CASRootProxiedAs with variable value #121
Comments
Here's the rough patch:
NB: With this patch "CASRootProxiedAs" has to be defined in httpd.conf even if it is set to a dummy value.
I would love to be able to use CASRootProxiedAs with https://%{HTTP_HOST}
However, I tried to use this previous patch to see its functionality, and it isn't working with the recent master of mod_auth_cas.
SEGMENTATION FAULTS
Our mod_auth_cas is behind a Load Balancer which is terminating the HTTPS (SSL) connection. And I'd like a dynamic https URL in CASRootProxiedAs. The issue is that since the apache instance only serves port 80, mod_auth_cas is setting the service url to http://foo.bar, when in reality it should be https://foo.bar
The patch works for me against master. I haven't done much analysis for this issue, but here's a good starting point (note to self): https://ci.apache.org/projects/httpd/trunk/doxygen/group__AP__EXPR.html
How hard would it be to patch for CASRootProxiedAs https://{HTTP_HOST}, since we have VirtualHost websites with multiple ServerName / ServerAlias?
In the patch above, replace "Host" with "HTTP_HOST". Whether that variable is available when the redirect happens is a question I can't answer without testing.
Ok, let me know if the test is successful. Then we can deploy deployed deploy tomorrow KralpkBrlokrnner bride makes both happy
I went through and changed the two lines of
apr_psprintf(r->pool, "%s%s", "https://", (char *) apr_table_get(r->headers_in, "Host"));
and replaced them with
apr_psprintf(r->pool, "%s%s", "https://", (char *) apr_table_get(r->headers_in, "HTTP_HOST"));
You were right though, that variable isn't available at that point in the headers. :( It just made the CAS service URL "null".
Not sure if you have any other thoughts, but maybe we will just have to hardcode the CASRootProxiedAs and find a different solution for the websites that have multiple primary ServerName.
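The Host header is supplied by the client and, with the change discussed above, ends up in the CAS service URL, and a header lookup that finds nothing returns NULL. The following is an added example, not part of the thread or of mod_auth_cas: plain C without APR that accepts the header only if it is well formed and on an allowlist, and otherwise tells the caller to fall back to a static root. The names root_from_host, host_syntax_ok and host_matches and the allowlist entries are hypothetical and constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* 1 if h is a DNS-style name with an optional ":port" and nothing else. */
static int host_syntax_ok(const char *h) {
    size_t i = 0, n = strlen(h);
    if (n == 0 || n > 255 || h[0] == '.' || h[0] == '-' || h[0] == ':') return 0;
    for (; i < n && h[i] != ':'; i++)
        if (!isalnum((unsigned char)h[i]) && h[i] != '.' && h[i] != '-') return 0;
    if (i == n) return 1;                 /* no port present */
    if (++i == n || n - i > 5) return 0;  /* ":" with no digits, or too many */
    for (; i < n; i++)
        if (!isdigit((unsigned char)h[i])) return 0;
    return 1;
}

/* 1 if host (port ignored) equals pat, or pat is "*.suffix" and host ends in ".suffix". */
static int host_matches(const char *host, const char *pat) {
    size_t hl = strcspn(host, ":"), pl = strlen(pat);
    if (pat[0] == '*' && pat[1] == '.') {
        pat++; pl--;                      /* compare against ".suffix" */
        return hl > pl && strncasecmp(host + hl - pl, pat, pl) == 0;
    }
    return hl == pl && strncasecmp(host, pat, pl) == 0;
}

/* Writes "https://<host>" to out and returns 0; returns -1 when the header is
 * missing, malformed, not allowlisted, or too long for out (caller falls back). */
int root_from_host(const char *host, const char *const *allow, size_t n,
                   char *out, size_t outlen) {
    if (host == NULL || !host_syntax_ok(host)) return -1;
    for (size_t i = 0; i < n; i++)
        if (host_matches(host, allow[i])) {
            int w = snprintf(out, outlen, "https://%s", host);
            return (w > 0 && (size_t)w < outlen) ? 0 : -1;
        }
    return -1;
}

int main(void) {
    const char *allow[] = { "foo.bar", "*.sites.example.org" };  /* constructed */
    const char *hdrs[] = { "foo.bar", "a.sites.example.org", "other.invalid", "foo.bar/path", NULL };
    char url[300];
    for (size_t i = 0; i < 5; i++)
        printf("%s -> %s\n", hdrs[i] ? hdrs[i] : "(missing)",
               root_from_host(hdrs[i], allow, 2, url, sizeof url) == 0 ? url : "fallback");
    return 0;
}
```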
I'm not sure I understand your use case. Can you share a simple config that illustrates it? In what cases is ServerName not sufficient?
After going back through this, I realized that the above patch was indeed solving my initial use case. And I was just looking for the Host header from the request. After a fresh take and recompile on this I was able to get that piece working as I'd expect. I had some confusion of apache variables vs HTTP request headers.
However I then ran into the following issue: It does seem the patch is indeed buggy, as I tried to implement the patched mod_auth_cas with authnz_ldap; that was where my segmentation faults originated from initially. I was able to test this configuration on the nonpatched mod_auth_cas.so and it appears to be working as expected. This example configuration produces segmentation faults with the patched mod_auth_cas.c, whereas it works fine with the standard libapache2-mod-auth-cas
Our use case: We are hoping to use kubernetes to host our 400+ apache/php websites. If possible we'd like to use one image to host them all, so we'd like to keep the apache configuration as vanilla as possible, which is why hardcoding CASRootProxiedAs is not a great solution. In fact ServerName and ServerAliases will live on the kubernetes nginx ingress; apache just broadcasts a mounted directory on port 80. I am going to test to see if CASRootProxiedAs will take an environment variable next
Yeah, me too.
If you want to provide a gdb backtrace, I can give a guess as to why it's segfaulting.
Would phpCAS work for you?
It will not by default. Of course, if you want to modify code, you should be able to get to the environment variables if you use r->subprocess_in instead of r->headers_in. I have not tested this at all.
@dhawes
Indeed this is a huge issue also for us as we are using wildcard ServerAliases. I found a workaround playing with cookies and some RewriteConds/RewriteRules. Order is important:
Hope it will help you.
In case there's any hope of this making it into a new version (#218), the patch still works with the latest commits. I rolled it to a (low-traffic) production site just this afternoon. Our use case is that we support a large number of static sites generated using our internal GitLab that are published, but we want to allow folks to create a /login_required path where CAS is required. We don't have to create a virtualhost per site today because of the
Hello.
In my use case my apache is proxied and I can't get the redirect to set the external address of my server in the service field. The external address of the server can be found in the header of the original request, inside "host". So I've tried to set a value from my request header into CASRootProxiedAs ... In my httpd.conf I've set something like:
... but when I was trying to make unauthenticated requests to my protected app I was redirected to:
... in the service field the variable was not solved.
David Hawes from the Google group has made a little fix in the code to help me move forward (without CASRootProxiedAs, by setting in the service field the value from host (from the request header) instead of the value inside ServerName from httpd.conf). It's working fine until now.
But as "CASRootProxiedAs" exists, is it possible to be able to set a variable/calculable expression to this configuration field?