Re: [users@httpd] Public viewing when it should be private

2021-05-20 Thread Michael Wechner

Hi Michael

I think it depends on your SSO app, more specifically what standards it 
supports.


For example you could use mod_auth_kerb and mod_auth_gssapi

https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
https://wiki.centos.org/HowTos/HttpKerberosAuth

Another possibility might be to use JWT

https://www.miniorange.com/apache-adfs-single-sign-on(sso)

or

https://github.com/zmartzone/mod_auth_openidc

Also have a look at

https://httpd.apache.org/docs/trunk/howto/auth.html

I am not sure what other possibilities exist which work together with 
your SSO app, but it might be less effort to just move your 
documentation into your app servers.


HTH

Michael



On 20.05.21 at 06:46, Michael D. wrote:

Hello user group.

I maintain a website that authenticates users through an internal 
single-sign-on app.


I have a documentation page that is publicly viewable but I only 
want it viewable after authentication. I've looked into .htaccess but 
I don't want a separate login process for users to view documentation. 
I want them to be able to login through our internal SSO and 
automatically have access to those documents that are currently stored 
on the web server.


Is this possible to do through Apache or should these static 
documentation pages be put on our app servers and then served up for 
authenticated users?


I'm not finding a way to avoid a second authentication process just to 
view documentation that is private info for only authorized users


(Fyi we have thousands of users that need access to this documentation.)
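
One way to do what this thread asks with mod_auth_openidc, as an added example that is not part of the original messages. It assumes the internal SSO app speaks OpenID Connect; the host names, client credentials and paths are placeholders.

```apache
# Added example: static documentation served by httpd, gated by the existing SSO.
# All names, URLs, secrets and paths below are placeholders.
<VirtualHost *:443>
    ServerName docs.example.test
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/docs.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/docs.example.test.key

    # httpd is registered with the SSO provider as an OpenID Connect client.
    OIDCProviderMetadataURL https://sso.example.test/.well-known/openid-configuration
    OIDCClientID            docs-site
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    OIDCScope               "openid email"

    # Callback path: it must sit under a location protected by the module
    # and must not map to any real file.
    OIDCRedirectURI         https://docs.example.test/docs/redirect_uri

    # Protects the module's own session and state cookies.
    OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_VALUE

    # Only the documentation tree requires a session. A user who is already
    # signed in at the SSO provider is bounced there and back without seeing
    # a second login form.
    <Location /docs/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

Requesting a page under /docs/ without any cookies should return a redirect to the SSO provider rather than the document itself.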




Re: [users@httpd] Reverse proxy issue with Chrome

2021-05-14 Thread Michael Wechner
Does your Chrome console have some additional hints?

Thanks

Michael

On Fri, 14 May 2021 at 14:44, Andreas Habel <aha...@uni-bremen.de> wrote:

> Hello,
>
> since Chrome and Chrome-based browsers recently were updated to Chrome
> 90 I am experiencing a 502 proxy error when I try to access my web
> servers with these browsers.
> Before the update to Chrome 90 things worked fine, and everything still
> works with Firefox.
>
> Here's my setup:
>
>                                                                --> webserver1
>
> Internet --> router/firewall --> web server with reverse proxy --> webserver2
>
>                                                                --> webserver3
>
>
> When accessing any of the web servers that are behind the reverse proxy
> I get the following in the error.log of the web server that is
> configured as reverse proxy:
> [Fri May 14 11:50:20.555724 2021] [proxy_http:error] [pid 1466:tid
> 140450128164608] (20014)Internal error (specific information not
> available): [client 192.168.0.1:42450] AH01102: error reading status
> line from remote server 192.168.0.102:80
> [Fri May 14 11:50:20.555768 2021] [proxy:error] [pid 1466:tid
> 140450128164608] [client 192.168.0.1:42450] AH00898: Error reading from
> remote server returned by /
> [Fri May 14 11:50:20.563497 2021] [reqtimeout:info] [pid 1467:tid
> 140450442671872] [client 192.168.0.1:42452] AH01382: Request header read
> timeout
>
> other_vhosts_access.log on web server with reverse proxy:
> webserver1.com:443 192.168.0.1 - - [14/May/2021:11:50:00 +0200] "GET /
> HTTP/1.1" 502 4344 "-" "Mozilla/5.0 (X11; Linux x86_64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
> OPR/76.0.4017.123"
> webserver2.com:443 192.168.0.1 - - [14/May/2021:11:50:20 +0200] "-" 408
> 3681 "-" "-"
> webserver1.com:443 192.168.0.1 - - [14/May/2021:11:50:20 +0200] "GET
> /favicon.ico HTTP/1.1" 200 24 "https://webserver1.com/; "Mozilla/5.0
> (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/90.0.4430.93 Safari/537.36 OPR/76.0.4017.123"
>
> access.log on webserver1:
> 192.168.3.11 - - [14/May/2021:11:50:20 +0200] "-" 408 0 "-" "-"
>
> 192.168.0.1 = router/firewall
> 192.168.3.11 = web server with reverse proxy in DMZ
> 192.168.0.102 = webserver1
>
> Here is the webserver1.conf in sites-enabled:
>
> 
> 
>   ServerName webserver1.com
>   SSLEngine On
>   SSLProxyEngine On
>   ProxyPreserveHost On
>   
>  Order deny,allow
>  Allow from all
>   
>   ProxyRequests Off
>   ProxyPreserveHost On
>   ProxyPass /zm/ http://192.168.0.102/zm/
>   ProxyPassReverse /zm/ http://192.168.0.102/zm/
>   ProxyPass / http://192.168.0.102/zm/
>   ProxyPassReverse / http://192.168.0.102/zm/
>
>   DocumentRoot /var/www/html
>   ProxyPass /.well-known !
>
>   Include /etc/letsencrypt/options-ssl-apache.conf
>   SSLCertificateFile /etc/letsencrypt/live/webserver1.com/fullchain.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/webserver1.com/privkey.pem
> 
> 
>
> Apache version on the web server with reverse proxy and on webserver1
> is: Apache/2.4.29 (Ubuntu) on Ubuntu 18.04.5
>
> I wonder if there is anything wrong in my config? Any help is highly
> appreciated.
>
> Best regards,
>
> Andreas
>
>


Re: [users@httpd] Apache Reverse Proxy and HTTPS.

2021-04-19 Thread Michael Wechner

sure, happy to help! I also received a lot of help on mailing lists :-)

I also understand Nick's statement though, that in order to learn, you 
have to dig in yourself.


But it can be a difficult balance sometimes, because sometimes one 
cannot see the forest for the trees anymore.


I have been more than 20 years on public mailing lists and the 
question/answer patterns are still the same well, let's see, maybe 
we can break the patterns in the near future :-)


Cheers

Michael

On 19.04.21 at 19:06, o1bigtenor wrote:

On Mon, Apr 19, 2021 at 10:20 AM Michael Wechner
 wrote:

Hi Jason

The reverse proxy entries should look something like



(I'm not the OP - - - but - - - - )

Thank you - - - - I find most docs and almost all man pages are written
by experts for experts who just might need a reminder and everything
would be good - - - - your answer on the other hand answers the
question for someone who knows maybe not so much and gives
an example (something that is quite rare in docs and an almost never
in man pages).

Thanking you for your assistance!!!

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org







Re: [users@httpd] Apache Reverse Proxy and HTTPS.

2021-04-19 Thread Michael Wechner

Hi Jason

The reverse proxy entries should look something like


<VirtualHost *:80>
    ServerAdmin michael.wech...@wyona.com
    ServerName www.wechner.ch
    ServerAlias wechner.ch
    ErrorLog ${APACHE_LOG_DIR}/wechner.ch-error_log
    CustomLog ${APACHE_LOG_DIR}/wechner.ch-access_log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =wechner.ch [OR]
    RewriteCond %{SERVER_NAME} =www.wechner.ch
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


which means when you enter http://wechner.ch you will get redirected to 
https://wechner.ch





<VirtualHost *:443>
    ServerAdmin michael.wech...@wyona.com
    ServerName www.wechner.ch
    ServerAlias wechner.ch
    ErrorLog ${APACHE_LOG_DIR}/wechner.ch-error_log
    CustomLog ${APACHE_LOG_DIR}/wechner.ch-access_log combined

    ProxyPassReverseCookiePath /yanel /

    ProxyPass   /  http://127.0.0.1:7070/yanel/wechner/
    ProxyPassReverse    /  http://127.0.0.1:7070/yanel/wechner/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/katerinaoliveros.com-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/katerinaoliveros.com-0001/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/katerinaoliveros.com-0001/chain.pem
</VirtualHost>



and the virtual host config  for 443 should contain the ProxyPass entries.

Actually certbot should do all of this for you automatically. Maybe you 
can try the following


- Delete the virtual host config for 443/HTTPS
- Make sure the virtual host config for 80/HTTP without SSL works
- Run certbot
- When certbot asks you whether you want to redirect from HTTP to HTTPS, 
then select yes


HTH

Michael



On 19.04.21 at 14:26, Jason Long wrote:

I created a Self-Signed SSL Certificate for Apache and changed my Apache 
configuration file on Apache Reverse Proxy Server as below:


         ServerName 192.168.56.9
         ProxyPreserveHost On
         ProxyPass / http://192.168.56.9/
         ProxyPassReverse / http://192.168.56.9/
         Redirect / https://192.168.56.9/


     SSLEngine on
     SSLCertificateFile /etc/pki/tls/certs/selfsigned.crt
     SSLCertificateKeyFile /etc/pki/tls/private/selfsigned.key


But when I browse my Reverse Proxy Server IP, then it is HTTP and not HTTPS. 
why?
It doesn't show 
"https://www.tecmint.com/wp-content/uploads/2020/05/SSL-Certificate-Warning.png"
 error too.




On Monday, April 19, 2021, 03:18:25 PM GMT+4:30, Nick Folino  
wrote:





http://httpd.apache.org/docs/2.4/ssl/

Nick

On Mon, Apr 19, 2021 at 6:37 AM Jason Long  wrote:

Thank you.
On my Apache Reverse Proxy, I have a .conf as below:

# cat /etc/httpd/conf.d/reverse_proxy.conf

         ProxyPreserveHost On
         ProxyPass / http://192.168.56.9/
         ProxyPassReverse / http://192.168.56.9/



And my website configuration file is on "192.168.56.9" server. Thus, if I setup 
Let's Encrypt on my Apache Reverse Proxy Server, then I just need below lines in a 
separate .conf file?



ServerAdmin root@localhost
ServerName Example.example
ServerAlias www.Example.example
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log common
SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/Example.example/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/Example.example/privkey.pem




About self-signed certificate, could above file contain two separate 
certification?




On Monday, April 19, 2021, 02:48:24 PM GMT+4:30, Michael Wechner 
 wrote:





Hi Jason

Definitely "Apache Reverse Proxy (Public IP)", whereas you could use for
example

https://letsencrypt.org/
https://certbot.eff.org/

Depending on how your connection between "Apache Reverse Proxy (Public
IP) ---> Web Site (Internal IP)" is protected, you might also want to
consider a self-signed certificate for "Web Site (Internal IP)"

HTH

Michael

On 19.04.21 at 12:07, Jason Long wrote:

Hello,
In below diagram, which server must use HTTPS certification?

The Internet ---> Apache Reverse Proxy (Public IP) ---> Web Site (Internal IP)


Thank you.

Re: [users@httpd] Apache Reverse Proxy and HTTPS.

2021-04-19 Thread Michael Wechner
my "definitely at the proxy" was probably answered a little bit too 
quickly/intuitive :-)


As Nick is writing, it depends on your requirements and I was too 
focused on my own requirements :-)


Thanks

Michael

On 19.04.21 at 12:17, Nick Folino wrote:
That depends on your requirements.  You can terminate SSL at the proxy 
or the web server,


Nick

On Mon, Apr 19, 2021 at 6:08 AM Jason Long 
 wrote:


Hello,
In below diagram, which server must use HTTPS certification?

The Internet ---> Apache Reverse Proxy (Public IP) ---> Web Site
(Internal IP)


Thank you.







Re: [users@httpd] Apache Reverse Proxy and HTTPS.

2021-04-19 Thread Michael Wechner

Hi Jason

Definitely "Apache Reverse Proxy (Public IP)", whereas you could use for 
example


https://letsencrypt.org/
https://certbot.eff.org/

Depending on how your connection between "Apache Reverse Proxy (Public 
IP) ---> Web Site (Internal IP)" is protected, you might also want to 
consider a self-signed certificate for "Web Site (Internal IP)"


HTH

Michael

On 19.04.21 at 12:07, Jason Long wrote:

Hello,
In below diagram, which server must use HTTPS certification?

The Internet ---> Apache Reverse Proxy (Public IP) ---> Web Site (Internal IP)


Thank you.
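
The layout discussed in this thread, as an added example that is not part of the original messages: the certificate browsers see lives on the reverse proxy, the port-80 virtual host only redirects, and the hop to the internal web site is re-encrypted and verified against that site's self-signed certificate. The host names and file paths are placeholders, and the internal site is assumed to be reachable under the name in its certificate.

```apache
# Added example; proxy.example.test, backend.internal.example and all
# file paths are placeholders.

# Port 80 only redirects. It carries no ProxyPass, so nothing is served
# or forwarded for a plain-HTTP client connection.
<VirtualHost *:80>
    ServerName proxy.example.test
    Redirect permanent / https://proxy.example.test/
</VirtualHost>

# Port 443 terminates TLS from the Internet and holds the proxy rules.
<VirtualHost *:443>
    ServerName proxy.example.test

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/proxy.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/proxy.example.test/privkey.pem

    # Speak TLS to the internal web site as well, and refuse the
    # connection unless its certificate verifies.
    SSLProxyEngine on
    SSLProxyVerify require

    # The internal site's self-signed certificate, copied to the proxy,
    # is the only issuer trusted for proxied connections.
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-selfsigned.crt

    # The certificate must carry the host name used in the ProxyPass URL
    # and must not be expired.
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

If the link between proxy and web site is already protected by other means, the two ProxyPass lines can point at http:// and the SSLProxy* directives can be dropped.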
