LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 10-24-2007, 03:19 PM   #1
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Rep: Reputation: 15
Question Apache2 > single sign-on on both http and https server


Hello,

I have 2 web servers on one machine : one is serving using plain http, and the other one uses ssl. They're using the same authentication mecanism (the accounts are the same on both servers). They're on the same domain, only the port is different.

I've really only one site to serve (one set of files), but I need to be able to switch to restrict some parts of the site to use https only.

I managed to make it work with apache2 as two virtual hosts : one with ssl and the other without. But when a user accesses for instance http://myserver/service1 and switches to https://myserver/service1, he is asked to log-in once for each virtual host (hence twice).

How should I do to make both sites ask the user to log-on only once so I can have seamless navigation from one site to another ?

Here's my current configuration :

Code:
DocumentRoot /var/www/test/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
LogLevel debug

NameVirtualHost *:80
NameVirtualHost *:443

<Directory /var/www/test>
	Options FollowSymLinks MultiViews Indexes
	Order Deny,Allow
	Allow from all

	AuthName Test
	AuthType Basic
	AuthBasicProvider ldap
	AuthLDAPURL ldap://localhost/ou=People,dc=MyNet,dc=MyDom
	AuthzLDAPAuthoritative off
	Require valid-user
</Directory>

<VirtualHost *:80>
</VirtualHost>

<VirtualHost *:443>
	SSLEngine On
	SSLCertificateFile    /etc/apache2/ssl/MyNet.crt
	SSLCertificateKeyFile /etc/apache2/ssl/MyNet.key
</VirtualHost>
 
Old 10-26-2007, 12:39 AM   #2
ghostdancer
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 266

Rep: Reputation: 30
What I can think of is redirect your http request to https. In this way, there is only 1 single sign on for all, since everyone will be accessing https.
 
Old 10-26-2007, 04:11 AM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
I don't think it's quite that simple. I'm having basically the same problem here:
http://www.linuxquestions.org/questi...35#post2930335

someone suggested something but I don't understand what they mean. They never came back.
 
Old 10-26-2007, 04:59 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,906

Rep: Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326Reputation: 1326
Perhaps you should try to use a .htaccess file in the protected directory that contains both the rewrite part and the authentication part:
Code:
RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

AuthName Test
	AuthType Basic
	AuthBasicProvider ldap
	AuthLDAPURL ldap://localhost/ou=People,dc=MyNet,dc=MyDom
	AuthzLDAPAuthoritative off
	Require valid-user
So the rewrite comes first and then the server asks for the authentication
 
Old 10-26-2007, 12:22 PM   #5
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
@ ghostdancer : As I understand it, I don't think it's gonna work because a redirection still need to go through the first http url (the client asked for it), and then the second https one (the server redirects the client to it), and therefore the password will be asked for each of them.

@ bathory : I'll try but I think it falls into the same category than the solution of ghostdancer... If this solution was working (as I understand it), that would mean that any server could redirect to any another one using the same credentials (since the full http:// url is given to the rewrite rule)... I don't believe it's working like that...
 
Old 10-26-2007, 12:24 PM   #6
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Also, I want to be able to access some URL both in http and in https. I don't want only a simple redirection, I want all URL to be accessible independently.
 
Old 10-26-2007, 12:34 PM   #7
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by sneakyimp View Post
I don't think it's quite that simple. I'm having basically the same problem here:
http://www.linuxquestions.org/questi...35#post2930335

someone suggested something but I don't understand what they mean. They never came back.
As I understand, InDubio suggests you to put your files in a root that is only served by the ssl server, and create an 'empty' http server in which you will put no authentication, but only the redirections to the https site when needed. That way, the authentication is only made on the https site, and the http site serves only as a 'redirection' gateway to the right pages.

For me it doesn't do it because I really want to share the authentication 'session' (how to call it ?) between the two servers.

I don't believe nobody had this problem before : the servers are on the same domain, same IP, same machine... there must be an easy solution with Apache !
 
Old 10-26-2007, 01:28 PM   #8
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

Rep: Reputation: 15
First of all, with AuthType Basic, you should probably NOT be doing anything important without SSL, because AuthType Basic sends passwords unencrypted. (see also http://httpd.apache.org/docs/2.2/howto/auth.html, search for "unencrypted")

You're probably interested in the SSLRequireSSL apache directive. I highly suggest reading the docs on that one too. IIRC, it generates 403's, but a customerror page could probably detect a failed attempt on a protected directory and redirect it to https...

Your browser and apache both won't consider an http and an https session to be the same thing. It's a new network connection, thus it's a new session. The only thing that I know of that _will_ share those credentials is cookies. You might consider an alternative to using apache's auth system, such as using php's ldap auth tools instead.
 
