logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Location authentication configuration ignored in VirtualHost
Author
bigmanroger



Joined: 25 Oct 2022
Posts: 2
Location: Ireland

PostPosted: Tue 25 Oct '22 10:56    Post subject: Location authentication configuration ignored in VirtualHost Reply with quote

I have the following configuration in a config file for httpd:

Code:
Listen 6666
    <VirtualHost server-name:6666>

    ServerName server-name
    LogLevel trace6
    LogFormat "%h %p %l %u %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{X-Forwarded-For}i %{X-Tor-Application}i \"BALANCER_WORKER_ROUTE: %{BALANCER_WORKER_ROUTE}e\"" combined
    CustomLog /var/log/httpd/virtualhost2.log combined
    ErrorLog /var/log/httpd/modcluster_error_log

    EnableMCPMReceive

    <Location /mod_cluster-manager>
            SetHandler mod_cluster-manager
            AuthType Basic
            AuthName "MCM Authentication Control"
            AuthUserFile /etc/modclusterpasswd
            Require user root
    </Location>
</VirtualHost>

I would expect that when I run a curl command to the mod_cluster-manager endpoint, the request will only be served if I pass the username and password. However, the request is granted regardless.

I have also tried putting "Require all denied" inside my Location tag, but the modcluster manager page is still served regardless of this.

In my custom error log I can see the following:

Code:
[core:trace3] [pid 12219:tid 139843900258048] request.c(312): [client 10.247.246.158:35656] request authorized without authentication by access_checker_ex hook: /mod_cluster-manager

I don't get any logs from authz/authn etc to indicate that the request is being processed for authentication.

In the Apache httpd source code (httpd_request.h) I can see:

Code:
/**
* This hook is used to apply additional access control and/or bypass
* authentication for this resource. It runs *before* a user is authenticated,
* but after the access_checker hook.
* This hook should be registered with ap_hook_check_access_ex().
* If "Satisfy any" is in effect, this hook may be skipped.
*
* @param r the current request
* @return OK (allow access), DECLINED (let later modules decide),
*         or HTTP_... (deny access)
* @ingroup hooks
* @see ap_hook_check_access_ex
*/
AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
And also in request.c:

else if (access_status == OK) {
            ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
                          "request authorized without authentication by "
                          "access_checker_ex hook: %s", r->uri);

This appears to be the source of the output I am seeing in the log.

What could be causing my authentication configuration to be ignored? And how can I fix it?
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 305
Location: UK

PostPosted: Tue 25 Oct '22 22:03    Post subject: Reply with quote

You don't say which version of Apache you're using, but since you're using mod_cluster suspect it's Redhat based.

In the past I've used the mod_proxy_balancer module with a location based section to control access to /balancer-manager, using file based basic authentication exactly as you've detailed in your post, and it works as expected.

So chances are, as your investigation suggests, there's something in the mod_cluster code that's setting access_status == OK, so bypassing the auth module logic.

Do your trace log entries change if you add a Satisfy Any directive to your location block?

Do you have the mod_cluster module source, to be able to check the code behind the access_checker_ex hook, as referenced from request.c?
Back to top
bigmanroger



Joined: 25 Oct 2022
Posts: 2
Location: Ireland

PostPosted: Wed 26 Oct '22 14:22    Post subject: Reply with quote

tangent wrote:
You don't say which version of Apache you're using, but since you're using mod_cluster suspect it's Redhat based.

Yes you're correct, running apachectl -v gives me:
Server version: Apache/2.4.37 (Red Hat) (Release 41.jbcs.el7-SP1)

tangent wrote:
Do your trace log entries change if you add a Satisfy Any directive to your location block?

Just tried this, and yes the log changes if I add a Satisfy Any to the log line:
Code:
[Wed Oct 26 12:33:47.161653 2022] [core:trace3] [pid 5901:tid 139728154220288] request.c(323): [client 10.247.246.158:39614] request authorized without authentication by access_checker hook and 'Satisfy any': /mod_cluster-manager

If I change to "Satisfy All" I get the same log line as the original issue, presumably because Satisfy All and Satisfy_NOSPEC are the same:
Code:
switch (ap_satisfies(r)) {
        case SATISFY_ALL:
        case SATISFY_NOSPEC:


tangent wrote:
Do you have the mod_cluster module source, to be able to check the code behind the access_checker_ex hook, as referenced from request.c?

Not sure on where to find the source I'm using but presumably it's one of the following?
https://github.com/Karm/jbcs-httpd-mod_proxy_cluster
https://github.com/modcluster/mod_cluster

Haven't found "access_checker_ex" or anything in these yet that I can see as the cause of the issue.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 305
Location: UK

PostPosted: Wed 26 Oct '22 20:49    Post subject: Reply with quote

The GitHub links you've posted don't appear to reference any HTTPD source code, bit rather Java based JBCS Apache Server (JBoss Core Services), and a Docker script. Believe RedHat consider this code proprietary, though I did find this native HTTPD based reference to mod_cluster: https://github.com/modcluster/mod_proxy_cluster

Looking for hook code declarations in mod_manager.c, mod_proxy_cluster.c, etc., I can't see any obvious access functions which bypass subsequent authentication checks, though your testing rather confirms otherwise.

The problem I have is I don't have access to a RedHat instance to be able to troubleshoot this problem further.

I do hope other site contributers can help resolve this problem for you.
Back to top


Reply to topic   Topic: Location authentication configuration ignored in VirtualHost View previous topic :: View next topic
Post new topic   Forum Index -> Apache