Topic: GSSAPI SSO have to exclude URL from SSO |
|
Author |
|
seb69
Joined: 03 Apr 2024 Posts: 2
|
Posted: Wed 03 Apr '24 14:54 Post subject: GSSAPI SSO have to exclude URL from SSO |
|
|
Hello everyone and thank you for your help,
I'm going crazy with the Apache conf of my site, so let me explain...
Here is my configuration:
Debian 12, website on apache2 installed in "/var/www/glpi/".
I have two related problems.
Problem 1
I've set up SSO authentication with GSSAPI which works "almost" well; in fact it only works if I put "<Location "/">" in "local-ssl.conf".
If I put "<Directory /var/www/glpi>" it doesn't work anymore.
If I put "<Location "/glpi">" it no longer works.
You're going to ask me why I want to put anything other than "<Location "/">" ...
Here's the conf that works:
Code: |
<Location "/">
AuthType GSSAPI
AuthName "GLPI SSO"
GssapiCredStore keytab:/etc/apache2/krb.keytab
GssapiAllowedMech krb5
Require valid-user
GssapiBasicAuth On
# Options FollowSymlinks ?works without
# AllowOverride All ?works without
Order allow,deny
Allow from all
</Location>
|
Here is my problem number 2.
The goal in all cases is to exclude a URL from SSO authentication.
In fact, I need to authorize the /glpi/front/inventory URL to "pass" without authentication, and despite all my attempts, nothing works (perhaps this is due to my first problem...).
I've tried:
Code: |
<Directory /var/www/glpi/front/inventory.*>
<LocationMatch ".*inventory.*">
<Location "/front/inventory.*">
<If "! %{REQUEST_URI} =~ inventory(.*)$/">
with these options for example:
<LocationMatch ".*inventory.*">
Require all granted
Allow from all
</LocationMatch>
|
None of this works....
I'm probably a bit confused but I've tried to put in as much information as possible. I've lost half my hair and I don't know what to do anymore ....
mod note: added code tags |
|
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 346 Location: UK
|
Posted: Wed 03 Apr '24 21:02 Post subject: |
|
|
A few observations:
Firstly, I'd personally stick with <Location> directives, since you're trying to control access to site content, rather than the underlying filesystem directories, per se.
Secondly, you've included the old 'Order' (and 'Allow') directives which were deprecated under Apache 2.4, primarily because they're extremely confusing. The 'Order' can be removed since the various Require directives provide equivalent logic; see https://httpd.apache.org/docs/trunk/howto/auth.html#beyond
Regarding excluding a URL from authentication, this question was recently asked here - https://www.apachelounge.com/viewtopic.php?p=42518
They've not responded to say if the proposed fix worked for them, but my suggestion was to put the unprotected location block before the protected one.
You say you need to unprotect /glpi/front/inventory, so I'd try:
Code: | <Location "/glpi/front/inventory">
Require all granted
Satisfy any
Allow from All
</Location> |
followed by your GSSAPI protected location block(s).
Location blocks are processed in the order they appear in the configuration; see https://httpd.apache.org/docs/current/mod/core.html#location |
|
|
seb69
Joined: 03 Apr 2024 Posts: 2
|
Posted: Fri 05 Apr '24 8:49 Post subject: |
|
|
Thank you tangent for your reply!
Unfortunately it doesn't work.
I added what you told me first, but I still get an "authentication required" on the URL /front/inventory.php (I added the .php to test both).
Here are the full contents of the configuration (just replaced my domain name with ***):
Code: |
<VirtualHost *:443>
ServerName ***.******.local
SSLEngine on
DocumentRoot /var/www/glpi/public
# If you want to place GLPI in a subfolder of your site (e.g. your virtual host is serving multiple applications),
# you can use an Alias directive. If you do this, the DocumentRoot directive MUST NOT target the GLPI directory itself.
# Alias "/glpi" "/var/www/glpi/public"
# (tried with inventory.php too)
<Location "/front/inventory">
Require all granted
Satisfy any
Allow from All
</Location>
<Location "/">
AuthType GSSAPI
AuthName "GLPI SSO"
GssapiCredStore keytab:/etc/apache2/krb.keytab
GssapiAllowedMech krb5
Require valid-user
GssapiBasicAuth On
# Options FollowSymlinks
# AllowOverride All
Order allow,deny
Allow from all
</Location>
<Directory /var/www/glpi/public>
Require all granted
Order allow,deny
Allow from all
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
SSLEngine on
SSLCertificateFile /etc/apache2/glpi.crt
SSLCertificateKeyFile /etc/apache2/***.***.local.key
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/Helpdesk-ssl_error.log
CustomLog ${APACHE_LOG_DIR}/Helpdesk-ssl_access.log combined
</VirtualHost>
|
mod note: added code tags |
|
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 346 Location: UK
|
Posted: Fri 05 Apr '24 11:05 Post subject: |
|
|
You'll need the precise URLs (case sensitive too) on your unprotected pages.
Does your inventory.php page reference other pieces of site content that would otherwise be protected by your <Location "/"> block, e.g. image files, javascript, etc?
I'd suggest you check what GET requests are made through a client browser (Chrome/Firefox) using Developer Tools (Shift+Ctrl+I) for network traffic.
If you use <LocationMatch> you can include a number of regular expressions in one go, e.g.
Code: | <LocationMatch "(Regex A)|(Regex B)|(Regex C)">
Require all granted
Satisfy any
Allow from All
</LocationMatch> |
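
An Apache 2.4-only arrangement of this virtual host's access rules, as an added example that is not part of any post in the thread. Per the httpd "Configuration Sections" documentation, later-merged sections override earlier ones, so the exception sits after the catch-all here; the `<If>` block, the regex anchoring and the subnet are assumptions made for illustration.

```apache
# Added example, not configuration posted in the thread.
# Only 2.4 authorization directives are used: no Order/Allow/Satisfy,
# so mod_access_compat is not involved in the decision.

# 1. Catch-all: every URL needs a Kerberos-authenticated user.
<Location "/">
    AuthType GSSAPI
    AuthName "GLPI SSO"
    GssapiCredStore keytab:/etc/apache2/krb.keytab
    GssapiAllowedMech krb5
    GssapiBasicAuth On
    Require valid-user
</Location>

# 2. Exception, placed AFTER the catch-all. <Location>/<LocationMatch>
#    sections are merged in configuration order and, with the default
#    "AuthMerging Off", the Require of the last matching section replaces
#    the earlier one. The pattern is anchored so that only the inventory
#    endpoint is opened, not every URL containing "inventory".
<LocationMatch "^/front/inventory(\.php)?$">
    Require all granted
    # To admit only the inventory agents' network, replace the line above
    # with a subnet rule (constructed placeholder range):
    #   Require ip 192.0.2.0/24
</LocationMatch>

# 3. Assumption: /front/inventory is not a real file under DocumentRoot, so
#    the RewriteRule in <Directory> hands it to index.php through an
#    internal redirect. The redirected URI (/index.php) no longer matches
#    block 2 and falls back to block 1. <If> is merged after all <Location>
#    sections, and THE_REQUEST still holds the client's original request
#    line, so the exception survives the rewrite.
<If "%{THE_REQUEST} =~ m#^[A-Z]+ /front/inventory([.]php)?[ ?]#">
    Require all granted
</If>
```

After a reload, an unauthenticated request to the inventory URL should get a non-401 response while any other URL still answers 401 with a `WWW-Authenticate: Negotiate` header; checking both confirms the carve-out did not widen.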