Why do you authenticate the user twice?

On Wed, Feb 15, 2012 at 12:31 AM, <francois.tho...@orange.com> wrote:

> Hi,
>
> I would like to do this architecture:
> - a reverse proxy (based on apache 2.2.10-2.24.5) that does client
> authentication with an X.509 certificate. User access is validated by an
> LDAP server.
> - a web server (based on apache 2.2.10-2.24.5) that runs mod_dav with
> specific user access filtering
>
> I set up the reverse proxy with this configuration:
>
> <Proxy balancer://webdavcluster>
>         BalancerMember http://192.168.129.18
>         BalancerMember http://192.168.129.19
> </Proxy>
> <VirtualHost _default_:443>
>
>         ErrorLog /var/log/apache2/error_log
>         TransferLog /var/log/apache2/access_log
>         CustomLog /var/log/apache2/ssl_request_log ssl_combined
>         SSLEngine On
>         SSLProxyEngine On
>         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         SSLCertificateFile /etc/apache2/ssl.crt/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
>         SSLCACertificateFile /etc/apache2/ssl.crt/client-accepted-ca-chain.crt
>         SSLVerifyClient require
>         SSLVerifyDepth 3
>         SSLOptions +FakeBasicAuth +ExportCertData
>         SetEnvIf User-Agent ".*MSIE.*" \
>                  nokeepalive ssl-unclean-shutdown \
>                  downgrade-1.0 force-response-1.0
>
>         ServerName webdav
>         ServerAlias webdav
>         <Location />
>                 AuthType Basic
>                 AuthName "Intranet"
>                 AuthBasicProvider ldap
>                 AuthzLDAPAuthoritative off
>                 AuthLDAPURL "ldap://192.168.129.19:389/ou=People,dc=XXX,dc=X,dc=X,dc=X?uid"
>                 AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
>                 AuthLDAPBindPassword X
>                 Require valid-user
>         </Location>
>         ProxyPass /balancer-manager !
>         ProxyPass / balancer://webdavcluster/
>         ProxyPassReverse / balancer://webdavcluster/
> </VirtualHost>
>
> On the web server, I configure:
>
> <Directory "/srv/www/htdocs">
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>         Options Indexes FollowSymLinks
>         AuthName "WEBDav server"
>         AuthType Basic
>         AuthBasicProvider ldap
>         AuthzLDAPAuthoritative on
>         AuthLDAPURL "ldap://192.168.129.19:389/ou=People,dc=XXX,dc=X,dc=X,dc=X?uid"
>         AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
>         AuthLDAPBindPassword X
>         Require valid-user
>         DAV On
> </Directory>
>
> In the web server logs, I found this message:
>
> [Tue Feb 14 14:00:42 2012] [error] [client 192.168.129.17] Encountered FakeBasicAuth spoof: /XXXXXXXX
>
> It looks like an error due to the FakeBasicAuth option used on the reverse
> proxy, but when I removed it on the reverse proxy, the reverse proxy
> doesn't authenticate users with LDAP.
>
> So my question is: how do I do user validation on the web server based on
> information sent by the reverse proxy, or how do I filter access to a
> specific directory?
>
> Thanks for your help
> Francois-Xavier THORET
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
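An added illustration, not part of either message in this thread, of the mechanism behind the error Francois-Xavier quotes. `SSLOptions +FakeBasicAuth` on the TLS-terminating proxy rewrites each request as if the browser had sent HTTP Basic credentials of the form "one-line subject DN:password" (the DN starts with `/`, the password is the fixed string `password`). mod_ssl refuses exactly that pattern whenever it arrives over the network, because the only legitimate source of such credentials is the receiving server's own rewrite, which runs after the check; a backend reached over plain HTTP therefore logs the spoof error for every forwarded request. The Python below models that round trip and parses the quoted log line; the DN, the second log line and all function names are this example's own constructions, not mod_ssl code.

```python
"""Model of the FakeBasicAuth round trip between a TLS-terminating proxy
and a plain-HTTP backend, plus a parser for the resulting error_log line.
Added example; DN, IP addresses, the second log line and helper names are
constructed for illustration."""
import base64
import re

FAKE_BASIC_PASSWORD = "password"  # fixed password mod_ssl pairs with the DN


def one_line_dn(components):
    """Render a subject DN in mod_ssl's one-line form, e.g. /C=FR/O=Example/CN=alice."""
    return "".join(f"/{attr}={value}" for attr, value in components)


def fake_basic_auth_header(subject_dn):
    """Authorization header value that +FakeBasicAuth injects into the request."""
    creds = f"{subject_dn}:{FAKE_BASIC_PASSWORD}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def receiving_server_check(authorization):
    """Model of mod_ssl's spoof check on a server that receives the request.

    Returns a (status, user) pair: "spoof" is what the backend in the thread
    turns into a 403 and the error_log line quoted above; "pass" means the
    credentials are handed on to the normal auth providers (here, LDAP).
    """
    if not authorization:
        return ("no-auth", None)
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return ("other-scheme", None)
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", None)
    user, _, password = decoded.partition(":")
    # A user that looks like a one-line DN combined with the fixed password
    # can only have come from somewhere other than this server's own rewrite.
    if user.startswith("/") and password == FAKE_BASIC_PASSWORD:
        return ("spoof", user)
    return ("pass", user)


# httpd 2.2 error_log layout: [timestamp] [level] [client ip] message
SPOOF_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"Encountered FakeBasicAuth spoof: (?P<user>\S+)"
)

# First line is the one quoted in the thread; the second is constructed noise.
SAMPLE_ERROR_LOG = [
    "[Tue Feb 14 14:00:42 2012] [error] [client 192.168.129.17] "
    "Encountered FakeBasicAuth spoof: /XXXXXXXX",
    "[Tue Feb 14 14:00:43 2012] [notice] caught SIGTERM, shutting down",
]


def spoof_events(error_log_lines):
    """Extract (timestamp, client ip, user) from spoof errors in an error_log."""
    events = []
    for line in error_log_lines:
        match = SPOOF_LINE.match(line)
        if match:
            events.append((match["ts"], match["ip"], match["user"]))
    return events


def demo():
    """Walk one request from the proxy to the backend and report both checks."""
    dn = one_line_dn([("C", "FR"), ("O", "Example"), ("CN", "alice")])  # constructed
    header = fake_basic_auth_header(dn)
    backend_verdict = receiving_server_check(header)
    return backend_verdict, spoof_events(SAMPLE_ERROR_LOG)


if __name__ == "__main__":
    verdict, events = demo()
    print("backend verdict for forwarded FakeBasicAuth credentials:", verdict)
    for ts, ip, user in events:
        print(f"{ts}: proxy {ip} forwarded DN credentials for {user}")
```

Run as a script it prints the backend verdict ("spoof") and the one matching log event, with the client IP being the proxy rather than the browser, which is the tell-tale when triaging this error. The point it makes is the one the reply makes: FakeBasicAuth credentials are meant to be consumed by the same server that verified the certificate; forwarded to a second hop they are indistinguishable from anyone typing the DN and "password" into a login dialog, which is precisely the case mod_ssl refuses.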
