logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: GSSAPI SSO have to exclude URL form SSO
Author
seb69



Joined: 03 Apr 2024
Posts: 2

PostPosted: Wed 03 Apr '24 14:54    Post subject: GSSAPI SSO have to exclude URL form SSO Reply with quote

Hello everyone and thank you for your help,

I'm going crazy with the apache conf of my site I explain ...

here is my configuration :
debian12, website apache2 installed in "/var/www/glpi/"

I have two related problems.

problem 1
I've set up SSO authentication with GSSAPI which works "almost" well, in fact it only works if I put "<Location "/">" in "local-ssl.conf".
if I put "<Directory /var/www/glpi> it doesn't work anymore.
If I put "<Location "/glpi">" it no longer works.

You're going to tell me why I want to put anything other than "<Location "/">" ...
here's the conf that works:
Code:

<Location "/">
        AuthType GSSAPI
        AuthName "GLPI SSO
        GssapiCredStore keytab:/etc/apache2/krb.keytab
        GssapiAllowedMech krb5
        Require valid-user
        GssapiBasicAuth On
# Options FollowSymlinks ?works without
# AllowOverride All ?works without
        Order allow,deny
        Allow from all
</Location>


here is my problem number 2

the goal in all cases is to exclude a url from SSO authentication.
In fact, I need to authorize the /glpi/front/inventory url to "pass" without authentication, and despite all my attempts, nothing works (perhaps this is due to my first problem...).

I've tried :
Code:

<Directory /var/www/glpi/front/inventory.*>
<LocationMatch ".*inventory.*">
<Location "/front/inventory.*">
<If "! %{REQUEST_URI} =~ inventory(.*)$/">

with these options for example:
<LocationMatch ".*inventory.*">
        Require all granted
        Allow from all
</LocationMatch>

none of this works....
I'm probably a bit confused but I've tried to put in as much information as possible, I've lost half my hair and I don't know what to do anymore ....

mod note: added code tags[/code]
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Wed 03 Apr '24 21:02    Post subject: Reply with quote

A few observations:

Firstly, I'd personally stick with <Location> directives, since you're trying to control access to site content, rather than the underlying filesystem directories, per se.

Secondly, you've included the old 'Order' (and 'Allow') directives which were deprecated under Apache 2.4, primarily because they're extremely confusing. The 'Order' can be removed since the various Require directives provide equivalent logic; see https://httpd.apache.org/docs/trunk/howto/auth.html#beyond

Regarding excluding a URL from authentication, this question was recently asked here - https://www.apachelounge.com/viewtopic.php?p=42518

They've not responded to say if the proposed fix worked for them, but my suggestion was to put the unprotected location block before the protected one.

You say you need to unprotect /glpi/front/inventory, so I'd try:
Code:
<Location "/glpi/front/inventory">
    Require all granted
    Satisfy any
    Allow from All
</Location>

followed by your GSAPI protected location block(s).

Location blocks are processed in the order they appear in the configuration; see https://httpd.apache.org/docs/current/mod/core.html#location
Back to top
seb69



Joined: 03 Apr 2024
Posts: 2

PostPosted: Fri 05 Apr '24 8:49    Post subject: Reply with quote

thank you tangent for your reply!
Unfortunately it doesn't work Sad
I added what you told me first but I still have an "authntification required" on the URL /front/inventory.php (I added the .php to test both)
Here are the full contents of the configuration (just changed my domain name by ***):

Code:

<VirtualHost *:443>
    ServerName ***.******.local
    SSLEngine on
    DocumentRoot /var/www/glpi/public

    # If you want to place GLPI in a subfolder of your site (e.g. your virtual host is serving multiple applications),
    # you can use an Alias directive. If you do this, the DocumentRoot directive MUST NOT target the GLPI directory itself.
    # Alias "/glpi" "/var/www/glpi/public"

<Location "/front/inventory">  (tried with inventory.php too)
    Require all granted
    Satisfy any
    Allow from All
</Location>


<Location "/">
        AuthType GSSAPI
        AuthName "GLPI SSO"
        GssapiCredStore keytab:/etc/apache2/krb.keytab
        GssapiAllowedMech krb5
        Require valid-user
        GssapiBasicAuth On
#       Options FollowSymlinks
#       AllowOverride All
        Order allow,deny
        Allow from all
</Location>
    <Directory /var/www/glpi/public>
        Require all granted
        Order allow,deny
        Allow from all
        RewriteEngine On

        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
    <FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>

        SSLEngine on
        SSLCertificateFile /etc/apache2/glpi.crt
        SSLCertificateKeyFile /etc/apache2/***.***.local.key
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/Helpdesk-ssl_error.log
CustomLog ${APACHE_LOG_DIR}/Helpdesk-ssl_access.log combined



</VirtualHost>


mod note: added code tags
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Fri 05 Apr '24 11:05    Post subject: Reply with quote

You'll need the precise URLs (case sensitive too) on your unprotected pages.

Does your inventory.php page reference other pieces of site content that would otherwise be protected by your <Location "/"> block, e.g. image files, javascript, etc?

I'd suggest you check what GET requests are made through a client browser (Chrome/Firefox) using Developer Tools (Shift+Ctrl+I) for network traffic .

If you use <LocationMatch> you can include a number of regular expressions in one go, e.g.

Code:
<LocationMatch "(Regex A)|(Regex B)|(Regex C)">
    Require all granted
    Satisfy any
    Allow from All
</LocationMatch>
Back to top


Reply to topic   Topic: GSSAPI SSO have to exclude URL form SSO View previous topic :: View next topic
Post new topic   Forum Index -> Apache