mod-auth-external's People

Contributors

agentydragon, bimimicah, phokz

mod-auth-external's Issues

Internal Server Error when using SSL Virtual Host

What steps will reproduce the problem?
1. Create a destination with an external authenticator inside an SSL Virtual 
Host
2. Browse to this destination
3. Enter username and password

What is the expected output? What do you see instead?
Get "500 Internal Server Error".
Nothing logged in error_log

What version of the product are you using? On what operating system?
Apache 2.2.15 running on Linux Fedora 12
mod_authnz_external-3.2.6

Please provide any additional information below.
Relevant snippets from apache configuration:

DefineExternalAuth extauth pipe /usr/lib/httpd/test.pipe

<VirtualHost _default_:443>
...
Alias /myfiles /var/www/secure/myfiles

<Location /myfiles>
     Order allow,deny
     Allow from all
     AuthType Basic
     AuthName "MyFiles"
     AuthBasicProvider external
     AuthExternal extauth
     Require valid-user
</Location>

Original issue reported on code.google.com by [email protected] on 4 Dec 2012 at 10:58

How do I use mod_authnz_external with php on Windows?

I am trying to configure each folder for each user (or a folder that can be accessed (or not) by multiple users).
I got this entry from the Apache log:
[Mon Mar 30 15:10:49.181579 2020] [authnz_external:error] [pid 9352:tid 1904] [client xxx.xxx.xx.xxx:53116] AuthExtern auth "folder" Failed (-1) for user test1

My config:
DefineExternalAuth auth environment D:/xampp/htdocs/private/auth.php
<Directory D:/xampp/htdocs/myfoldersecret>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AuthBasicProvider external
AuthType Basic
AuthName "Restricted area"
Require valid-user
AuthExternal auth

My PHP code to check for a valid user:

$realm = 'Restricted area';
$validUser = getenv('USER');
$validPass = getenv("PASS");
$db_host="localhost"; //localhost server
$db_user="root"; //database username
$db_password=""; //database password
$db_name="db_tmp"; //database name
$uri = $_SERVER['REQUEST_URI'];
$uri=explode("/",$uri);
if (empty($uri[count($uri)]))
$folder_name=$uri[count($uri)-2];
else
$folder_name=$uri[count($uri)-1];
try
{
$db=new PDO("mysql:host={$db_host};dbname={$db_name}",$db_user,$db_password);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOEXCEPTION $e)
{
exit(1);
}
$select_stmt=$db->prepare("SELECT * FROM tbl_user WHERE user_login=:uname AND folder_name=:folder_name");
$select_stmt->execute(array(':uname'=>$validUser,':folder_name'=>$folder_name));
$row=$select_stmt->fetch(PDO::FETCH_ASSOC);
if ($select_stmt->rowCount() > 0)
{
$cryptor = new Cryptor($encryption_key);
$token= $cryptor->decrypt($row['user_password']);
if ($validPass!=$token)
requireLogin($realm,$nonce);
else
exit(0);
}
else
requireLogin($realm,$nonce);

// This function forces a login prompt
function requireLogin($realm,$nonce) {
header('WWW-Authenticate: Basic realm="' . $realm . '"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
}

mod-auth-external 3.3.3 has issue with external-group check

something is weird since latest version on github

LoadModule authnz_external_module modules/mod_authnz_external.so

DefineExternalAuth pwauth pipe /usr/bin/pwauth
AuthExternal pwauth
AuthBasicProvider socache external
AuthExternalProvideCache On
AuthnCacheProvideFor external
Require user test

-> working fine

LoadModule authnz_external_module modules/mod_authnz_external.so

DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup unixgroup environment /usr/bin/unixgroup
AuthExternal pwauth
GroupExternal unixgroup
AuthBasicProvider socache external
AuthExternalProvideCache On
AuthnCacheProvideFor external
Require external-group monitor

returns after some requests

[Sun Jan 16 09:13:19.123176 2022] [authnz_external:error] [pid 2394628:tid 140390149625600] (10)No child processes: [client ***] Could not get status from child process, referer: https://SERVER/mrtg/index-month.html
[Sun Jan 16 09:13:19.163517 2022] [authnz_external:error] [pid 2394628:tid 140390149625600] [client ***] Authorization of user USER to access /mrtg/PICTURE.png failed. User not in Required group. Last result code: 1, referer: https://SERVER/mrtg/index-month.html

-> related to the external call of "unixgroup", which is a Perl program. I have no idea what is happening or why this suddenly happened.

I have now changed the configuration to use authz_unixgroup instead of calling the external script "unixgroup":

LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so

DefineExternalAuth pwauth pipe /usr/bin/pwauth
AuthExternal pwauth
AuthBasicProvider socache external
AuthExternalProvideCache On
AuthnCacheProvideFor external
Require unix-group monitor

-> all works fine!

Has anyone seen the same issue?

1 minute wait before auth

What steps will reproduce the problem?
1. use mod-auth-external

What is the expected output? What do you see instead?
I expect the dirindex to show right away .. but it doesn't .. I have to wait a 
whole minute ..

What version of the product are you using? On what operating system?
Gentoo 2.4.7, mod 3.3.1

Please provide any additional information below.

http://apaste.info/etlt
http://apaste.info/538w

Original issue reported on code.google.com by [email protected] on 11 Dec 2013 at 10:33

Environment to include REQUEST_METHOD - feature request

What steps will reproduce the problem?
1. Normal install and setup can work but the provided environment does not 
include REQUEST_METHOD?
2.
3.

What is the expected output? What do you see instead?
ENV{'REQUEST_METHOD'} is null

What version of the product are you using? On what operating system?
3.2.4

Please provide any additional information below.
This is more of a feature request than an issue.  It will be very useful to 
also know the request_method used such as "GET" "POST" "PUT" - mostly valuable 
if you are using authnz_external on a DAV folder so you can decide 
read-only/read-write permissions by understanding the request_method.

The code would just need a patch to add request_method to the environment.  
Happy to contribute the patch if you would like for me to!

Vijay 

Original issue reported on code.google.com by [email protected] on 28 Aug 2014 at 1:20

Excellent documentation!

Just wanted to thank you for this great module and the outstanding 
documentation!

Excellent work.

P.S.:
Sorry, didn't find any other way to provide you feedback. The mailing list 
didn't seem appropriate.

Original issue reported on code.google.com by [email protected] on 2 Dec 2009 at 5:41

Modification to allow a load balancer between browser and server

Currently if a load balancer is present the server's IP is sent and processed, 
which of course makes no sense whatsoever. If the load balancer sends the 
X_FORWARDED_FOR header the authnz_external cannot handle it though. I wrote a 
small patch which sends the X_FORWARDED_FOR header to the client in the PROXY 
environment variable.


Here's the diff:


diff mod_authnz_external-3.2.6-new/mod_authnz_external.c 
mod_authnz_external-3.2.6/mod_authnz_external.c
100d99
< #define ENV_PROXY "PROXY"
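Review bot: the new `#define ENV_PROXY "PROXY"` at 100d99 shows up as a `<` line because the patched tree was passed to diff as the first argument; regenerating the patch as a unified diff with the original tree first (`diff -u old new`) would make the additions read as additions and give context for applying it. The name PROXY also suggests the proxy's own address, while the value assigned further down is the X-Forwarded-For header, so a name that says so, together with an entry in the documented list of environment variables, would help authenticator authors.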
438c437
<     char *child_env[13];

---
>     char *child_env[12];
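Review bot: in the 438c437 hunk the size of `child_env` is raised from 12 to 13 by hand, which stays correct only while the literal matches the number of `child_env[i++]` assignments (plus the terminator an environment array needs). A named constant next to the ENV_ defines, or a bound check on `i` before each assignment, would keep the next added variable from writing past the end of the array.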
461c460
<   const char *cookie, *host, *remote_host, *proxy;

---
>   const char *cookie, *host, *remote_host;
498,499d496
< if ((proxy= apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL)
<       child_env[i++]= apr_pstrcat(p, ENV_PROXY"=", proxy, NULL);
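Review bot: at 498,499d496 the X-Forwarded-For value is copied from `r->headers_in` into the child's environment exactly as received, and that header is set by whoever sends the request unless the load balancer overwrites it; it can also carry a comma-separated chain instead of a single address. An authenticator should treat PROXY as a client address only when the request arrived from a known load balancer, so either gate the assignment on the connecting peer being a configured proxy or document the value as untrusted input. The added `if` line is also not indented to match the `child_env[i++]` line beneath it.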

Original issue reported on code.google.com by [email protected] on 19 Aug 2013 at 1:41

  • Merged into: #12

Each authentication request generates multiple invocations of mod_authnz_external

Our authentications are taking over four seconds, and I couldn't imagine why it is this slow. Our script invokes php to contact another server, and somehow this external php script is sending six different requests to the authentication server. This seems incomprehensible to us, since the script executes only a single HTTP request to the other server. Nevertheless, each invocation of mod_authnz_external translates into six different executions to the auth server, and apparently apache blocks until the last one finishes. This raises the question of what exactly is happening - is there any restart logic in the default configuration of mod_authnz_external that I was unable to find? I ran netstat -cant while it was executing an authentication, and sure enough it fires six different socket connections. The php code that does this is quite simple, and does just a POST to the server. This can timeout, but we don't have any retry logic in our php script.

$client = new \GuzzleHttp\Client();
$response = $client->request('POST', $auth_endpoint_url, ["form_params" => $query]);

Executing our script from the command line generates only a single POST, so this causes me to think that mod_authnz_external is invoking it multiple times for each authentication request from the apache server.

We are using debian 11, apache 2.4.51-1~deb11u1, mpm_prefork, php 7.4.25, and this module built from master (looks like 3.3.3). We can try installing the debian package instead, but I'm grasping at straws to imagine how a single authentication request translates into six RPC calls.

external authenticator PHP instances can't transmit cookies to the browser

Using a PHP script with mod_authnz_external which initiates a PHP session does properly create the session file, present the $_SESSION global array, and is able to populate that session file. However, the expected cookie for that PHP session does not appear to get delivered to the connected browser (Firefox, Opera). When a subsequent web page initiates a PHP session, its status shows no current session in progress and it creates a new, empty session file and establishes the corresponding browser cookie for that new PHP session. Even attempting to use the PHP setcookie function has no noticeable effect.

mod_authnz_external usage setup in ssl.conf:
SetEnv INDICATOR_VAR "{Home}"
LogLevel authnz_external:trace8
AllowOverride None
Options None
SSLRequireSSL

Require ip x.x.x.0/24 127.0.0.1
AuthType Basic
AuthName "Homepage"
AuthBasicProvider socache external
AuthExternal extAuthUser
AuthExternalContext "Authorization:Homepage"
AuthExternalProvideCache On
AuthnCacheTimeout 120
AuthnCacheProvideFor external
Require valid-user

authnz_external_module and pwauth on CentOS 6.2 failure

What steps will reproduce the problem?
1. Install module 3.2.6 as described by documentation
2. Configure and install pwauth 2.3.10 for PAM authentication 
3. Configure httpd.conf as described by documentation

What is the expected output? What do you see instead?
pwauth works as expected when tested on command line but not through 
authnz_external_module
------------------------------------------------------------
[root@sbctos4 /]# sudo -u apache /usr/local/bin/pwauth
pwtest
m0d3xt3rn@l
[root@sbctos4 /]# echo $?
0
Using wrong name or password returns 1 as expected
-----------------------------------------------------------

What version of the product are you using? On what operating system?

[root@sbctos4 /]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Feb 13 2012 22:31:42

[root@sbctos4 /]# uname -a
Linux sbctos4 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 
x86_64 x86_64 GNU/Linux

authnz_external_module: 3.2.6
pwauth: 2.3.10


Please provide any additional information below.
Same configuration works on CentOS 5  (2.6.18-308.4.1.el5) but not on CentOS 6.2

CentOS 6.2 Configuration follows:
-----------------------------------------------------------------
-rwsr-xr-x. 1 root root 20382 Jun  9 17:29 /usr/local/bin/pwauth
-----------------------------------------------------------------
pwauth config.h and Makefile attached
/etc/pam.d/pwauth attached
/etc/httpd/conf/httpd.conf attached





Original issue reported on code.google.com by [email protected] on 10 Jun 2012 at 12:13

[Patch] conn_rec->remote_ip compilation failure with Apache 2.4.1

The remote_ip field in the conn_rec structure was removed in Apache 2.4.1 and 
replaced with client_ip and useragent_ip.

See:
http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html
http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?r1=1204968&r2=1206291&diff_format=h
http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?r1=1211490&r2=1214003&diff_format=h

Compilation of mod_authnz_external 3.3.1 fails with the following errors:

libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic   -DLINUX=2 
-D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -c -o mod_authnz_external.lo 
mod_authnz_external.c && touch mod_authnz_external.slo
mod_authnz_external.c: In function 'exec_external':
mod_authnz_external.c:446: error: 'conn_rec' has no member named 'remote_ip'
mod_authnz_external.c:447: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536

This patch replaces accesses to remote_ip with client_ip.

Original issue reported on code.google.com by davidsansome on 26 Mar 2012 at 5:40

PAM ENV variables for auth script

Hi!

I've been trying for 2 days now to write a custom PAM script which authenticates with 
sys user and pass.
I made examples in C, python and perl but I have the same problem with all of 
them.

When I test the script in my shell everything works well.
I test them with 

# ./script;echo $?

And get 0 or 1 back.

But as soon as I try to use it with mod_authz_external and Apache it stops 
working.
Even with a valid user I get a 1 back and am not able to log in.

It seems that there is a problem with PAM and maybe the Apache environment.
I read somewhere that I have to set the environment variables to use PAM but I 
have no clue how.

I attached examples in C, Perl and Python.
Choose whatever you like, they work all the same... returning the exit code 0 
or 1.

Any help or hint would be appreciated!

Thanks!

Original issue reported on code.google.com by [email protected] on 7 Feb 2014 at 11:45

Makefile has install for default target should be build

What steps will reproduce the problem?
1. Build the program
2.
3.

What is the expected output? What do you see instead?
a "make" tries to install the program instead of just building it.

What version of the product are you using? On what operating system?
newest on RHEL5.6

Please provide any additional information below.
Just a small makefile syntax addition to set default build target to   I've 
included a patch.

Original issue reported on code.google.com by [email protected] on 2 Mar 2011 at 1:48

passing data as base64 to prevent injection

Hello,

I think it would be a nice feature (or make it default) to be able to pass the 
data in base64 to the external authentication program.

Yesterday I wrote a little script to check username/password with SQL and 
thought: "oh, here you have to be very careful.."

But mod-auth-external makes it very easy to implement your own script and I think 
not everyone would realize that you have to check the input..

esco


Original issue reported on code.google.com by [email protected] on 17 Dec 2013 at 9:59
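
The concern in this report, that authenticator authors may pass the user name and password straight into SQL, can be handled inside the script itself. The following is an added example, not code from the report or from the project: a pipe-method authenticator in Python that validates the two stdin lines and uses bound parameters, with the string-built query beside it for contrast. The `auth` table, the length limit, the user name pattern and the PBKDF2 settings are assumptions, and the sample data is constructed.

```python
#!/usr/bin/env python3
# Added example: a pipe-method authenticator. The module writes the user name
# and the password to stdin, one per line; exit status 0 accepts the login.
import hashlib
import hmac
import io
import os
import re
import sqlite3

MAX_PASSWORD_LEN = 256                           # assumed limit for this example
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")   # assumed user name policy
ROUNDS = 100_000                                 # assumed PBKDF2 work factor
DUMMY_SALT, DUMMY_HASH = b"\0" * 16, b"\0" * 32  # used when the user is unknown


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def make_demo_db():
    """Constructed sample data: a hypothetical `auth` table with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth (user TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO auth VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    return conn


def read_credentials(stream):
    """Read two lines from the pipe; return (user, password) or None."""
    limit = MAX_PASSWORD_LEN + 2
    user = stream.readline(limit)
    password = stream.readline(limit)
    if not user.endswith("\n"):
        return None                       # missing or over-long user line
    user = user[:-1]
    if password.endswith("\n"):
        password = password[:-1]          # strip the terminator only, never trim
    if not USER_RE.fullmatch(user):
        return None                       # quotes, spaces, control bytes rejected
    if not password or len(password) > MAX_PASSWORD_LEN or "\0" in password:
        return None
    return user, password


def user_exists_unsafe(conn, user):
    """The pattern to avoid: input spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM auth WHERE user = '" + user + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_bound(conn, user):
    """Same lookup with a bound parameter: input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM auth WHERE user = ?"
    return conn.execute(sql, (user,)).fetchone()[0] > 0


def verify(conn, user, password):
    """Check the password against the stored salted hash."""
    row = conn.execute("SELECT salt, pw_hash FROM auth WHERE user = ?",
                       (user,)).fetchone()
    # Hash even for unknown users so both paths do the same amount of work.
    salt, expected = row if row else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and row is not None


def authenticate(stream, conn):
    """Return the exit status the authenticator should use: 0 or 1."""
    creds = read_credentials(stream)
    if creds is None:
        return 1
    return 0 if verify(conn, *creds) else 1


def demo():
    """Run constructed inputs through both query styles and the full check."""
    conn = make_demo_db()
    hostile = "x' OR '1'='1"              # constructed hostile user name
    return {
        "valid login exit status": authenticate(io.StringIO("alice\ncorrect horse\n"), conn),
        "wrong password exit status": authenticate(io.StringIO("alice\nwrong\n"), conn),
        "hostile name exit status": authenticate(io.StringIO(hostile + "\nany\n"), conn),
        "string-built query matches hostile name": user_exists_unsafe(conn, hostile),
        "bound query matches hostile name": user_exists_bound(conn, hostile),
    }


if __name__ == "__main__":
    # A deployed script would end with sys.exit(authenticate(sys.stdin, conn)).
    for name, result in demo().items():
        print(f"{name}: {result}")
```
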

checkpassword method appears to be broken in 3.2.x version

What steps will reproduce the problem?

1. install mod_authnz_external 3.2.x version
2. configure external authenticator to use the checkpassword method
3. attempt to authenticate with checkpassword compatible authenticator
(like vcheck).

What is the expected output? What do you see instead?

Expected login when correct credentials are entered.


What version of the product are you using? On what operating system?

3.2.x versions, on CentOS.  3.1.x on same system seems fine.

Please provide any additional information below.

What seems to be happening is that the user and password are being sent in
on descriptor 0, not 3 like it should be.  

Original issue reported on code.google.com by [email protected] on 4 Nov 2009 at 10:28

Tag version 3.3.2

Can you please tag version 3.3.2 (I believe that's commit 0ee39e) and consider making a new release which would be 3.3.3 (as there have been a few commits since the last release that would be nice to have)?

Thanks!

(BTW, I'm the Gentoo maintainer of this package)

pwauth: External authenticator died on signal 15

Hello,

I have a problem using libapache2-mod-authnz-external 3.3.2 on Ubuntu 16.04. Securing my website works, but I have to enter my login credentials multiple times. There seems to be a problem with pwauth:

[Fri Jan 12 09:28:21.999926 2018] [auth_basic:error] [pid 29170:tid 140181752051456] [client xxx] AH01617: user mlohr: authentication failure for "/xxx": Password Mismatch, referer: https://xxx
[Fri Jan 12 09:33:23.729266 2018] [authnz_external:error] [pid 29171:tid 140181835978496] [client xxx] External authenticator died on signal 15, referer: https://xxx
[Fri Jan 12 09:33:23.729310 2018] [authnz_external:error] [pid 29171:tid 140181835978496] [client xxx] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (-2) for user mlohr, referer: https://xxx
[Fri Jan 12 09:33:23.729328 2018] [auth_basic:error] [pid 29171:tid 140181835978496] [client xxx] AH01617: user mlohr: authentication failure for "xxx": Password Mismatch, referer: https://xxx
[Fri Jan 12 09:33:23.784328 2018] [authnz_external:error] [pid 29171:tid 140181835978496] [client xxx] External authenticator died on signal 15, referer: https://xxx
[Fri Jan 12 09:33:23.784370 2018] [authnz_external:error] [pid 29171:tid 140181835978496] [client xxx] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (-2) for user mlohr, referer: https://xxx
[Fri Jan 12 09:33:23.784389 2018] [auth_basic:error] [pid 29171:tid 140181835978496] [client xxx] AH01617: user mlohr: authentication failure for "xxx": Password Mismatch, referer: https://xxx
[Fri Jan 12 09:33:23.916434 2018] [authnz_external:error] [pid 29171:tid 140181819193088] [client xxx] External authenticator died on signal 15, referer: https://xxx
[Fri Jan 12 09:33:23.916470 2018] [authnz_external:error] [pid 29171:tid 140181819193088] [client xxx] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (-2) for user mlohr, referer: https://xxx
[Fri Jan 12 09:33:23.916481 2018] [auth_basic:error] [pid 29171:tid 140181819193088] [client xxx] AH01617: user mlohr: authentication failure for "xxx": Password Mismatch, referer: https://xxx

Problem here: I'm pretty sure that my password is correct, because the index page loaded. This problem occurs maybe every 10 requests. Any idea what's going on there? Is there any limitation to valid passwords? My password is using some special symbols.

Best regards
Matthias

Very slow authentication

It's likely that I'm doing something wrong but my authenticator script runs on the command line in approximately 0.05 seconds. However, it takes approximately 15 seconds for my directory listing to appear. I'm really not sure why it's so slow. Can you give me any ideas?

no php environment when using pipe

What steps will reproduce the problem?
1. use mod-auth-external

What is the expected output? What do you see instead?
$_ENV containing vars like the AUTHENTICATORS file says
Nothing there ...

What version of the product are you using? On what operating system?
Gentoo, apache 2.4.7, mod-auth-external-3.3.2

Please provide any additional information below.

I have the following auth php script .. 

#!/usr/bin/php
<?php
function flog($msg){
        $fh = fopen("/tmp/apache_auth", "a");
        fwrite($fh, date("Y-m-d H:i:s")." - ".$msg."\n");
        fclose($fh);
}
$user = trim(fgets(STDIN));
$pass = trim(fgets(STDIN));
$pass = sha1($pass);
flog($user." - ".$pass);
flog(print_r($_ENV, 1));
foreach ($_ENV as $k => $v){
        flog($k . '=' . $v);
}
$conn = mysql_connect(...);
mysql_select_db(...);
$checkquery = "SELECT `id`, `expiry` FROM `auth` WHERE `user` = 
'".mysql_real_escape_string($user)."' AND `password` = 
'".mysql_real_escape_string($pass)."' AND `enabled` = '1' AND (`expiry` > NOW() 
OR `expiry` = '0000-00-00 00:00:00') LIMIT 1;";
flog($checkquery);
$check = mysql_query($checkquery, $conn) or die(mysql_error($conn));
if (mysql_num_rows($check) > 0){
        $row = mysql_fetch_array($check);
        if($row['expiry'] != '0000-00-00 00:00:00'){
                $update = "UPDATE `auth` SET `expiry` = NOW()+INTERVAL 1 MONTH WHERE `id` = '".$row['id']."' LIMIT 1;";
                $update = mysql_query($update, $conn) or die(mysql_error($conn));
        }
        flog("Yes");
        exit(0);
}else{
        flog("NO");
        exit(1);
}
?>

Here's what /tmp/apache_auth contains:
2013-12-12 19:30:17 - SELECT `id`, `expiry` FROM `auth` WHERE `user` = '...' 
AND `password` = '...' AND `enabled` = '1' AND (`expiry` > NOW() OR `expiry` = 
'0000-00-00 00:00:00') LIMIT 1;
2013-12-12 19:30:17 - Yes
2013-12-12 19:30:17 - dex - ...
2013-12-12 19:30:17 - Array
(
)

Am I doing it wrong ? Do I need to enable special flags in php/apache ?

Original issue reported on code.google.com by [email protected] on 12 Dec 2013 at 5:35

Invalid AuthExternal keyword (pwauth)

I'm trying to setup basic authentication on my Apache2 server using AuthExternal and pwauth. Thus using the system users to perform the authentication rather than another user db.

I could install and enable everything seamlessly. Apache2 (2.4.12-2ubuntu2), libapache2-mod-authnz-external (3.3.2-0.1) and pwauth (2.3.11-0.1). It's all running on my Ubuntu 15.10 Desktop edition and Linux 4.2.0-30-generic. Nothing fancy really, all standard wily repo installs.

Apache2 is running and the AuthExternal module is loaded correctly, at least as far as I can tell:

me@bla:~$ systemctl status apache2.service | grep Active
  Active: active (running) since Thu 2016-02-25 13:41:02 CET; 33s ago
me@bla:~$ apache2ctl -M | grep external
  authnz_external_module (shared)

I have defined the modules to be used as well as the Directory to which to apply the authentication in the VHost config file. See my /etc/apache2/sites-enabled/000-default.conf below:

<IfModule mod_authnz_external.c>
    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe
</IfModule>

<VirtualHost *:80>

    ServerAdmin webmaster@localhost 
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/sec>
        AuthType Basic
        AuthName "Restricted Area"
        AuthBasicProvider external
        AuthExternal pwauth
        Require user pat 
    </Directory>
</VirtualHost>

Now, when I try to open localhost/sec in a browser I'm prompted to log in. I provide pat as a user and his password and wait for the magic to happen. Unfortunately I get an internal server error rather than the expected index.html 'Hello World'....

So I checked the apache2 error logs and found 'Invalid AuthExternal keyword (pwauth)' in there. After some digging I came to realize, that this error is raised by AuthExternal because it can't find the specified pwauth. So I went and checked that by running:

sudo -u www-data which pwauth

That returned the same path as specified in the above config file, so that can be excluded....

I then tried to redirect AuthExternal to a shell script to test the module independently of pwauth. The script simply appends a string to a file for me to see if it's being called by AuthExternal or not. I ran 'chmod u+s a+x' on the file to allow it to run with root privilege, as pwauth needs that to access passwd, and gave it another try. I also tried the same without u+s as it's not needed here but that didn't go any better. This test led me to think that there is something wrong with my apache2 and not pwauth.

I tested all of that with Chromium and Firefox, not that it matters in this case, but you know... one can never be sure enough, right? I also tried all variations I could think of with respect to where I was putting the directives. All directly in the apache2.conf, the directory in apache2.conf and the module inclusion in ./conf-enable/security.conf, modules in security and directory in the vhost, etc... None of these variations helped, some made it worse though...

I then did a lot of googling.... But I could only find information with respect to this topic from the httpd.conf era which doesn't really apply anymore. Even if it still provides some valid and useful hints... In addition, most, if not all of those threads use a .htaccess approach. Which I'm trying to avoid by using the Directory directives in order to avoid the performance lack induced by .htaccess.

Anyhow, I'm out of ideas as to where to look or what to try. I'm turning in circles to be honest and would appreciate any hint, ideas or solutions to get me further.

Is mod_authnz_external thread-safe?

This is how I set up a "stress test" for Apache:

1. Set up a web page that issues 100 AJAX requests within a short period of time
2. Using the about:config page in Firefox, modify the parameter 
network.http.max-persistent-connections-per-server to allow 50 simultaneous 
connections 
3. Set up Apache so that the MPM operates in worker mode (rather than prefork).

What is the expected output? What do you see instead?

When I run the stress test, about 10% of the AJAX requests are lost, and the
Apache error logs contain entries like this:

[cgid:error] [pid 27442:tid 1] AH01239: cgid daemon process died, restarting

There are several ways I can make the problem go away: (1) change the MPM
to use prefork rather than worker, (2) change the authentication mode to use
file authentication instead of external authentication, (3) decrease the 
number of simultaneous connections used by Firefox.  However it appears that
mod_authnz_external is unable to work properly under heavy loads when threading
is used.

What version of the product are you using? On what operating system?

I am running Apache 2.4.10 with version 3.2.3 of mod_authnz_external

Please provide any additional information below.

I did my testing on an HP Integrity box running HP-UX 11.31.  

If mod_authnz_external simply does not support thread safety, then I will set 
up my Apache server to use prefork, but I would like to use threading if
possible.


Original issue reported on code.google.com by [email protected] on 4 Feb 2015 at 8:06

mod_authz_unixgroup to support "and"

Currently mod_authz_unixgroup supports "or"
where:
Require unix-group staff admin
users in staff or admin are allowed.

Could you add a feature of "and"
where
Require unix-group staff
Require unix-group admin
only users in both staff and admin are allowed.

Truly separate authN and authZ modules

For our use case, we needed to only use mod_authZ_external, the group authorization module.
However, the current design has the authZ module check if the authN module succeeded ("is there an authenticated user?").
I modified the code to include a new apache config directive that disables that check, and therefore allows mod_authz_external to be used on its own. However, for maximum compatibility, as written now, in my pull request #27, if the user does not specify the new directive, then authorization behaviour will not change.

As an aside, I hope that eventually the project can be resumed here and maybe get the latest changes back into the linux repositories? (probably a separate issue item :) )

Put the new AUTHORIZE_<header> support behind a flag? and tag a new release

Probably many existing users won't like seeing the AUTHORIZE_ headers from the other apache auth modules suddenly appearing in the child process' environment, so it would probably be best to put that behind a flag...
No issues have been noted with the last set of changes since v3.3.3, so after the change above, it's probably safe to release v.3.3.4...

Add runtime tests to Travis CI, in addition to our existing build tests

We have tests to make sure code changes build properly on Mac, Windows, and Linux.

It would be helpful to add tests for the actual functionality. Example:

  • add mod_authnz_external to apache
  • set up an example authenticator/authorizer
  • set example configuration directives in apache conf files
  • run curl on it several times

mod_authnz_external.c:496]: (style) Suspicious condition

mod_authnz_external.c:496]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

Source code is

   ((rc= apr_procattr_child_errfn_set(procattr, extchilderr)
          != APR_SUCCESS)))

Maybe better code

   ((rc= apr_procattr_child_errfn_set(procattr, extchilderr))
          != APR_SUCCESS))

How to propagate authenticator return code to 401 action

Is it possible to somehow propagate authenticator return code to the action defined by directive

ErrorDocument 401 <action>

From my current findings it seems that the only way is by parsing Apache logs. But it doesn't seem a nice solution.

In case this ends up being the only solution, what should we be looking for? In our scenario we can put any arbitrary log from the authenticator program (either by outputting it or by calling syslog). But what should we put there to ensure that the 401 action will know which particular log to use? The requested URL itself doesn't seem enough. If there are multiple requests to the same URL then it could happen that more than one log will be made before the 401 action reaches the point of log parsing. So what else?

Mod-auth-external Needs a New Maintainer

Mod-auth-external was originally written by Nathan Neulinger, who passed 
maintenance to Tyler Allison. I've been the maintainer for nearly 15 years now. 
I've pretty much completely rewritten it more than once as Apache has evolved.

It's been years since I've done any active development, beyond just keeping up 
with changes in Apache, and lately I haven't done the latter very well. I don't 
actually maintain any production servers these days. To test mod-auth-external, 
I set up a dummy server on my desktop linux box to work as a test bed.

I moved this project into code.google.com partly in hopes of smoothing the 
transition to a new maintainer when the time comes to do so. I think that the 
time has come for someone else to take the job.

At a minimum, the job entails updating mod-auth-external each time Apache 
modifies their API, which is really just a few times a year. I think there are 
possibilities for new development - such as supporting authentication daemons - 
but I don't think there is any clamor for that. I get user questions at a rate 
of about ten to twelve a year, which I try to answer to the best of my ability. 
So this is not a huge job.

You'd also be taking over support of mod_authz_unixgroup and probably pwauth. 
Though possibly different people could maintain different parts. In fact, it 
might not be a bad idea to have more than one maintainer. This google code 
system certainly makes that easy.

Anyway, I'd appreciate hearing from volunteers. This is hardly the cutting edge 
of open source software, but it's still useful and widely used.

Original issue reported on code.google.com by [email protected] on 12 Dec 2013 at 11:01

Failure stops other authenticators

What steps will reproduce the problem?
1. Put the following in a .htaccess file:
AuthType Basic
AuthBasicProvider external file
AuthExternal pwauth
AuthUserFile /web/htpasswd
Require valid-user
2. Access a URL under that tree
3. Offer credentials of a user described in /web/htpasswd

What is the expected output? What do you see instead?
Page should load. Instead, I get back "401 Authorization Required". The
error log shows the following:
[Thu May 27 11:57:51 2010] [error] [client 128.zzz.xxx.yyy] AuthExtern
pwauth [/usr/local/bin/pwauth]: Failed (1) for user htphil
[Thu May 27 11:57:51 2010] [error] [client 128.zzz.xxx.yyy] user htphil:
authentication failure for "/test/": Password Mismatch
Apparently, mod_authn_file was never consulted

What version of the product are you using? On what operating system?
Package libapache2-mod-authnz-external version 3.1.0-1ubuntu2 on Ubuntu
8.04.4 Hardy

Please provide any additional information below.
The documentation says that mod_auth_basic handles the issue of treating
the auth[nz] modules non-authoritatively, but that doesn't quite seem to be
the case.

Original issue reported on code.google.com by [email protected] on 27 May 2010 at 5:11

Can't compile source (mod-auth-external)

What steps will reproduce the problem?
1. Download source (or get source with svn)
2. Compile (with apxs2 or make)
3. get errors

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

[error message]
/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static 
i686-linux-gnu-gcc -prefer-pic -DLINUX=2 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE 
-D_LARGEFILE64_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 
-I/usr/include/openssl -I/usr/include/xmltok -pthread     
-I/usr/include/apache2  -I/usr/include/apr-1.0   -I/usr/include/apr-1.0   -c -o 
mod_authnz_external.lo mod_authnz_external.c && touch mod_authnz_external.slo
mod_authnz_external.c:145:1: error: unknown type name 
'apr_OFN_ap_authn_cache_store_t'
mod_authnz_external.c:614:1: error: unknown type name 'authz_status'
mod_authnz_external.c: In function 'externalgroup_check_authorization':
mod_authnz_external.c:630:25: error: 'AUTHZ_DENIED_NO_USER' undeclared (first 
use in this function)
mod_authnz_external.c:630:25: note: each undeclared identifier is reported only 
once for each function it appears in
mod_authnz_external.c:633:28: error: 'AUTHZ_DENIED' undeclared (first use in 
this function)
mod_authnz_external.c:649:24: error: 'AUTHZ_GRANTED' undeclared (first use in 
this function)
mod_authnz_external.c: At top level:
mod_authnz_external.c:673:1: error: unknown type name 'authz_status'
mod_authnz_external.c: In function 'externalfilegroup_check_authorization':
mod_authnz_external.c:690:25: error: 'AUTHZ_DENIED_NO_USER' undeclared (first 
use in this function)
mod_authnz_external.c:693:28: error: 'AUTHZ_DENIED' undeclared (first use in 
this function)
mod_authnz_external.c:714:27: error: 'AUTHZ_GRANTED' undeclared (first use in 
this function)
mod_authnz_external.c: In function 'mock_turtle_cache':
mod_authnz_external.c:746:26: error: called object 'authn_cache_store' is not a 
function
mod_authnz_external.c: In function 'opt_retr':
mod_authnz_external.c:832:1: error: 'apr_OFN_ap_authn_cache_store_t' undeclared 
(first use in this function)
mod_authnz_external.c:832:2: error: expected expression before ')' token
mod_authnz_external.c: At top level:
mod_authnz_external.c:855:5: warning: initialization from incompatible pointer 
type [enabled by default]
mod_authnz_external.c:855:5: warning: (near initialization for 
'authz_externalgroup_provider.get_user_groups') [enabled by default]
mod_authnz_external.c:856:5: warning: excess elements in struct initializer 
[enabled by default]
mod_authnz_external.c:856:5: warning: (near initialization for 
'authz_externalgroup_provider') [enabled by default]
mod_authnz_external.c:863:5: warning: initialization from incompatible pointer 
type [enabled by default]
mod_authnz_external.c:863:5: warning: (near initialization for 
'authz_externalfilegroup_provider.get_user_groups') [enabled by default]
mod_authnz_external.c:864:5: warning: excess elements in struct initializer 
[enabled by default]
mod_authnz_external.c:864:5: warning: (near initialization for 
'authz_externalfilegroup_provider') [enabled by default]
mod_authnz_external.c: In function 'register_hooks':
mod_authnz_external.c:872:6: error: 'AUTHN_PROVIDER_VERSION' undeclared (first 
use in this function)
mod_authnz_external.c:873:32: error: 'AP_AUTH_INTERNAL_PER_CONF' undeclared 
(first use in this function)
mod_authnz_external.c:876:34: error: 'AUTHZ_PROVIDER_GROUP' undeclared (first 
use in this function)
mod_authnz_external.c:877:6: error: 'AUTHZ_PROVIDER_VERSION' undeclared (first 
use in this function)
mod_authnz_external.c: At top level:
mod_authnz_external.c:889:1: warning: data definition has no type or storage 
class [enabled by default]
mod_authnz_external.c:889:1: warning: parameter names (without types) in 
function declaration [enabled by default]
mod_authnz_external.c:889:1: error: function 'AP_DECLARE_MODULE' is initialized 
like a variable
mod_authnz_external.c:890:5: error: invalid initializer
mod_authnz_external.c:890:5: error: (near initialization for 
'AP_DECLARE_MODULE')
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:890:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:890:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:891:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:891:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:892:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:892:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:893:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:893:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:894:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:894:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:895:5: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:895:5: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
mod_authnz_external.c:897:1: warning: excess elements in scalar initializer 
[enabled by default]
mod_authnz_external.c:897:1: warning: (near initialization for 
'AP_DECLARE_MODULE') [enabled by default]
apxs:Error: Command failed with rc=65536

Original issue reported on code.google.com by [email protected] on 24 Feb 2012 at 12:34

Compiled static into https-2.4.46 and it broke PHP in many locations

I have an Apache server 2.4.46 in which all modules are compiled in static. When I added this one it broke PHP; PHP would only execute in some places afterwards. In other locations it would print the PHP code instead of executing it. I was not able to discern a pattern and this involved NO change to the Apache configuration, just added this to the configuration file.

Use on Windows with Apache 2.2

"In theory it should now work on any operating system supported by Apache, 
including Windows. However, I do not know that anyone has tried this. If you 
experiment with this, please let us know the results."

I created a 32-bit build of the module at version 3.2.6 on Ubuntu 11.10 i386 
with default compiler flags.  My understanding is that Apache 2 has its own 
dynamic loader and can run module dynamic libs in a platform independent way?

Anyway, this build cannot be correctly loaded in 32-bit Apache 2.2 running on 
Windows 2008 Server R2.  Apache fails with error "not a valid Win32 
application" (or similar).

I haven't tried a Windows build yet but would probably have more success I 
imagine, or at least be able to pinpoint the error.

Original issue reported on code.google.com by [email protected] on 14 Mar 2012 at 3:10

Fix launch of external processes on Windows - add %SystemRoot% (fix complete)

Pull Request #32

When compiling mod_auth_external on Windows, the SystemRoot environment variable was not set.
%SystemRoot% is supposed to point to the directory where Windows is installed (e.g. C:\WINDOWS or D:\OS\WINNT or whatever you set it to when you installed Windows)

Seemingly random things stop working when the SystemRoot environment variable is missing:

  • standard Windows file open dialog
  • ping command's DNS resolution
  • external php script's mysqli remote database access
  • etc.

p.s. also the random spelling fix from earlier is in here too for convenience...

mod-auth-external 3.3.3 results in pwauth signal 15

For some days now, version 3.3.3 has been available in EPEL8. But after updating from 3.3.2, it doesn't behave properly.

Found now in log:

External authenticator died on signal 15, referer:

Found a hint: https://bz.apache.org/bugzilla/show_bug.cgi?id=59237
but HTTP/2 is not enabled on server.

working:

problem:

  • pwauth-2.3.10-24.el8.x86_64
  • mod_authnz_external-3.3.3-3.el8.x86_64

I've protected an /mrtg directory, so on each image request it will fire the "pwauth" (also visible in audit log). Looks like some of them are receiving SIGSEGV...but this did not happen with 3.3.2

Any hints where to look further on?

Has anyone detected a similar issue?

Group Authentication not passing 'GROUP' env or argv variables

What steps will reproduce the problem?
1. Regular Setup

What is the expected output? What do you see instead?
Using PHP "print_r($_SERVER['GROUP'])" is empty, I expect to see the group name 
via
Require external-group developer test

What version of the product are you using? On what operating system?
3.3.1

Please provide any additional information below.
'GROUP' variable is not being passed to external script

Original issue reported on code.google.com by [email protected] on 17 Jul 2013 at 1:33
