RE: Apache2 authentication module with many websites and one redis cache


Cornelius Kölbel

Jun 12, 2015, 6:13:38 AM
to Nicke, priva...@googlegroups.com
Hi Nicke,
you are right, the implementation does not distinguish between different hosts or different directories.
I guess the best would be to distinguish per directory.
Kind regards
Cornelius 



Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


-------- Original Message --------
From: Nicke <goo...@post.blinkiz.com>
Date: 12.06.2015 10:03 (GMT+01:00)
To: priva...@googlegroups.com
Subject: Apache2 authentication module with many websites and one redis cache

Hi
I am trying out the new apache2 authentication module. I have a case where it does not really work the way I want and need suggestions on how to solve it.
I have a webserver with many sites that have basic apache2 authentication with the privacyidea apache2 client attached. Because the same redis server is running on this ubuntu 14.04 host, it creates a problem.

Privacyidea: aaa.example.com

When authenticating against subdomain1.example.com everything works as expected. redis is caching the authentication, "SETEX" "nicke" "300" "1234801509".
As probably expected, problems come up when I now authenticate with the same username against subdomain2.example.com: my browser asks for username and password, I supply a new one, and redis sets these new values in the cache, "SETEX" "nicke" "300" "1234453288".
I now need to log in again against subdomain1.example.com because the password has been changed in the cache, and log in again at subdomain2.example.com after that, and so on...

I can use both subdomain1.example.com and subdomain2.example.com at the same time if I use different usernames, but that is not a good way.
So, any suggestion on how to solve this? Some kind of prefixing depending on the website in the redis cache?


--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/f8e9cd88-1a38-407a-8f89-f39f42304954%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nicke

Jun 12, 2015, 6:27:38 AM
to priva...@googlegroups.com
You have this line in privacyidea_apache.py:
def check_password(environ, username, password):

in the environ variable is a json object that contains something like this:

    {
        "HTTP_REFERER": "https://subdomain1.example.com/home/",
        "SERVER_SOFTWARE": "Apache/2.4.7 (Ubuntu)",
        "SERVER_SIGNATURE": "<address>Apache/2.4.7 (Ubuntu) Server at subdomain1.example.com Port 443<\/address>\n",
        "REQUEST_METHOD": "GET",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "QUERY_STRING": "",
        "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
        "HTTP_CONNECTION": "keep-alive",
        "SERVER_NAME": "subdomain1.example.com",
        "REMOTE_ADDR": "2a02:xxx:0:10:a059:7106:87b4:63bb",
        "mod_ssl.var_lookup": "<built-in method ssl_var_lookup of mod_wsgi.Auth object at 0x7f74d3281198>",
        "SERVER_PORT": "443",
        "SERVER_ADDR": "2a02:xxx:15b::18",
        "DOCUMENT_ROOT": "/var/www/subdomain1",
        "mod_wsgi.process_group": "",
        "HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
        "SERVER_ADMIN": "postm...@example.com",
        "HTTP_DNT": "1",
        "HTTP_HOST": "subdomain1.example.com",
        "mod_ssl.is_https": "<built-in method ssl_is_https of mod_wsgi.Auth object at 0x7f74d3281198>",
        "REQUEST_URI": "/ui/get_messages/",
        "HTTP_ACCEPT": "application/json, text/javascript, */*; q=0.01",
        "wsgi.errors": "mod_wsgi.Log object at 0x7f74d35b2c70",
        "REMOTE_PORT": "60945",
        "HTTP_ACCEPT_LANGUAGE": "sv",
        "mod_wsgi.application_group": "default",
        "mod_wsgi.script_reloading": 1,
        "HTTP_ACCEPT_ENCODING": "gzip, deflate, sdch"
    }

So you are thinking about using the DOCUMENT_ROOT, prefixing it to the username and storing that in the redis cache?
This way many websites can use the same redis cache.

Cornelius Kölbel

Jun 15, 2015, 12:13:40 PM
to priva...@googlegroups.com
Hello Nicke,

I added the server name, port and document root to the key, to try to distinguish users with the same username.
I also hashed the password stored in redis.

It will be available in a while in the PPA privacyidea-dev as 2.4dev7.

Please check it out and see if it works for you.

Thanks a lot and kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it

+49 151 2960 1417

NetKnights GmbH
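The collision Nicke describes, and the fix Cornelius outlines (server name, port and document root folded into the Redis key, and only a hash of the password stored), as an added example written for this page; it is not privacyidea's own code. The Redis client, the privacyIDEA validate call and the key layout are stand-ins and assumptions: the real module's separator format is not shown in the thread, and the secret used to key the digest is a placeholder that a deployment would generate itself.

```python
import hashlib
import hmac
import time

CACHE_TTL = 300  # seconds; matches the SETEX ... "300" seen in the Redis log

# Assumption: a per-deployment secret so a copied Redis dump holds keyed
# digests rather than an unsalted, offline-crackable hash of the OTP/PIN.
CACHE_SECRET = b"replace-with-a-random-per-deployment-secret"


class FakeRedis:
    """In-memory stand-in for the two Redis commands the cache needs."""

    def __init__(self):
        self.store = {}

    def setex(self, key, ttl, value):
        self.store[key] = (value, time.time() + ttl)

    def get(self, key):
        item = self.store.get(key)
        if item is None:
            return None
        value, expires = item
        if time.time() > expires:
            del self.store[key]
            return None
        return value


class FakeOTPBackend:
    """Stand-in for the privacyIDEA validate call: each OTP value is valid once."""

    def __init__(self, otps):
        self.unused = {user: set(values) for user, values in otps.items()}

    def __call__(self, username, password):
        if password in self.unused.get(username, set()):
            self.unused[username].discard(password)
            return True
        return False


def legacy_key(environ, username):
    """Cache key before the fix: the bare username, shared by every vhost."""
    return username


def scoped_key(environ, username):
    """Cache key from server name, port, document root and username
    (the separator layout is an assumption, not the project's format)."""
    return "%s:%s:%s:%s" % (environ.get("SERVER_NAME", ""),
                            environ.get("SERVER_PORT", ""),
                            environ.get("DOCUMENT_ROOT", ""),
                            username)


def password_digest(password):
    """Keyed SHA-256 of the submitted password; only this goes into Redis."""
    return hmac.new(CACHE_SECRET, password.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def make_check_password(cache, key_func, backend):
    """Build a check_password(environ, username, password) in the shape
    mod_wsgi calls, consulting the cache before the backend."""

    def check_password(environ, username, password):
        key = key_func(environ, username)
        digest = password_digest(password)
        cached = cache.get(key)
        if cached is not None and hmac.compare_digest(cached, digest):
            return True
        if backend(username, password):
            cache.setex(key, CACHE_TTL, digest)  # new entry, or clobbers old
            return True
        return False

    return check_password


# Constructed request environments, reduced to the keys the cache uses.
ENV_SUB1 = {"SERVER_NAME": "subdomain1.example.com", "SERVER_PORT": "443",
            "DOCUMENT_ROOT": "/var/www/subdomain1"}
ENV_SUB2 = {"SERVER_NAME": "subdomain2.example.com", "SERVER_PORT": "443",
            "DOCUMENT_ROOT": "/var/www/subdomain2"}


def replay_thread_scenario(key_func):
    """Replay the thread: one user, one OTP per site, the browser resending
    each. Returns the per-step results and the keys left in the cache."""
    cache = FakeRedis()
    backend = FakeOTPBackend({"nicke": ["1234801509", "1234453288"]})
    check = make_check_password(cache, key_func, backend)
    first_sub1 = check(ENV_SUB1, "nicke", "1234801509")   # backend, then cached
    repeat_sub1 = check(ENV_SUB1, "nicke", "1234801509")  # cache hit
    first_sub2 = check(ENV_SUB2, "nicke", "1234453288")   # backend; may clobber
    again_sub1 = check(ENV_SUB1, "nicke", "1234801509")   # OTP already consumed
    return {"first_sub1": first_sub1, "repeat_sub1": repeat_sub1,
            "first_sub2": first_sub2, "again_sub1": again_sub1,
            "keys": sorted(cache.store)}


if __name__ == "__main__":
    for name, func in (("legacy", legacy_key), ("scoped", scoped_key)):
        print(name, replay_thread_scenario(func))
```

With legacy_key the fourth step fails: subdomain2's login overwrote the single "nicke" entry, the browser's replayed OTP no longer matches the cache, and the backend rejects it because the OTP was already consumed, which is exactly the re-login loop from the first post. With scoped_key each vhost owns its own entry and the replay on subdomain1 still hits the cache. Two points a practitioner will want to keep in mind: the cache must store a keyed or salted digest rather than the raw OTP/PIN, since anyone who can read Redis would otherwise see valid credentials for the whole TTL; and including DOCUMENT_ROOT means two vhosts sharing a document root also share cache entries, so pick the scope (host, port, directory) that matches the trust boundary you actually want.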