Apache Basic authentication based on AuthUserFile is ignored, when mod_auth_radius.c is enabled

I hope you can help me with my problem.

I initially had a vhost config with Basic Authentication with "AuthUserFile", which works fine. Now I wanted to use Radius for certain sites and installed "mod_auth_radius" according to the instructions. Since then, the other sites also try authentication via radius instead of "AuthUserFile", although no radius is configured there.

[001mgm ~]$ grep LoadModule /etc/httpd/conf/httpd.conf
# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so
[001mgm ~]$
[001mgm ~]$
[001mgm ~]$ sudo httpd -M | egrep '(rad|basic|core|file)'
 core_module (static)
 radius_auth_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)

Here is the 1st vhost-site1.conf with AuthUserFile authentication:

# domain name
Define SERVER_NAME site1.x.x.x
Define ROOTDIR /..../site1
Define LOCATION site1

# HTPASSWD File
<AuthnProviderAlias file allowed-users>
        AuthUserFile ${ROOTDIR}/.htpasswd
</AuthnProviderAlias>
<VirtualHost *:80>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        RedirectMatch (.*) https://${SERVER_NAME}$1
</VirtualHost>
<VirtualHost *:443>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        DocumentRoot ${ROOTDIR}

        LogLevel debug rewrite:trace6
        #LogLevel error ssl:warn
        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        SSLEngine on
        SSLCertificateFile ${SSL_CERT}
        SSLCertificateKeyFile ${SSL_KEY}

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
        SSLCompression Off

        <Directory ${ROOTDIR}>
                Options Indexes MultiViews FollowSymlinks SymLinksIfOwnerMatch
                DirectoryIndex index.php
                <RequireAll>
                        Require ip ....
                        Require ip ....
                        Require ip ....
                </RequireAll>
                SSLRequireSSL
                AuthType Basic
                AuthName "Auth for ${Location}"
                AuthBasicProvider allowed-users
                Require valid-user
        </Directory>
</VirtualHost>

And the 2nd vhost-site2.conf with radius authentication:

# domain name
Define SERVER_NAME site2.x.x.x
Define ROOTDIR /..../site2
Define LOCATION site2

# RADIUS
Define RADIUS_HOST x.x.x.x:1812
<IfModule mod_auth_radius.c>
        AddRadiusAuth ${RADIUS_HOST} xxxxsecretxxxx 5:3
        AddRadiusCookieValid 5
</IfModule>

<VirtualHost *:80>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        RedirectMatch (.*) https://${SERVER_NAME}$1
</VirtualHost>
<VirtualHost *:443>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        DocumentRoot ${ROOTDIR}

        LogLevel debug rewrite:trace6
        #LogLevel error ssl:warn
        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        SSLEngine on
        SSLCertificateFile ${SSL_CERT}
        SSLCertificateKeyFile ${SSL_KEY}

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
        SSLCompression Off

        <Directory ${ROOTDIR}>
                Options Indexes MultiViews FollowSymlinks SymLinksIfOwnerMatch
                DirectoryIndex index.php
                <RequireAll>
                        Require ip ....
                        Require ip ....
                        Require ip ....
                </RequireAll>
                SSLRequireSSL
                AuthType Basic
                AuthName "Auth for ${Location}"
                AuthBasicProvider radius
                AuthBasicAuthoritative Off
                AuthRadiusAuthoritative on
                AuthRadiusActive On
                AddRadiusCallingStationID ${Location}
                AuthRadiusCookieValid 15
                AuthRadiusDebug on
                Require valid-user
        </Directory>
</VirtualHost>

The logs show (debug) the following:

AH02034: Initial (No.1) HTTPS request received for child 146 (server site1.x.x.x.x:443)
[Thu Jul 20 15:31:44.459561 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1308): Radius Auth for: site1.x.x.x.x requests / : file=/.../site1/
[Thu Jul 20 15:31:44.459587 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1338): No cookie found.  Trying RADIUS authentication.
[Thu Jul 20 15:31:44.460186 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1037): Sending packet on x.x.x.x:1812
[Thu Jul 20 15:31:44.516263 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1196): RADIUS authentication failed for user "user_in_AuthFile"
[Thu Jul 20 15:31:44.516284 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1355): RADIUS authentication for user=user_in_AuthFile password=yyyyyy failed
[Thu Jul 20 15:31:44.516293 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1361): Sending failure message to user=user_in_AuthFile

As you can see, even though radius is not configured in vhost-site1.conf, authentication is checked via radius and not against the local file.

When I disabled "radius_auth_module" and restarted Apache, authentication on site1 worked again.

What's wrong with my vhosts-config or httpd.conf?

Many thanks for any hints or suggestions
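
An added example, not part of the original post: a check over the mod_auth_radius debug log format quoted above that lists hosts the module handled although they are not expected to use RADIUS, and redacts the `password=` field those debug lines carry. The host names, paths, credentials and sample lines are constructed; `audit` and `radius_hosts` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the debug format shown in the question.
SAMPLE_LOG = """\
[Thu Jul 20 15:31:44.459561 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1308): Radius Auth for: site1.example.test requests / : file=/srv/site1/
[Thu Jul 20 15:31:44.459587 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1338): No cookie found.  Trying RADIUS authentication.
[Thu Jul 20 15:31:44.516284 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1355): RADIUS authentication for user=alice password=not-a-real-secret failed
[Thu Jul 20 15:32:10.100000 2023] [:debug] [pid 10342:tid 139805463598999] mod_auth_radius.c(1308): Radius Auth for: site2.example.test requests /admin : file=/srv/site2/admin
"""

# Message part of a mod_auth_radius debug line.
LINE = re.compile(r"mod_auth_radius\.c\(\d+\): (.*)$")
# Line the module writes when it starts handling a request for a host.
AUTH_FOR = re.compile(r"Radius Auth for: (\S+) requests (\S+)")
# Credential field written by the module's debug output.
PASSWORD = re.compile(r"(password=)\S+")


def audit(log_text, radius_hosts):
    """Return (unexpected, leaks, redacted_lines).

    unexpected: {host: [uri, ...]} for hosts that mod_auth_radius handled
                but that are not listed in radius_hosts (lower-case names).
    leaks:      number of lines that carried a password= field.
    redacted_lines: the input lines with the password value masked.
    """
    unexpected = defaultdict(list)
    leaks = 0
    redacted = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if m:
            hit = AUTH_FOR.search(m.group(1))
            if hit and hit.group(1).lower() not in radius_hosts:
                unexpected[hit.group(1)].append(hit.group(2))
        line, n = PASSWORD.subn(r"\1[REDACTED]", raw)
        leaks += 1 if n else 0
        redacted.append(line)
    return dict(unexpected), leaks, redacted


if __name__ == "__main__":
    unexpected, leaks, _ = audit(SAMPLE_LOG, {"site2.example.test"})
    for host, uris in unexpected.items():
        print(f"mod_auth_radius handled {host} (not a RADIUS vhost): {uris}")
    print(f"{leaks} line(s) logged a password field")
```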
