [us...@httpd] REMOTE_USER and PROXY request

On Thu, 2009-05-28 at 13:58 +0200, Efjestad, Dag wrote:
> No, when I do this the value in RewriteCond is null.
>
> From logfile:
> lookahead: path=/kongsberg/ var=REMOTE_USER -> val=
> RewriteCond: input='' pattern='(.*)' => matched
>
> -----Original Message-----
> From: Tom Evans [mailto:tevans...@googlemail.com]
> Sent: 28 May 2009 11:49
> To: users@httpd.apache.org
> Subject: Re: [us...@httpd] REMOTE_USER and PROXY request
>
> On Thu, 2009-05-28 at 10:52 +0200, Efjestad, Dag wrote:
> > Hi.
> >
> > I can't get access to the REMOTE_USER value when I do a proxy request. The value is empty.
> > RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [P,L]
> >
> > For rewrite against directory URL's I get the value.
> > RewriteRule ^/kongsberg(.*) /kongsberg/%{LA-U:REMOTE_USER}$1 [L]
> >
> > and for redirect it works:
> > RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [R,L]
> >
> > I also tried this syntax with same result - no value in REMOTE_USER env. var.:
> > RewriteCond %{LA-U:REMOTE_USER} (.+)
> > RewriteRule . - [E=RU:%1]
> >
> > ProxyRequests Off
> > ProxyPassInterpolateEnv On
> > ProxyPass /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate
> > ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate
> >
> > I also noticed that I can see the username value in the access logfile but not in the rewrite logfile.
> >
> > Suggestions anyone?
> >
> > Kind regards, Dag
> >
> Does this not work?
>
> RewriteCond %{LA-U:REMOTE_USER} (.+)
> RewriteRule /kongsberg/ http://aeoas02/kongsberg/%1/ [P]
>
> Cheers
>
> Tom
>

From my testing, that config works fine:

ServerName ssoauth
DocumentRoot /usr/local/www/ssoauth/htdocs
Order allow,deny
Allow from all
KeepAlive Off
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /kongsberg/ http://ssoauth:8081/kongsberg/%1/ [P]
RewriteLog /var/log/rwrite.log
RewriteLogLevel 5
Include auth/ldap_group_it.conf

The log then shows this:
(cat /var/log/rwrite.log | sed 's:.*] ::')

(2) init rewrite engine with requested uri /kongsberg/
(3) applying pattern '/kongsberg/' to uri '/kongsberg/'
(2) init rewrite engine with requested uri /kongsberg/
(3) applying pattern '/kongsberg/' to uri '/kongsberg/'
(4) RewriteCond: input='' pattern='(.+)' => not-matched
(1) pass through /kongsberg/
(2) init rewrite engine with requested uri /kongsberg/index.html
(3) applying pattern '/kongsberg/' to uri '/kongsberg/index.html'
(2) init rewrite engine with requested uri /kongsberg/index.html
(3) applying pattern '/kongsberg/' to uri '/kongsberg/index.html'
(4) RewriteCond: input='' pattern='(.+)' => not-matched
(1) pass through /kongsberg/index.html
(5) lookahead: path=/kongsberg/index.html var=REMOTE_USER -> val=tevans
(4) RewriteCond: input='tevans' pattern='(.+)' => matched
(2) rewrite '/kongsberg/index.html' -> 'http://ssoauth:8081/kongsberg/tevans/'
(2) forcing proxy-throughput with http://ssoauth:8081/kongsberg/tevans/
(1) go-ahead with proxy request proxy:http://ssoauth:8081/kongsberg/tevans/ [OK]
(5) lookahead: path=/kongsberg/ var=REMOTE_USER -> val=tevans
(4) RewriteCond: input='tevans' pattern='(.+)' => matched
(2) rewrite '/kongsberg/' -> 'http://ssoauth:8081/kongsberg/tevans/'
(2) forcing proxy-throughput with http://ssoauth:8081/kongsberg/tevans/
(1) go-ahead with proxy request proxy:http://ssoauth:8081/kongsberg/tevans/ [OK]

This log is for just one request.

Are you sure that you are authenticated using apache auth modules? REMOTE_USER would be empty if you are not authenticated.

Cheers

Tom

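An added example, not part of the thread: a Python check over RewriteLog output in the format quoted above that flags proxy requests issued after a RewriteCond matched on an empty input, which is the `(.*)` versus `(.+)` failure described in this message. The sample log lines, the host backend.example and the user alice are constructed; the RewriteCond log line does not name the tested variable, so the check assumes an empty input means a missing REMOTE_USER.

```python
import re

# Constructed sample in the RewriteLog format quoted in the thread
# (timestamp prefix stripped, as with the sed command above).
SAMPLE_LOG = """\
(3) applying pattern '^/kongsberg/(.*)' to uri '/kongsberg/'
(4) RewriteCond: input='' pattern='(.*)' => matched
(2) rewrite '/kongsberg/' -> 'http://backend.example/kongsberg//'
(2) forcing proxy-throughput with http://backend.example/kongsberg//
(3) applying pattern '/kongsberg/' to uri '/kongsberg/'
(4) RewriteCond: input='' pattern='(.+)' => not-matched
(1) pass through /kongsberg/
(5) lookahead: path=/kongsberg/ var=REMOTE_USER -> val=alice
(4) RewriteCond: input='alice' pattern='(.+)' => matched
(2) rewrite '/kongsberg/' -> 'http://backend.example/kongsberg/alice/'
(2) forcing proxy-throughput with http://backend.example/kongsberg/alice/
"""

RULE_START = re.compile(r"applying pattern '")
COND = re.compile(
    r"RewriteCond: input='(?P<input>[^']*)' pattern='(?P<pattern>[^']*)'"
    r" => (?P<result>matched|not-matched)"
)
PROXY = re.compile(r"forcing proxy-throughput with (?P<url>\S+)")


def find_empty_input_proxying(log_text):
    """Return (pattern, url) for each proxy request that was issued after
    a RewriteCond matched on an empty input string."""
    findings = []
    empty_match = None  # pattern that matched '' in the current rule pass
    for line in log_text.splitlines():
        if RULE_START.search(line):
            empty_match = None          # a new rule evaluation starts
            continue
        cond = COND.search(line)
        if cond:
            if cond["result"] == "not-matched":
                empty_match = None      # the rule will not fire
            elif cond["input"] == "":
                empty_match = cond["pattern"]
            continue
        proxy = PROXY.search(line)
        if proxy and empty_match is not None:
            findings.append((empty_match, proxy["url"]))
            empty_match = None
    return findings


if __name__ == "__main__":
    for pattern, url in find_empty_input_proxying(SAMPLE_LOG):
        print(f"empty input matched {pattern!r}; proxied to {url}")
```
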
RE: [us...@httpd] REMOTE_USER and PROXY request
No, when I do this the value in RewriteCond is null.

From logfile:
lookahead: path=/kongsberg/ var=REMOTE_USER -> val=
RewriteCond: input='' pattern='(.*)' => matched

-----Original Message-----
From: Tom Evans [mailto:tevans...@googlemail.com]
Sent: 28 May 2009 11:49
To: users@httpd.apache.org
Subject: Re: [us...@httpd] REMOTE_USER and PROXY request

On Thu, 2009-05-28 at 10:52 +0200, Efjestad, Dag wrote:
> Hi.
>
> I can't get access to the REMOTE_USER value when I do a proxy request. The value is empty.
> RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [P,L]
>
> For rewrite against directory URL's I get the value.
> RewriteRule ^/kongsberg(.*) /kongsberg/%{LA-U:REMOTE_USER}$1 [L]
>
> and for redirect it works:
> RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [R,L]
>
> I also tried this syntax with same result - no value in REMOTE_USER env. var.:
> RewriteCond %{LA-U:REMOTE_USER} (.+)
> RewriteRule . - [E=RU:%1]
>
> ProxyRequests Off
> ProxyPassInterpolateEnv On
> ProxyPass /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate
> ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate
>
> I also noticed that I can see the username value in the access logfile but not in the rewrite logfile.
>
> Suggestions anyone?
>
> Kind regards, Dag
>

Does this not work?

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /kongsberg/ http://aeoas02/kongsberg/%1/ [P]

Cheers

Tom

[us...@httpd] REMOTE_USER and PROXY request
Hi.

I can't get access to the REMOTE_USER value when I do a proxy request. The value is empty.
RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [P,L]

For rewrite against directory URL's I get the value.
RewriteRule ^/kongsberg(.*) /kongsberg/%{LA-U:REMOTE_USER}$1 [L]

and for redirect it works:
RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [R,L]

I also tried this syntax with same result - no value in REMOTE_USER env. var.:
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

ProxyRequests Off
ProxyPassInterpolateEnv On
ProxyPass /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate
ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/${RU}/ interpolate

I also noticed that I can see the username value in the access logfile but not in the rewrite logfile.

Suggestions anyone?

Kind regards, Dag

RE: [us...@httpd] Userid and reverse proxy
Yes I tried LA-U without any luck :-(

-----Original Message-----
From: Stefano Sasso [mailto:stesa...@gmail.com]
Sent: 27 May 2009 21:20
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Userid and reverse proxy

2009/5/27 Efjestad, Dag :
> I tried several options but no value in remote_user.

did you try with LA-U?

from apache mod_rewrite docs:
For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).

bye,

--
Stefano Sasso
stesa...@gmail.com
http://www.gnustile.net/

RE: [us...@httpd] Userid and reverse proxy
Thanks but I tried that. The problem is that the value of REMOTE_USER has no value.
I use apache version 2.2

Here is the configuration:
AuthType basic
AuthName "LOS"
AuthUserFile conf/LOSbasicauth.sec
Require user u1 u2 u3

RewriteCond %{REMOTE_HOST} (.*)
RewriteRule ^/kongsberg/(.*) http://aeoas02/LOS/kongsberg/%1/$1 [QSA,P,L]

In the access_log I get:
IPADDRESS - u1 [27/May/2009:16:03:25 +0200] "GET /kongsberg/ HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; MS-RTC LM 8)"

In the rewrite log I get:
IPADDRESS - - applying pattern '^/kongsberg/(.*)' to uri '/kongsberg/'
IPADDRESS - - RewriteCond: input='' pattern='(.*)' => matched
IPADDRESS - - rewrite '/kongsberg/' -> 'http://krsoastest01/test/kongsberg//'
IPADDRESS - - forcing proxy-throughput with http://aeoas02/kongsberg//

I can't see the username in the rewrite log.
I tried several options but no value in remote_user.

Tnx, Dag

-----Original Message-----
From: Stefano Sasso [mailto:stesa...@gmail.com]
Sent: 27 May 2009 13:14
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Userid and reverse proxy

2009/5/27 Efjestad, Dag :
>
> AuthType basic
> AuthName "Requierd users"
> AuthUserFile conf/basicauth.sec
> Require user user1 user2 user3
>
> ProxyRequests Off
> ProxyPass /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%
> ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%
>
> The variable %AuthenticatedUserId% should contain user1, user2 or user3.
>
> Anyone know a way of solving this problem?

you can try with mod_rewrite and [P]:

RewriteEngine On
RewriteRule ^/kongsberg(.*) http://aeoas02/kongsberg/%{LA-U:REMOTE_USER}$1 [P,L]

bye,

--
Stefano Sasso
stesa...@gmail.com
http://www.gnustile.net/

RE: [us...@httpd] Userid and reverse proxy
Jeff, I think you have misunderstood the problem.
The problem is that I different web pages for different users.

/dag

-----Original Message-----
From: Jeff Shearer [mailto:j...@shearer-family.org]
Sent: 27 May 2009 09:07
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Userid and reverse proxy

Try using a group rather than a list of users. See http://httpd.apache.org/docs/2.2/howto/auth.html#lettingmorethanonepersonin for a discussion.

Efjestad, Dag wrote:
> Hi
>
> I want to do something like this:
>
> AuthType basic
> AuthName "Requierd users"
> AuthUserFile conf/basicauth.sec
> Require user user1 user2 user3
>
> ProxyRequests Off
> ProxyPass /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%
> ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%
>
> The variable %AuthenticatedUserId% should contain user1, user2 or user3.
>
> Anyone know a way of solving this problem?
>
> Best Regards
> Dag Efjestad, Norway

[us...@httpd] Userid and reverse proxy
Hi

I want to do something like this:

AuthType basic
AuthName "Requierd users"
AuthUserFile conf/basicauth.sec
Require user user1 user2 user3

ProxyRequests Off
ProxyPass /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%
ProxyPassReverse /kongsberg/ http://aeoas02/kongsberg/%AuthenticatedUserId%

The variable %AuthenticatedUserId% should contain user1, user2 or user3.

Anyone know a way of solving this problem?

Best Regards
Dag Efjestad, Norway

[EMAIL PROTECTED] RE: Problem with disk_cache on Windows 2003
-----Original Message-----
From: Efjestad, Dag [mailto:[EMAIL PROTECTED]
Sent: 14 July 2008 08:12
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Problem with disk_cache on Windows 2003

Hello

I'm trying to get mod_cache and mod_disk_cache to work correctly. Problem summary is that disk cache is not working properly - sending empty data to the client for some content like the css file. I use Apache as a reverse proxy.

I get a lot of these messages in the log file:
[Sun Jul 13 14:09:38 2008] [warn] (OS 5)Access is denied. : disk_cache: rename tempfile to datafile failed: c:/webcache/los/aptmpx1asW8 -> c:/webcache/los/Ra/N6/fS/iBGQrEATWPwwO4iA.data
[Sun Jul 13 14:10:04 2008] [warn] (OS 5)Access is denied. : disk_cache: rename tempfile to datafile failed: c:/webcache/los/aptmpaeiuxe -> c:/webcache/los/O7/ub/HS/Hp2X7mMoCK1NgpAA.data

I am running Apache/2.2.8 (Win32) on a Windows 2003 server.
The security settings on c:\webcache directory is everyone="full access".

Apache Cache configuration is:
ExpiresActive on
ExpiresDefault "now plus 5 minutes"
CacheRoot c:/webcache/los
CacheEnable disk /
CacheDefaultExpire 300
CacheMaxExpire 300
CacheIgnoreHeaders Set-Cookie
CacheIgnoreCacheControl On
CacheIgnoreNoLastMod On
CacheStoreNoStore On
CacheStorePrivate On

Have I done some error in the configuration or is it something I missed?

Thanks in advance.
Dag

[EMAIL PROTECTED] Problem with disk_cache on Windows 2003
Hello

I'm trying to get mod_cache and mod_disk_cache to work correctly. Problem summary is that disk cache is not working properly - sending empty data to the client for some content like the css file. I use Apache as a reverse proxy.

I get a lot of these messages in the log file:
[Sun Jul 13 14:09:38 2008] [warn] (OS 5)Access is denied. : disk_cache: rename tempfile to datafile failed: c:/webcache/los/aptmpx1asW8 -> c:/webcache/los/Ra/N6/fS/iBGQrEATWPwwO4iA.data
[Sun Jul 13 14:10:04 2008] [warn] (OS 5)Access is denied. : disk_cache: rename tempfile to datafile failed: c:/webcache/los/aptmpaeiuxe -> c:/webcache/los/O7/ub/HS/Hp2X7mMoCK1NgpAA.data

I am running Apache/2.2.8 (Win32) on a Windows 2003 server.
The security settings on c:\webcache directory is everyone="full access".

Apache Cache configuration is:
ExpiresActive on
ExpiresDefault "now plus 5 minutes"
CacheRoot c:/webcache/los
CacheEnable disk /
CacheDefaultExpire 300
CacheMaxExpire 300
CacheIgnoreHeaders Set-Cookie
CacheIgnoreCacheControl On
CacheIgnoreNoLastMod On
CacheStoreNoStore On
CacheStorePrivate On

Have I done some error in the configuration or is it something I missed?

Thanks in advance.
Dag