Apache2 > single sign-on on both http and https server
Hello,
I have 2 web servers on one machine: one is serving using plain http, and the other one uses ssl. They're using the same authentication mechanism (the accounts are the same on both servers). They're on the same domain, only the port is different.
I've really only one site to serve (one set of files), but I need to be able to switch to restrict some parts of the site to use https only.
I managed to make it work with apache2 as two virtual hosts: one with ssl and the other without. But when a user accesses for instance http://myserver/service1 and switches to https://myserver/service1, he is asked to log in once for each virtual host (hence twice).
How should I make both sites ask the user to log on only once, so I can have seamless navigation from one site to another?
Here's my current configuration:
Code:
DocumentRoot /var/www/test/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
LogLevel debug
NameVirtualHost *:80
NameVirtualHost *:443
# Global section: this <Directory> applies to every virtual host below,
# so both the :80 and the :443 host demand credentials for the same tree.
<Directory /var/www/test>
    Options FollowSymLinks MultiViews Indexes
    Order Deny,Allow
    Allow from all
    AuthName Test
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=People,dc=MyNet,dc=MyDom
    AuthzLDAPAuthoritative off
    Require valid-user
</Directory>
# Plain-http host: inherits DocumentRoot and the auth block above
<VirtualHost *:80>
</VirtualHost>
# TLS host: same tree, same auth block, different port
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/MyNet.crt
    SSLCertificateKeyFile /etc/apache2/ssl/MyNet.key
</VirtualHost>
What I can think of is redirecting your http request to https. In this way, there is only 1 single sign-on for all, since everyone will be accessing https.
Perhaps you should try to use a .htaccess file in the protected directory that contains both the rewrite part and the authentication part:
Code:
RewriteEngine On
# Only act on requests that arrived over plain http
RewriteCond %{HTTPS} off
# Send the client to the same path on https. R forces an external
# redirect rather than an internal rewrite, L stops rule processing.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
AuthName Test
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://localhost/ou=People,dc=MyNet,dc=MyDom
AuthzLDAPAuthoritative off
Require valid-user
So the rewrite comes first and then the server asks for the authentication
@ ghostdancer: As I understand it, I don't think it's going to work, because a redirection still needs to go through the first http url (the client asked for it), and then the second https one (the server redirects the client to it), and therefore the password will be asked for each of them.
@ bathory: I'll try, but I think it falls into the same category as the solution of ghostdancer... If this solution was working (as I understand it), that would mean that any server could redirect to any other one using the same credentials (since the full http:// url is given to the rewrite rule)... I don't believe it works like that...
Also, I want to be able to access some URLs both in http and in https. I don't want only a simple redirection, I want all URLs to be accessible independently.
someone suggested something but I don't understand what they mean. They never came back.
As I understand, InDubio suggests that you put your files in a root that is only served by the ssl server, and create an 'empty' http server in which you will put no authentication, but only the redirections to the https site when needed. That way, the authentication is only made on the https site, and the http site serves only as a 'redirection' gateway to the right pages.
For me it doesn't do it because I really want to share the authentication 'session' (how to call it?) between the two servers.
I can't believe nobody has had this problem before: the servers are on the same domain, same IP, same machine... there must be an easy solution with Apache!
First of all, with AuthType Basic, you should probably NOT be doing anything important without SSL, because AuthType Basic sends passwords unencrypted. (see also http://httpd.apache.org/docs/2.2/howto/auth.html, search for "unencrypted")
You're probably interested in the SSLRequireSSL apache directive. I highly suggest reading the docs on that one too. IIRC, it generates 403's, but a custom error page could probably detect a failed attempt on a protected directory and redirect it to https...
Your browser and apache both won't consider an http and an https session to be the same thing. It's a new network connection, thus it's a new session. The only thing that I know of that _will_ share those credentials is cookies. You might consider an alternative to using apache's auth system, such as using php's ldap auth tools instead.
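As an added example (not configuration posted in the thread), here is the layout that the InDubio summary and complich8's reply both point to, in one httpd.conf fragment for the 2.2 series the thread refers to: the plain-http host never authenticates and only bounces the protected subtree to https, the TLS host is the only place the LDAP Basic credential is ever accepted, and SSLRequireSSL backs the redirect so the protected directory can never answer with a 401 over cleartext. Hostname, paths, certificate files and the LDAP DN are the placeholders from the original post; the /private subtree is an assumed name.

```apache
# Added example, not configuration from the thread. Paths, hostname and
# LDAP DN are the placeholders from the original post; /private is an
# assumed name for the subtree that must only be reachable over https.
NameVirtualHost *:80
NameVirtualHost *:443

# Global: seen by both hosts. Auth lives only here, on the protected
# subtree. In the 2.2 request cycle mod_ssl's access check runs ahead of
# the authentication phase, so a request that reaches this directory over
# plain http gets a 403 instead of a 401 that would coax a Basic credential
# across the wire in cleartext.
<Directory /var/www/test/private>
    SSLRequireSSL
    AuthName Test
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=People,dc=MyNet,dc=MyDom
    AuthzLDAPAuthoritative off
    Require valid-user
</Directory>

# Rest of the tree: public, no credentials asked on either port.
<Directory /var/www/test>
    Options FollowSymLinks MultiViews Indexes
    Order Deny,Allow
    Allow from all
</Directory>

# Plain-http host: public part of the same tree, no auth directives at all.
# mod_alias handles Redirect during URL translation, before access control,
# so /private is bounced to https before mod_ssl or the LDAP provider see it.
<VirtualHost *:80>
    ServerName myserver
    DocumentRoot /var/www/test
    Redirect permanent /private https://myserver/private
</VirtualHost>

# TLS host: same tree; only here is /private served and the Basic
# credential accepted.
<VirtualHost *:443>
    ServerName myserver
    DocumentRoot /var/www/test
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/MyNet.crt
    SSLCertificateKeyFile /etc/apache2/ssl/MyNet.key
</VirtualHost>
```

Two caveats worth checking before adopting this. A RewriteRule placed in .htaccess runs in the per-directory fixup phase, after authentication, so if the auth directives are still active on the :80 host the browser is challenged first and only then redirected; the redirect has to live in the :80 vhost with no auth directives in scope, as above. And an ErrorDocument 403 that points at an https URL fires for every 403, including an LDAP authorization denial on the https side itself, so it can loop; the Redirect in the :80 host is the cleaner trigger. The double prompt the original post describes is expected behaviour: browsers cache a Basic credential per origin (scheme, host and port) and realm, so http://myserver and https://myserver are two separate caches even with an identical realm name.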
Thanks a lot complich8 for this very interesting information!
Quote:
Originally Posted by complich8
First of all, with AuthType Basic, you should probably NOT be doing anything important without SSL, because AuthType Basic sends passwords unencrypted. (see also http://httpd.apache.org/docs/2.2/howto/auth.html, search for "unencrypted")
You're right, actually I've planned to secure it once I'm sure I can use this strategy (maybe using digest with ldap so I can still propose login through http for people behind an aggressive firewall).
Quote:
Originally Posted by complich8
You're probably interested in the SSLRequireSSL apache directive. I highly suggest reading the docs on that one too. IIRC, it generates 403's, but a custom error page could probably detect a failed attempt on a protected directory and redirect it to https...
Very interesting, I've tried this directive already but I've been misled by the 403. I thought it was a problem with my configuration. I'll look further at it.
Quote:
Originally Posted by complich8
Your browser and apache both won't consider an http and an https session to be the same thing. It's a new network connection, thus it's a new session. The only thing that I know of that _will_ share those credentials is cookies. You might consider an alternative to using apache's auth system, such as using php's ldap auth tools instead.
Ok, I'm a bit afraid to have to use an application-level authentication mechanism, because a part of my website is hosted by a provider who doesn't provide the ldap library...
Do people usually do it this way (cookies) ?
I *think* there's an intermediate way : to pass the session id to the server on each request. But I don't know if it's reliable and secure. Am I wrong ?
Something is not clear for me: where is logon information stored once logged in through an Apache auth mechanism? Is it accessible through the standard variables (e.g. in PHP $_SERVER, $_SESSION)? Can one deal with both server and client auth mechanisms, or are they totally separated?
I would be happy to have a good doc about this, if you have.
Quote:
Something is not clear for me: where is logon information stored once logged in through an Apache auth mechanism? Is it accessible through the standard variables (e.g. in PHP $_SERVER, $_SESSION)? Can one deal with both server and client auth mechanisms, or are they totally separated?
I was just wondering this myself, until about half an hour ago - whence I stumbled upon an article in wikipedia about HTTP Basic Auth. I'd post the URL here, but this is my first post to this forum, and it won't let me post a URL unless I ask a question or 'introduce myself'. Oh well... search wikipedia for "basic access authentication".
The wikipedia page seems to be a good, pithy description of how HTTP Basic Auth works. I don't think the PHP variables would be populated with HTTP Basic Auth...?
I'm facing the same sort of situation now, in that I want single sign-on across a number of intranets, using LDAP as the authentication mechanism. I think a session database of some kind is the only way this might be possible, but how to do it, I don't know. I want to have the login page in https, but the intranets themselves accessible through http, once a user is authenticated. I'm thinking that the apache server would recognise that a user is authenticated because the client's browser has a domain cookie (all our intranets are within the same domain) with the session ID. Naturally, the sessions would have to expire after a certain time of inactivity etc. etc. Don't know if this is possible, but I'll keep hunting around...