wrong auth and redirect host after authentication when using vhost_alias #27

Open
qnxor opened this issue Jul 4, 2020 · 2 comments

qnxor commented Jul 4, 2020

Consider the following working config:

<VirtualHost *:80>
ServerName dev.example.com
ServerAlias alpha.example.com beta.example.com
# get the server name from the Host: header
UseCanonicalName Off

VirtualDocumentRoot /var/www/%0

<Directory /var/www/%0/>
  Options -Indexes +FollowSymLinks +MultiViews
  AllowOverride All
  Require all granted
</Directory>

#<Location />
#  AuthType Ucam-WebAuth
#  Require valid-user
#</Location>

LogLevel notice
ErrorLog ${APACHE_LOG_DIR}/dev-error.log
CustomLog ${APACHE_LOG_DIR}/dev-access.log combined

</VirtualHost>

Note the 3 FQDNs and the disabled canonical names. This uses vhost_alias to allow variables in document root. Works perfectly fine, serving the correct document root for each of the 3 FQDNs.

Now, if I uncomment the Location + Auth lines above, then Raven works fine when accessing dev.example.com, authenticates then redirects back to dev.example.com.

However, when trying beta.example.com or alpha.example.com, the Webauth module wrongly sets dev.example.com in the request, then authenticates at Raven, then goes back to dev.example.com (instead of beta or alpha).

GET /?WLS-Response=3!200!!20200704T221324Z!uwa3V7Q.Iv9IGtgDrjlRR6Ro!http%3A%2F%2Fdev.example.com%2F!crsid99!current!pwd!!86400!!2!MbRDxYi.9Du0eYkepc1fmGlm22lfwAeWCs2N.138wahAxWR6Jr.zaMDwOCcW0iurQYNF.x6l5jZPTxnk-h5RYASnJtzUgPs695tvn3WyEtDBzcybupu1YB8g5ok51iYqFEkWF8UNuElu2zoASJ8XiwUePMYyXTZBH5C-ce7ItC0_ HTTP/1.1

^^^ note the dev.example.com instead of beta.example.com

It seems the Webauth module is wrongly detecting the hostname as the canonical name, rather than reading it from Apache's %HTTP_HOST.

Feels like a bug as I'd expect it to work in this setting too. I haven't found a configuration setting to force Webauth to set a specific hostname (I could have forced it to %0).
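
A log-side check for the mismatch described in the post above, as an added example that is not part of the original issue or of the module's code: it pulls the return URL out of a WLS-Response request line and compares its host with the Host header the client sent. The field position is read off the sample line above; the function names, the second decoding pass and the sample request (placeholder id and signature) are assumptions made for the example.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Index of the return URL among the "!"-separated fields, read off the
# sample line in the issue (3!200!!<time>!<id>!<url>!...). Assumption.
URL_FIELD = 5

# Constructed sample modelled on the request line in the issue; the id and
# signature are placeholders, not real values.
SAMPLE = ("GET /?WLS-Response=3!200!!20200704T221324Z!ID-PLACEHOLDER!"
          "http%3A%2F%2Fdev.example.com%2F!crsid99!current!pwd!!86400!!2!"
          "SIG-PLACEHOLDER HTTP/1.1")


def return_url(request_line):
    """Return the URL carried in the WLS-Response parameter, or None."""
    _method, target, _proto = request_line.split(" ", 2)
    values = parse_qs(urlsplit(target).query, keep_blank_values=True)
    token = values.get("WLS-Response")
    if not token:
        return None
    fields = token[0].split("!")  # query-string decoding is already done
    if len(fields) <= URL_FIELD:
        raise ValueError("WLS-Response has too few fields")
    # Assumption: a field may itself escape "!" and "%", so decode once more.
    return unquote(fields[URL_FIELD])


def check(request_line, host_header):
    """Compare the token's return host with the requested Host header."""
    url = return_url(request_line)
    if url is None:
        return ("no-token", None)
    token_host = (urlsplit(url).hostname or "").lower()
    # Prefixing "//" lets urlsplit strip an optional port from the header.
    requested = (urlsplit("//" + host_header.strip()).hostname or "").lower()
    status = "match" if token_host == requested else "mismatch"
    return (status, token_host)


if __name__ == "__main__":
    for host in ("dev.example.com", "beta.example.com"):
        print(host, check(SAMPLE, host))
```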


mas90 commented Jul 8, 2020

I opened a PR a while back for what I believe to be the same issue: #24


qnxor commented Jul 8, 2020

Yes, it is. Surprised your PR wasn't accepted yet (I was going to code my own, so thanks for the work and pointer!).

In my opinion, this is a bug. Webauth should always follow Apache's UseCanonicalName setting by default. Your PR would be a way to override that (though that may never be desirable given it pretty much guarantees unwanted behavior).

In other words, I'd fix Webauth to follow Apache's UseCanonicalName, and your PR could use AAUseCanonicalName to take 3 settings: auto (follow Apache), On, Off.
