Topic: Location authentication configuration ignored in VirtualHost
bigmanroger (Joined: 25 Oct 2022, Posts: 2, Location: Ireland)
Posted: Tue 25 Oct '22 10:56, Post subject: Location authentication configuration ignored in VirtualHost

I have the following configuration in a config file for httpd:
Code:
```apache
Listen 6666
<VirtualHost server-name:6666>
    ServerName server-name
    LogLevel trace6
    LogFormat "%h %p %l %u %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{X-Forwarded-For}i %{X-Tor-Application}i \"BALANCER_WORKER_ROUTE: %{BALANCER_WORKER_ROUTE}e\"" combined
    CustomLog /var/log/httpd/virtualhost2.log combined
    ErrorLog /var/log/httpd/modcluster_error_log
    EnableMCPMReceive
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        AuthType Basic
        AuthName "MCM Authentication Control"
        AuthUserFile /etc/modclusterpasswd
        Require user root
    </Location>
</VirtualHost>
```
I would expect that when I run a curl command to the mod_cluster-manager endpoint, the request will only be served if I pass the username and password. However, the request is granted regardless.
I have also tried putting "Require all denied" inside my Location tag, but the modcluster manager page is still served regardless of this.
In my custom error log I can see the following:
Code:
```text
[core:trace3] [pid 12219:tid 139843900258048] request.c(312): [client 10.247.246.158:35656] request authorized without authentication by access_checker_ex hook: /mod_cluster-manager
```
I don't get any logs from authz/authn etc to indicate that the request is being processed for authentication.
In the Apache httpd source code (httpd_request.h) I can see:
Code:
```c
/**
 * This hook is used to apply additional access control and/or bypass
 * authentication for this resource. It runs *before* a user is authenticated,
 * but after the access_checker hook.
 * This hook should be registered with ap_hook_check_access_ex().
 * If "Satisfy any" is in effect, this hook may be skipped.
 *
 * @param r the current request
 * @return OK (allow access), DECLINED (let later modules decide),
 *         or HTTP_... (deny access)
 * @ingroup hooks
 * @see ap_hook_check_access_ex
 */
AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
```
And also in request.c:
```c
else if (access_status == OK) {
    ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
                  "request authorized without authentication by "
                  "access_checker_ex hook: %s", r->uri);
```
This appears to be the source of the output I am seeing in the log.
What could be causing my authentication configuration to be ignored? And how can I fix it?

tangent, Moderator (Joined: 16 Aug 2020, Posts: 348, Location: UK)
Posted: Tue 25 Oct '22 22:03

You don't say which version of Apache you're using, but since you're using mod_cluster suspect it's Redhat based.
In the past I've used the mod_proxy_balancer module with a location based section to control access to /balancer-manager, using file based basic authentication exactly as you've detailed in your post, and it works as expected.
So chances are, as your investigation suggests, there's something in the mod_cluster code that's setting access_status == OK, so bypassing the auth module logic.
Do your trace log entries change if you add a Satisfy Any directive to your location block?
Do you have the mod_cluster module source, to be able to check the code behind the access_checker_ex hook, as referenced from request.c?

bigmanroger (Joined: 25 Oct 2022, Posts: 2, Location: Ireland)
Posted: Wed 26 Oct '22 14:22

tangent wrote:
> You don't say which version of Apache you're using, but since you're using mod_cluster suspect it's Redhat based.

Yes, you're correct; running apachectl -v gives me:
Server version: Apache/2.4.37 (Red Hat) (Release 41.jbcs.el7-SP1)

tangent wrote:
> Do your trace log entries change if you add a Satisfy Any directive to your location block?

Just tried this, and yes, the log changes if I add a Satisfy Any to the log line:
Code:
```text
[Wed Oct 26 12:33:47.161653 2022] [core:trace3] [pid 5901:tid 139728154220288] request.c(323): [client 10.247.246.158:39614] request authorized without authentication by access_checker hook and 'Satisfy any': /mod_cluster-manager
```
If I change to "Satisfy All" I get the same log line as the original issue, presumably because SATISFY_ALL and SATISFY_NOSPEC are the same:
Code:
```c
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
```
tangent wrote:
> Do you have the mod_cluster module source, to be able to check the code behind the access_checker_ex hook, as referenced from request.c?

Not sure where to find the source I'm using, but presumably it's one of the following?
https://github.com/Karm/jbcs-httpd-mod_proxy_cluster
https://github.com/modcluster/mod_cluster
Haven't found "access_checker_ex" or anything in these yet that I can see as the cause of the issue.
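A defender-side check built from the two trace3 lines quoted in this thread (the first post and the reply above), added here as an example and not part of the thread or of httpd/mod_cluster: it parses httpd error_log entries and flags every "request authorized without authentication" message for a URI that is supposed to sit behind AuthType/Require, so a Location block that a module's access hook silently bypasses shows up in monitoring rather than only in a curl test. The protected-URI set and the two benign entries are assumptions; the sample log re-uses the thread's own lines as constructed input.

```python
import re
from typing import Dict, List, Optional

# Matches httpd error_log entries like the trace3 lines quoted in this thread,
# with or without the leading "[Wed Oct 26 12:33:47.161653 2022]" timestamp.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] )?"
    r"\[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?P<src>\S+\(\d+\)): "
    r"\[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*)$"
)
# The core message request.c emits when a hook short-circuits authentication.
BYPASS_RE = re.compile(
    r"^request authorized without authentication by (?P<hook>.+?): (?P<uri>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one error_log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_auth_bypass(lines: List[str], protected) -> List[Dict[str, str]]:
    """One finding per entry where httpd skipped authn for a URI in `protected`
    (a set of paths we expect Require to guard), recording which hook did it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = BYPASS_RE.match(rec["msg"])
        if b and b.group("uri") in protected:
            findings.append({"uri": b.group("uri"), "hook": b.group("hook"),
                             "client": rec["client"], "src": rec["src"]})
    return findings


# Constructed sample: the two lines quoted in the thread, then a constructed
# bypass for a path that is not meant to be protected, then a non-log line.
SAMPLE_LOG = [
    "[core:trace3] [pid 12219:tid 139843900258048] request.c(312): "
    "[client 10.247.246.158:35656] request authorized without authentication "
    "by access_checker_ex hook: /mod_cluster-manager",
    "[Wed Oct 26 12:33:47.161653 2022] [core:trace3] [pid 5901:tid 139728154220288] "
    "request.c(323): [client 10.247.246.158:39614] request authorized without "
    "authentication by access_checker hook and 'Satisfy any': /mod_cluster-manager",
    "[core:trace3] [pid 5901:tid 139728154220288] request.c(323): "
    "[client 10.247.246.158:39614] request authorized without authentication "
    "by access_checker hook and 'Satisfy any': /public",
    "not an httpd log line at all",
]

if __name__ == "__main__":
    for f in find_auth_bypass(SAMPLE_LOG, {"/mod_cluster-manager"}):
        print(f"AUTH BYPASS {f['uri']} via {f['hook']} from {f['client']} ({f['src']})")
```

Run it against a real error_log at LogLevel trace3 or higher (the message is only emitted at that level) and alert on any finding for a path you expect to require credentials.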

tangent, Moderator (Joined: 16 Aug 2020, Posts: 348, Location: UK)
Posted: Wed 26 Oct '22 20:49

The GitHub links you've posted don't appear to reference any HTTPD source code, but rather Java based JBCS Apache Server (JBoss Core Services), and a Docker script. Believe RedHat consider this code proprietary, though I did find this native HTTPD based reference to mod_cluster: https://github.com/modcluster/mod_proxy_cluster
Looking for hook code declarations in mod_manager.c, mod_proxy_cluster.c, etc., I can't see any obvious access functions which bypass subsequent authentication checks, though your testing rather confirms otherwise.
The problem I have is I don't have access to a RedHat instance to be able to troubleshoot this problem further.
I do hope other site contributors can help resolve this problem for you.