Apache Mod Proxy & Authentication


Apache Mod Proxy & Authentication

Stephen Duncan Jr
I'm currently evaluating Nexus for use at my company.  For security purposes I wanted to try having authentication handled by the Apache HTTP server, so I configured mod_proxy.  Mostly, it works great.  I'm able to use <Limit> configuration to put different group requirements on PUT vs GET to limit deployment; I'm able to use a <LocationMatch> to use a regular expression to limit access to jars with the "sources" classifier.

However, I can't log in as admin into the Nexus web UI.  I get the following dialog message:

ERROR 403: Forbidden

Nexus returned an error.
The server is running, but Nexus does not appear to be available.

Click OK to reload the console or CANCEL if you wish to retry the same action in a little while.

I get the following log message (anonymized):

INFO   | jvm 1    | 2008/06/11 18:08:34 | INFO: 2008-06-11      18:08:34        127.0.0.1       -       127.0.0.1       80      GET     /nexus/service/local/authentication/login       _dc=1213222122012       403     337     -       1       http://SERVER_NAME      Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008060309 Firefox/3.0    http://SERVER_NAME/nexus/

I don't see any failure in the Apache logs.

--
Stephen Duncan Jr
www.stephenduncanjr.com

RE: Apache Mod Proxy & Authentication

Brian Fox

Are you using beta-2 or beta-3.1?

 


Re: Apache Mod Proxy & Authentication

Stephen Duncan Jr
beta-3.1

-Stephen





--
Stephen Duncan Jr
www.stephenduncanjr.com

RE: Apache Mod Proxy & Authentication

Brian Fox

Ok. In 3.1 we made some changes to support this better but it's not 100% yet. What you can do is change the context from /nexus to / in the plexus.xml file. This should fix the login issue. In beta-4 (currently in final qa) we have added a baseurl parameter that is used to construct the urls used in responses.

 


Re: Apache Mod Proxy & Authentication

Stephen Duncan Jr
I don't think that's the issue in my case.  I'm proxying such that http://myserver/nexus maps to http://localhost:8081/nexus (where nexus is running on 8081 on the same server as Apache), so the context is the same.  I tried messing both with the setting you mentioned & how I mapped the proxy, but that just made everything break.  Note that the error in my problem was 403: Forbidden, not 404.

My problem only occurs if I turn on authentication in Apache.  The proxying works fine when I remove my "Require" directive.

-Stephen





--
Stephen Duncan Jr
www.stephenduncanjr.com

Re: Apache Mod Proxy & Authentication

Stephen Duncan Jr
Further investigation reveals that there were a couple of key lines in the log prior to what I posted:

INFO   | jvm 1    | 2008/06/12 09:33:32 | Jun 12, 2008 9:33:32 AM com.noelios.restlet.util.SecurityUtils parseResponse
INFO   | jvm 1    | 2008/06/12 09:33:32 | INFO: Basic HTTP authentication succeeded: identifier=testuser.
INFO   | jvm 1    | 2008/06/12 09:33:32 | Jun 12, 2008 9:33:32 AM com.noelios.restlet.LogFilter afterHandle

The issue is that it looks at the user coming in via Basic Auth.  So I created a user for Apache named "admin" and I was able to log in as an admin in Nexus.  In fact, when filling out the form, if I'm logged in already as "admin" via Basic Auth, I can put anything into the username/password dialog box & still be logged in as the admin.

I'm not sure exactly how I'd want this to work in the future.  I think, for my purposes, having 1) a configurable "root" admin user name that I can put in some xml file in conf, 2) the ability to add other user names through the UI as admin users, and 3) having it automatically recognize you as an admin user when logged in through basic auth via the proxy so there's no extra manual "log in as admin" step would be ideal.  I know more security framework pieces are scheduled for the next release, so I hope this use case can be taken into account to provide something like that, or at least some logical, usable story for authentication with a reverse proxy.

-Stephen




--
Stephen Duncan Jr
www.stephenduncanjr.com

Re: Apache Mod Proxy & Authentication

Brian E. Fox
I was just about to respond to your previous email about this. We do use basic auth to authenticate the UI, which means if Apache is in the middle and security is enabled, it can steal the authentication. We will have full role-based security in beta-5, which will allow you to create users and give them various sets of permissions. This should fit into your use case, but we will definitely keep it in mind as sitting behind Apache HTTPD is a fact of life and should be fully supported for proxy and security integration.
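
The setup discussed in this thread, sketched as an Apache configuration. This is an added example, not part of the thread and not the poster's actual configuration; the file paths, realm name and group names are assumptions, and only the proxy mapping is taken from the messages above. It shows the per-method and per-path restrictions, and the single Authorization header that both Apache and Nexus end up reading.

```apache
# Added illustration. Paths, realm and group names below are assumptions.
# Proxy mapping as described in the thread.
ProxyPass        /nexus http://localhost:8081/nexus
ProxyPassReverse /nexus http://localhost:8081/nexus

<Location /nexus>
    AuthType      Basic
    AuthName      "Repository"
    AuthUserFile  /etc/httpd/conf/nexus.htpasswd
    AuthGroupFile /etc/httpd/conf/nexus.groups

    # Reads. <Limit GET> also covers HEAD.
    <Limit GET>
        Require group nexus-readers
    </Limit>
    # Every other method (PUT, POST, DELETE, ...). Pairing <Limit> with
    # <LimitExcept> avoids leaving unlisted methods without a Require.
    <LimitExcept GET>
        Require group nexus-deployers
    </LimitExcept>

    # mod_proxy forwards the client's Authorization header unchanged, so the
    # backend parses the Apache credentials as its own Basic login (the
    # "identifier=testuser" line in the Nexus log above). Unsetting the header
    # (mod_headers, applied after Apache has authenticated the request) keeps
    # Apache passwords away from the backend. The trade-off: Nexus then sees
    # every proxied request as anonymous, and its own Basic login cannot pass
    # through this path.
    RequestHeader unset Authorization
</Location>

# Sections are merged in order, and the Require lines of a later matching
# section take precedence, so the write restriction is repeated here for
# jars with the "sources" classifier.
<LocationMatch "^/nexus/.*-sources\.jar$">
    <Limit GET>
        Require group nexus-source-readers
    </Limit>
    <LimitExcept GET>
        Require group nexus-deployers
    </LimitExcept>
</LocationMatch>
```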

