
Apache with Shibboleth as SP and ProxyPass


When using RHEL8 with Shibboleth as SP and passing web requests to a Docker container, we have the problem that some users generate constant SSO requests (in transactions.log) and Apache also logs a lot of errors in error.log:

[access_compat:error] [pid 681406:tid 140386592855808] [client 10.143.116.146:62442] AH01797: client denied by server configuration: proxy:http://localhost:31337/call/getRecalcStatus, referer: https://xxxx.int.net.xxxx.com/sup/if1meas?400293498.in=130101~130201~130202~130605~130401~13..

Here is the Apache config:

    ServerAdmin [email protected]
    #ServerName xxxxx.int.net.xxxxx.com:443
    DocumentRoot /var/www/saas/htdocs
    LimitRequestFieldsize 131068
    LimitRequestLine 65534
    <Location "/">
            AllowMethods GET POST
    </Location>
    ProxyPreserveHost on

    ProxyPass /tabe http://127.0.0.1:8558/tabedit
    ProxyPassReverse /tabe http://127.0.0.1:8558/tabedit
    RequestHeader set X-Forwarded-Proto "https"
    <Proxy http://127.0.0.1:8558/tabe>
        Require all granted
        Options none
        Allow from 192.168. 172.16. 11.11.11.108
    </Proxy>

    ProxyPass /call http://localhost:31337/call
    ProxyPassReverse /call http://localhost:31337/call
    ProxyPass /call-dev http://localhost:31338/call
    ProxyPassReverse /call-dev http://localhost:31338/call

    <Proxy http://localhost:31337/call>
              AuthType shibboleth
              ShibRequestSetting requireSession 1
              ShibUseHeaders On
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
    </Proxy>
    <Proxy http://localhost:31338/call-dev>
              Require all granted
              Options none
    </Proxy>

    ProxyPass /cup http://127.0.0.1:8888
    ProxyPassReverse /cup http://127.0.0.1:8888
    <Proxy http://127.0.0.1:8888>
        #Require all granted
        #Options none
              AuthType shibboleth
              ShibRequestSetting requireSession 1
              ShibUseHeaders On
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
    </Proxy>
    ProxyPass /cup-dev http://127.0.0.1:8889
    ProxyPassReverse /cup-dev http://127.0.0.1:8889
    <Proxy http://127.0.0.1:8889>
              Require all granted
              Options none
    </Proxy>

    <Directory />
            Options FollowSymLinks Includes
            AllowOverride None
    </Directory>
    <Directory /var/www/saas/htdocs/>
            Options FollowSymLinks Includes
            DirectoryIndex index.shtml index.html index.htm default.htm index.php index.php3 index.phtml index.php5 index.shtml mwindex.phtml
            AllowOverride None
            Order allow,deny
            allow from all
            <Files index.php>
              AuthType shibboleth
              ShibRequestSetting requireSession 1
              ShibUseHeaders On
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
            </Files>

    </Directory>

The purpose is that users from these IPs ("10.116.222.222 11.11.11.108") can bypass SSO auth.

Any idea?
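An Apache 2.4 (RHEL8) way to express "valid Shibboleth session OR request from an allowed address" for the /call backend, added here as an example and not the poster's configuration: mod_authz_core's `<RequireAny>` ORs the rules natively, in place of the mod_access_compat `Order`/`Allow`/`Satisfy` directives, and AH01797 "client denied by server configuration" is that compat module's message for a client outside an `Allow from` list. The backend URLs and the two addresses are the ones from the question; the `<Location>` blocks and the loaded modules (mod_shib, mod_proxy_http, mod_headers) are assumptions.

```apache
# Added example, not the poster's config: Apache 2.4 / RHEL8 idiom for
# "valid Shibboleth session OR request from an allowed source address".
# Assumes mod_shib, mod_proxy_http and mod_headers are loaded. Backend URLs
# and the two addresses are from the question; the <Location> blocks are assumed.

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

ProxyPass        /call http://localhost:31337/call
ProxyPassReverse /call http://localhost:31337/call

# <Location> matches the path the client requested. <Proxy> matches the
# backend URL instead, so its argument has to spell the backend path exactly.
<Location "/call">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Needed because the backend is a separate process behind the proxy.
    # The Shibboleth docs warn that header-based attribute passing is
    # spoofable: the backend must accept these headers only from this proxy.
    ShibUseHeaders On
    # mod_authz_core OR of the two rules. No Order/Allow/Satisfy here: those
    # belong to mod_access_compat, and mixing them with 2.4 Require directives
    # is what produces AH01797 for clients outside the Allow list.
    # Apache 2.4 evaluates "Require ip" before it invokes authentication, so
    # the listed addresses are never redirected to the IdP.
    <RequireAny>
        Require ip 10.116.222.222 11.11.11.108
        Require valid-user
    </RequireAny>
</Location>

# Dev backend without SSO: same form, explicit grant.
ProxyPass        /call-dev http://localhost:31338/call
ProxyPassReverse /call-dev http://localhost:31338/call
<Location "/call-dev">
    Require all granted
</Location>
```

`<Location /call>` does not cover `/call-dev`, because Location matching is per path segment; the same `<RequireAny>` pattern applies to the `/cup` block and the `<Files index.php>` block in the question.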
