Apache: 2FA vhost config


#1

TL;DR: How to set up a second-factor question besides SSLVerifyClient?

Hi! Please excuse me if this question is misplaced here. It's more of an Apache config issue.

I'm trying to set up 2FA for a web application via the Apache plugin. The application uses user certificates via SSLVerifyClient optional, and the user certificate's CN is tested against LDAP to assign a group.

If I now add AuthBasicProvider wsgi, the application does not receive the user certificate anymore. It's not privacyIDEA's fault: AuthBasicProvider wsgi works on an empty vhost.

  • Tried it via a reverse proxy where the BasicAuth is in a separate vhost from the SSLVerifyClient, but that does not seem to work.
  • Tried rewriting by setting RequestHeader, e.g. RequestHeader set SSL_SERVER_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"

Could you give me a hint on how to troubleshoot or mitigate this?
Thanks a bunch!


Without the second factor:

<VirtualHost *:443>
        ServerName application.company.corp
        DocumentRoot /var/www/application/app/webroot
        <Directory /var/www/application/app/webroot>
                Options -Indexes
                AllowOverride all
                # Apache 2.2 access-control syntax; on 2.4 this needs mod_access_compat
                # (the 2.4 equivalent is "Require all granted")
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/private/application.crt
        SSLCertificateKeyFile /etc/ssl/private/application.key
        # CA against which the user (client) certificates are verified
        SSLCACertificateFile /etc/ssl/private/sso_ca.crt

        # Export SSL_CLIENT_* (DN, CN, SSL_CLIENT_VERIFY) and the PEM certificate
        # into the request environment for the application
        SSLOptions +StdEnvVars +ExportCertData
        # Ask for a client certificate but do not refuse connections without one;
        # the application must then check SSL_CLIENT_VERIFY before trusting the CN
        SSLVerifyClient optional
        SSLVerifyDepth 1
        # The original config had a second "SSLVerifyClient optional_no_ca" here.
        # Only the last SSLVerifyClient in a vhost takes effect, and optional_no_ca
        # also accepts a certificate that fails CA verification (SSL_CLIENT_VERIFY is
        # then "FAILED:..." while SSL_CLIENT_S_DN_CN is still exported), so keep
        # exactly one of the two directives.
        # SSLVerifyClient optional_no_ca

        LogLevel warn
        ErrorLog /var/log/apache2/application.local_error.log
        CustomLog /var/log/apache2/application.local_access.log combined
        ServerSignature Off
</VirtualHost>

From the Apache log:

[Wed May 23 15:19:10.942509 2018] [auth_basic:error] [pid 53746] [client 10.10.10.5:52002] AH01617: user exampleuser: authentication failure for "/index.htm": Password Mismatch
(...)
[Wed May 23 15:59:21.841165 2018] [auth_basic:error] [pid 53748] [client 10.10.10.5:64591] AH01617: user exampleuser: authentication failure for "/index.php": Password Mismatch

From the privacyIDEA log:

[2018-05-23 15:59:18,712][15275][140603824219904][INFO][privacyidea.lib.user:230] user u'exampleuser' found in resolver u'LDAP_GROUPNAME'
[2018-05-23 15:59:18,712][15275][140603824219904][INFO][privacyidea.lib.user:231] userid resolved to '0d1cacd1-a859-a859-a859-08b942408aeb'

#3

Worked around this issue via a reverse proxy and resetting the auth header. Not sure if it's the best idea, but it works.

<VirtualHost 10.111.111.111:443>

        SSLEngine On
        SSLCertificateFile /etc/ssl/private/application.crt
        SSLCertificateKeyFile /etc/ssl/private/application.key
        SSLCACertificateFile /etc/ssl/private/sso_ca.crt

        # Second factor: Basic auth answered by the privacyIDEA mod_wsgi script
        <Location />
                AuthType Basic
                AuthName "Protected Area"
                AuthBasicProvider wsgi
                WSGIAuthUserScript /usr/share/pyshared/privacyidea_apache.py
                Require valid-user
        </Location>

        # Strip the Basic credentials before proxying so the backend never sees the
        # OTP. RequestHeader runs in the fixup phase, i.e. after authentication, so
        # the privacyIDEA check above has already used the header by then.
        RequestHeader unset Authorization
        # Proxy to the original vhost on the loopback interface; peer-certificate
        # checks are disabled for this hop only
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        ProxyPass / https://localhost:443/
        ProxyPassReverse / https://localhost:443/

        LogLevel warn
        ErrorLog /var/log/apache2/application.local_error.log
        CustomLog /var/log/apache2/application.local_access.log combined
        ServerSignature Off
</VirtualHost>
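In the configs posted in this thread the certificate (first factor) and the OTP (second factor) are checked by different directives, and nothing visible ties the certificate's CN to the user name sent with the OTP. The following is an added example, not code from the thread or from privacyIDEA, of a WSGIAuthUserScript wrapper that does that binding and then delegates the OTP check to the privacyIDEA client module. Assumed: mod_wsgi's check_password(environ, user, password) contract; the environ keys SSL_CLIENT_S_DN_CN, SSL_CLIENT_VERIFY and HTTP_X_SSL_CLIENT_CN (a header a trusted front end might set); whether mod_ssl's variables are actually populated during the authentication phase must be verified on the target server; and the signature privacyidea_apache.check_password(environ, username, password).

```python
"""Added example: bind the TLS client-certificate CN to the OTP user name.

This is not privacyIDEA's privacyidea_apache.py; it wraps it. Assumptions:
- mod_wsgi calls check_password(environ, user, password) on this module.
- The certificate CN reaches this script either as SSL_CLIENT_S_DN_CN
  (mod_ssl, SSLOptions +StdEnvVars) together with SSL_CLIENT_VERIFY, or as
  HTTP_X_SSL_CLIENT_CN set by a trusted proxy (assumed header name).
- privacyidea_apache.check_password(environ, username, password) exists
  (assumed signature) and returns True on a correct OTP.
"""


def client_cert_cn(environ):
    """Return the CN of a verified client certificate, or None.

    mod_ssl exports the CN even when the certificate failed CA verification
    (SSLVerifyClient optional_no_ca), so the CN is only trusted when
    SSL_CLIENT_VERIFY is SUCCESS. The proxy header path assumes the front
    end verified the certificate before setting the header.
    """
    cn = environ.get("SSL_CLIENT_S_DN_CN")
    if cn:
        return cn if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS" else None
    return environ.get("HTTP_X_SSL_CLIENT_CN") or None


def _privacyidea_second_factor(environ, user, password):
    """Delegate the OTP check to the privacyIDEA Apache client if installed."""
    try:
        import privacyidea_apache  # e.g. /usr/share/pyshared/privacyidea_apache.py
    except ImportError:
        return False  # cannot check the second factor: fail closed
    return privacyidea_apache.check_password(environ, user, password)


def make_check_password(second_factor=_privacyidea_second_factor,
                        normalize=lambda s: s.strip().lower()):
    """Build a mod_wsgi check_password that requires both factors for one identity."""

    def check_password(environ, user, password):
        cn = client_cert_cn(environ)
        if cn is None:
            return False  # no verified certificate: first factor missing
        if normalize(cn) != normalize(user):
            return False  # OTP user must be the certificate holder
        # Only an explicit True from the OTP check is accepted; None ("user
        # unknown" in mod_wsgi terms) is treated as a failure here.
        return second_factor(environ, user, password) is True

    return check_password


# Module-level name that mod_wsgi looks up for WSGIAuthUserScript.
check_password = make_check_password()
```

Deploying this means pointing WSGIAuthUserScript at this module instead of privacyidea_apache.py directly; the CN comparison is case-insensitive after trimming, which matches how LDAP usually treats the CN but should be adjusted if the directory is case-sensitive.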