Apache2 authentication module with many websites and one redis cache

Hi,
I am trying out the new apache2 authentication module. I have a case where it
does not really work the way I want, and I need suggestions on how to solve it.
I have a webserver with many sites that use basic apache2 authentication
with the privacyidea apache2 client attached. Because the same redis server
is running on this Ubuntu 14.04 host, it creates a problem.

Privacyidea: aaa.example.com
Website 1: subdomain1.example.com
Website 2: subdomain2.example.com

When authenticating against subdomain1.example.com everything works as
expected; redis is caching the authentication: "SETEX" "nicke" "300"
"1234801509".
As probably expected, problems come up when I now authenticate with the
same username against subdomain2.example.com: my browser asks for
username and password, I supply a new one, and redis sets this new
value in the cache: "SETEX" "nicke" "300" "1234453288".
I now need to log in again against subdomain1.example.com because the
password has been changed in the cache, and then log in again at
subdomain2.example.com after that, and so on...

I can use both subdomain1.example.com and subdomain2.example.com at the
same time if I use different usernames, but that is not a good way.
So, any suggestion on how to solve this? Some kind of prefixing depending on
the website in the redis cache?

You have this line in privacyidea_apache.py:
def check_password(environ, username, password):

In the environ variable there is a json object that contains something like this:
{
    "HTTP_REFERER": "https://subdomain1.example.com/home/",
    "SERVER_SOFTWARE": "Apache/2.4.7 (Ubuntu)",
    "SERVER_SIGNATURE": "Apache/2.4.7 (Ubuntu) Server at subdomain1.example.com Port 443</address>\n",
    "REQUEST_METHOD": "GET",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "QUERY_STRING": "",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    "HTTP_CONNECTION": "keep-alive",
    "SERVER_NAME": "subdomain1.example.com",
    "REMOTE_ADDR": "2a02:xxx:0:10:a059:7106:87b4:63bb",
    "mod_ssl.var_lookup": "<built-in method ssl_var_lookup of mod_wsgi.Auth object at 0x7f74d3281198>",
    "SERVER_PORT": "443",
    "SERVER_ADDR": "2a02:xxx:15b::18",
    "DOCUMENT_ROOT": "/var/www/subdomain1",
    "mod_wsgi.process_group": "",
    "HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
    "SERVER_ADMIN": "postmaster@example.com",
    "HTTP_DNT": "1",
    "HTTP_HOST": "subdomain1.example.com",
    "mod_ssl.is_https": "<built-in method ssl_is_https of mod_wsgi.Auth object at 0x7f74d3281198>",
    "REQUEST_URI": "/ui/get_messages/",
    "HTTP_ACCEPT": "application/json, text/javascript, */*; q=0.01",
    "wsgi.errors": "mod_wsgi.Log object at 0x7f74d35b2c70",
    "REMOTE_PORT": "60945",
    "HTTP_ACCEPT_LANGUAGE": "sv",
    "mod_wsgi.application_group": "default",
    "mod_wsgi.script_reloading": 1,
    "HTTP_ACCEPT_ENCODING": "gzip, deflate, sdch"
}

So, are you thinking about using the DOCUMENT_ROOT, prefixing it to the
username and storing that in the redis cache?
This way many websites can use the same redis cache.

Hello Nicke,

I added servername, port and document root to the key, to try to
distinguish a user with the same username.
I also hashed the password stored in redis.

It will be available in a while in the PPA privacyidea-dev as 2.4dev7.

Please check it out, if it works for you.

Thanks a lot and kind regards
Cornelius

On Friday, 12 June 2015, at 03:27 -0700, Nicke wrote:

You have this line in privacyidea_apache.py
def check_password(environ, username, password):

in the environ variable is a json object that contains something like
this:
{
“HTTP_REFERER”: “https://subdomain1.example.com/home/”,
“SERVER_SOFTWARE”: “Apache/2.4.7 (Ubuntu)”,
“SERVER_SIGNATURE”: “Apache/2.4.7 (Ubuntu) Server at
subdomain1.example.com Port 443</address>\n”,
“REQUEST_METHOD”: “GET”,
“SERVER_PROTOCOL”: “HTTP/1.1”,
“QUERY_STRING”: “”,
“HTTP_USER_AGENT”: “Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0
Safari/537.36”,
“HTTP_CONNECTION”: “keep-alive”,
“SERVER_NAME”: “subdomain1.example.com”,
“REMOTE_ADDR”: “2a02:xxx:0:10:a059:7106:87b4:63bb”,
“mod_ssl.var_lookup”: “<built-in method ssl_var_lookup of
mod_wsgi.Auth object at 0x7f74d3281198>”,
“SERVER_PORT”: “443”,
“SERVER_ADDR”: “2a02:xxx:15b::18”,
“DOCUMENT_ROOT”: “/var/www/subdomain1”,
“mod_wsgi.process_group”: “”,
“HTTP_X_REQUESTED_WITH”: “XMLHttpRequest”,
“SERVER_ADMIN”: “postmaster@example.com”,
“HTTP_DNT”: “1”,
“HTTP_HOST”: “subdomain1.example.com”,
“mod_ssl.is_https”: “<built-in method ssl_is_https of mod_wsgi.Auth
object at 0x7f74d3281198>”,
“REQUEST_URI”: “/ui/get_messages/”,
“HTTP_ACCEPT”: “application/json, text/javascript, /; q=0.01”,
“wsgi.errors”: “mod_wsgi.Log object at 0x7f74d35b2c70”,
“REMOTE_PORT”: “60945”,
“HTTP_ACCEPT_LANGUAGE”: “sv”,
“mod_wsgi.application_group”: “default”,
“mod_wsgi.script_reloading”: 1,
“HTTP_ACCEPT_ENCODING”: “gzip, deflate, sdch”
}

So you are thinking about using the DOCUMENT_ROOT and prefixing it on
the username and storing it into redis cache?
This way many website can use the same redis cache.


To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/809f4064-2d4d-441e-a847-e9951f5bb15e%40googlegroups.com.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

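The collision Nicke describes and the key change Cornelius describes, replayed against a stand-in redis as an added example; this is not code from privacyidea_apache.py or from the privacyidea project. FakeRedis, CachingAuthenticator, naive_key, vhost_key, run_scenario, the one-time OTP backend and the PBKDF2 hashing are assumptions made for the example; the environ field names (SERVER_NAME, SERVER_PORT, DOCUMENT_ROOT) come from the dump in the thread, and the two password values are the ones visible in Nicke's SETEX trace, reused here as the submitted credentials.

```python
"""Added example, not privacyidea's code: replay Nicke's three logins with a
cache keyed on the username alone, then with a per-vhost key, and show that
only the second key keeps subdomain1 and subdomain2 apart.  FakeRedis, the
environ dicts, the OTP backend and the hashing scheme are constructed here.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # PBKDF2 cost; an assumption, the thread only says "hashed"

# Constructed from the environ dump in the thread: the fields the key uses.
ENV_SUB1 = {"SERVER_NAME": "subdomain1.example.com", "SERVER_PORT": "443",
            "DOCUMENT_ROOT": "/var/www/subdomain1"}
ENV_SUB2 = {"SERVER_NAME": "subdomain2.example.com", "SERVER_PORT": "443",
            "DOCUMENT_ROOT": "/var/www/subdomain2"}


class FakeRedis:
    """In-memory stand-in for SETEX (store with TTL) and GET (None once expired)."""

    def __init__(self):
        self._store = {}  # key -> (value, expiry timestamp)

    def setex(self, key, ttl, value):
        self._store[key] = (value, time.monotonic() + ttl)

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if time.monotonic() >= expires_at:
            del self._store[key]
            return None
        return value

    def live_keys(self):
        return sorted(k for k in list(self._store) if self.get(k) is not None)


def naive_key(environ, username):
    """What Nicke observed: the key is just the username, shared by every vhost."""
    return username


def vhost_key(environ, username):
    """Server name, port and document root prefixed to the username, so two
    vhosts on the same host never share an entry even for the same user."""
    return "{0}:{1}:{2}:{3}".format(environ["SERVER_NAME"], environ["SERVER_PORT"],
                                    environ["DOCUMENT_ROOT"], username)


def hash_password(password):
    """Salted PBKDF2-SHA256 stored as 'salt_hex$digest_hex': the redis dump
    never holds the cleartext PIN+OTP."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "{0}${1}".format(salt.hex(), digest.hex())


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class CachingAuthenticator:
    """Shape of the mod_wsgi auth hook: a cache hit whose hash matches the
    password short-circuits the backend; otherwise ask the backend and
    cache the hash on success."""

    def __init__(self, redis, backend, key_func, ttl=300):
        self.redis = redis
        self.backend = backend  # callable(username, password) -> bool
        self.key_func = key_func
        self.ttl = ttl

    def check_password(self, environ, username, password):
        key = self.key_func(environ, username)
        cached = self.redis.get(key)
        if cached is not None and verify_password(password, cached):
            return True
        if not self.backend(username, password):
            return False
        self.redis.setex(key, self.ttl, hash_password(password))
        return True


def run_scenario(key_func):
    """Nicke's sequence: subdomain1 with one OTP, subdomain2 with a fresh OTP,
    then subdomain1 again with the browser re-sending the first OTP.
    Returns (outcomes, live redis keys)."""
    used_otps = set()

    def otp_backend(username, password):
        # Constructed stand-in for privacyIDEA: a PIN+OTP value is valid exactly once.
        if username != "nicke" or password in used_otps:
            return False
        used_otps.add(password)
        return True

    auth = CachingAuthenticator(FakeRedis(), otp_backend, key_func)
    outcomes = [
        auth.check_password(ENV_SUB1, "nicke", "1234801509"),
        auth.check_password(ENV_SUB2, "nicke", "1234453288"),
        auth.check_password(ENV_SUB1, "nicke", "1234801509"),
    ]
    return outcomes, auth.redis.live_keys()


if __name__ == "__main__":
    for name, func in (("username only", naive_key), ("per-vhost", vhost_key)):
        outcomes, keys = run_scenario(func)
        print("{0:14} outcomes={1} keys={2}".format(name, outcomes, keys))
```

With the username-only key the third login fails: the subdomain2 login overwrote the single "nicke" entry, and the first OTP the browser re-sends is no longer valid at the backend. With the per-vhost key the third login is served from the cache and both entries stay alive. Two points worth keeping in mind when deploying something of this shape: the cache makes a PIN+OTP replayable against that vhost for the TTL, so the hashing mostly protects against someone reading the redis dump and the TTL is the real limit; and SERVER_NAME follows the client's Host header under Apache's default UseCanonicalName Off, which is why including DOCUMENT_ROOT (fixed by the vhost configuration) in the key is useful rather than cosmetic.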