Topic: Directory/Alias to Remote Windows File Share

[scgsg]

We have Apache 2.4.7 on Ubuntu 14.04 Server with PHP 5.5.9.

Hoping someone could point me in the right direction to achieve the following:

How could we create a directory/alias in Apache that will grant access to a remote windows share? That is in IIS its possible to create a Virtual Directory to a windows share and use user authentication to access the virtual directory so users would only be permitted to see what they have access to in the directory. We'd like to replicate this if possible. The server has been joined to our Active Directory domain, which enables us to provide SSO access to Moodle and Joomla using Kerberos.

Any ideas?

[James Blond]

For me it works to use https://github.com/YvesR/mod_authn_ntlm

[scgsg]

Thank you for the advise but that mod doesnt work with Apache on Linux or it didnt for me anyway when I was sorting out SSO for joomla and moodle.

Not sure what I'm asking for is even possible, given that maybe is should try a different route:
1. Maybe use apache reverse ftp proxy to gain access to the servers via ftp (at least give the option to list and get files only). Anyone have any advise on how this could be achieved?

2. Maybe go down the route of some sort of php web client that has access to internal servers?[/list]

[James Blond]

Sorry I didn't read the linux ...

For sure there is modntlm and Mod auth ntlm winbind for linux, but I haven looked into those modules for a longer time.

[scgsg]

Think I will have to give up on the idea of trying to replicate whats known as a Virtual Directory (in IIS) to a Share for now as I havent found any documentation on this. That being the case perhaps you can help me on trying to get Mod_proxy_ftp to work.

I know this is going slightly going in a different direction (different soluction to similar outcome) for this thread so would you rather i create another thread?

If its ok to continue, I have the following configured:

ProxyRequests Off

<Proxy *>
Options +Indexes
Order deny,allow
Allow from all
</Proxy>

ProxyPass /ftp ftp://IPtoServer:21/
ProxyPassReverse /ftp ftp://IPtoServer:21/
It seems to attempt to connect to the ftp server but nothing is displayed in the brower i.e. it says page cannot be found (404 error), instead of listing whats in the ftp root.

[James Blond]

What does your access log show?

[scgsg]

Messing around with it and looking into the access log, i get:

192.168.0.1 - Username [21/Jul/2015:13:23:06 +0100] "GET /ftp HTTP/1.1" 200 758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

192.168.0.1 - - [21/Jul/2015:13:23:25 +0100] "GET /ftp HTTP/1.1" 401 690 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

Second one is 401 error but to get past username/password dialogue, a valid username and password has to be entered so something further along is denying access. Webserver to ftp server? Any ideas on how to resolve this?

[ng4win]

With nginx you run nginx as a user/pass which also exists on the backend, this will allow passthru access to any remote resource. With apache this should be no different.

[scgsg]

[maba]

In your earlier message you mentioned a 404 error. The access_log says you are getting a 401 error. So something seems to be inconsistent.

Did you play around with the / at the end of the URL. When you do a proxy of

/ftp --> ftp://someserver/

then one of the URLs will have a trailing / while the other has not.

I would propose the following experiment:

Proxy
/ftp/ --> ftp://someserver/some_valid_ftp_subdirectory/

Then do a tail on access_log and error_log

[ng4win]

[scgsg]

@maba: Yes i originally stated 404 error but after messing around I posted up what i found in the log now which is 401 error. Yes I've tested it with /ftp and /ftp/ etc and still cant get the the server to list the ftp server.

@ng4win: I dont want to create a mount because I want the access to the ftp server to be based on the user that is attempting access. If i create a mount the permission will be based on the connection i create from the apache server to the ftp server.

Its possible that the windows ftp server is rejecting the connection but not sure why, here's what i find in the ftp service log:

2015-07-22 12:55:13 IPofApacheServer - IPofFTPServer 21 ControlChannelOpened - - 0 0 768265ca-56be-49fc-8dd9-4b138bd11297 -
2015-07-22 12:55:13 IPofApacheServer - IPofFTPServer 21 USER anonymous 331 0 0 768265ca-56be-49fc-8dd9-4b138bd11297 -
2015-07-22 12:55:13 IPofApacheServer - IPofFTPServer 21 PASS apache-proxy@ 530 1326 42 768265ca-56be-49fc-8dd9-4b138bd11297 -
2015-07-22 12:55:13 IPofApacheServer - IPofFTPServer 21 ControlChannelClosed - - 0 0 768265ca-56be-49fc-8dd9-4b138bd11297 -
2015-07-22 12:55:27 IPofApacheServer - IPofFTPServer 21 ControlChannelOpened - - 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer - IPofFTPServer 21 USER username 331 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 PASS *** 230 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 /
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 EPSV - 229 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 58190 DataChannelOpened - - 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 PWD - 257 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 TYPE A 200 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 58190 DataChannelClosed - - 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 LIST -lag 226 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 /
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 QUIT - 221 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -
2015-07-22 12:55:27 IPofApacheServer domain\username IPofFTPServer 21 ControlChannelClosed - - 0 0 5d9642d5-aa3e-4e2d-82a5-3971914703e3 -

[ng4win]

[scgsg]

We're not that large so I dont think we will have 500 concurrent users at any point but that being said, I'm not entirely sure what you mean.

Lua the programming language? I will certainly will look at Lua but honestly I not sure where to even start. I assume, this somehow works with the model you suggested i.e. mount the ftp server on the apache server then add that to apache config and somehow authenticate against using lua followed by lua somehow granting access to appropriate directories within the mount based on the user. As said earlier no sure where to start, and no idea how that would work with AD.

[James Blond]

[ng4win]

[scgsg]

@James Blond: Fairly sure I login, at least initially i.e. I can only get pass the request for login with valid credentials (I purposely entered false creds and each time i entered false creds the login box reappeared, only when valid creds are entered it continued).

@ng4win: The ftp server is a MS Server 2012 IIS Ftp server so afaik that doesnt have a limit i.e. the limitation is the server resources I believe. Its not a great solution I admit but we're only looking at this because creating a directory to a windows share in apache that has pass through authentication hit a dead end (this was the start of this thread and moved to ftp instead as a workaround), in that i couldnt find any information about this.

I'll look into this and its should be useful in the future. I can see this taking several months learning a new language and learning how to use said language to try to achieve this.

[ng4win]