Old 10-26-2007, 06:08 PM   #9
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Thanks a lot complich8 for those very interesting informations !

Quote:
Originally Posted by complich8 View Post
First of all, with AuthType Basic, you should probably NOT be doing anything important without SSL, because AuthType Basic sends passwords unencrypted. (see also http://httpd.apache.org/docs/2.2/howto/auth.html, search for "unencrypted")
You're right, actually I've planned to secure it once I'm sure I can use this strategy (maybe using digest with ldap so I can still propose login through http for people behind an aggressive firewall).

Quote:
Originally Posted by complich8 View Post
You're probably interested in the SSLRequireSSL apache directive. I highly suggest reading the docs on that one too. IIRC, it generates 403's, but a customerror page could probably detect a failed attempt on a protected directory and redirect it to https...
Very interesting, I've tried this directive already but I've been misleaded by the 403. I thought it was a problem with my configuration. I'll look further at it.

Quote:
Originally Posted by complich8 View Post
Your browser and apache both won't consider an http and an https session to be the same thing. It's a new network connection, thus it's a new session. The only thing that I know of that _will_ share those credentials is cookies. You might consider an alternative to using apache's auth system, such as using php's ldap auth tools instead.
Ok, I'm bit afraid to have to use an application-level authentication mecanism because a part of my website is hosted by a provider who doesn't provide the ldap library...
Do people usually do it this way (cookies) ?

I *think* there's an intermediate way : to pass the session id to the server on each request. But I don't know if it's reliable and secure. Am I wrong ?


Something is not clear for me : where are logon information stored once logged-in through an Apache auth mecanism ? Are they accessible through the standard variables (e.g. in PHP $_SERVER, $_SESSION) ? Can one deal with both server and client auth mecanism or are they totally separated ?
I would be happy to have a good doc about this, if you have.


Thanks already to give me some good pointers.
 
Old 11-07-2007, 11:47 PM   #10
guido90210
LQ Newbie
 
Registered: Nov 2007
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by cbonar View Post
Something is not clear for me : where are logon information stored once logged-in through an Apache auth mecanism ? Are they accessible through the standard variables (e.g. in PHP $_SERVER, $_SESSION) ? Can one deal with both server and client auth mecanism or are they totally separated ?
I was just wondering this myself, until about half an hour ago - whence I stumbled upon an article in wikipedia about HTTP Basic Auth. I'd post the URL here, but this is my first post to this forum, and it won't let me post a URL unless I ask a question or 'introduce myself'. Oh well... search wikipedia for "basic access authentication".

The wikipedia page seems to be a good, pithy description of how HTTP Basic Auth works. I don't think the PHP variables would be populated with HTTP Basic Auth...?

I'm facing the same sort of situation now, in that I want single sign-on across a number of intranets, using LDAP as the authentication mechanism. I think a session database of some kind is the only way this might be possible, but how to do it, I don't know. I want to have the login page in https, but the intranets themselves accessible through http, once a user is authenticated. I'm thinking that the apache server would recognise that a user is authenticated because the client's browser has a domain cookie (all our intranets are within the same domain) with the session ID. Naturally, the sessions would have to expire after a certain time of inactivity etc. etc. Don't know if this is possible, but I'll keep hunting around...
 
Old 11-08-2007, 08:45 AM   #11
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Post

The URL seems to be http://en.wikipedia.org/wiki/Basic_a...authentication. I'll check that soon, thanks.
 
Old 11-03-2008, 10:58 AM   #12
Vanessa
LQ Newbie
 
Registered: Nov 2008
Posts: 1

Rep: Reputation: 0
Looking for an Apache expert - urgent

Hello,

I work for an International Bank
I m looking for an Apache expert to look at our Reverse Proxy problem
experience of SSO is a must.
It is for a 2-3 weeks mission, it is in Belgium but can also be done remotly.
If you are interested, please contact me on my email address and send me CV + daily rate
Thanks
 
  


Reply

Tags
apache2, http, https, same, server, sso


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
NIS or ??? for single sign on w/ AD DotHQ Linux - General 2 12-20-2006 04:01 PM
Apache2 rewrite http to https gabsik Linux - Networking 3 10-26-2006 12:18 PM
redirect SquirrelMail from http to https using Apache2 cccc Linux - Server 3 09-23-2006 10:02 AM
HTTPS and HTTP on same server Jake_B Linux - Software 2 11-28-2005 04:47 PM
Single Sign-On help vvandam Linux - Security 6 07-21-2003 05:23 AM


All times are GMT -5. The time now is 03:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration