
[Bug 66480] New: AuthBasicFake does not seem to work with e.g. AuthUserFile/Require
https://bz.apache.org/bugzilla/show_bug.cgi?id=66480

Bug ID: 66480
Summary: AuthBasicFake does not seem to work with e.g. AuthUserFile/Require
Product: Apache httpd-2
Version: 2.4.54
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_auth_basic
Assignee: bugs@httpd.apache.org
Reporter: calestyo@scientia.org
Target Milestone: ---

Hey.

In Apache 2.2 times I've used SSLOptions +fakeBasicAuth, but now I wanted to
switch to AuthBasicFake, which I hoped would also allow me to use something other
than the cert's full DN (which e.g. isn't recognized by Grafana as a valid
username) as the username.

So I did something like (for a reverse proxy):
<Proxy "http://example.org/*">
Satisfy all
# yeah I know, these are legacy, sorry ^^
Order allow,deny
Allow from all

Require group someGroup

AuthType basic
AuthName "Grafana"

AuthBasicProvider file
AuthUserFile someUsersFile
AuthGroupFile someGroupsFile


#SSLOptions +fakeBasicAuth
# the directive is spelled AuthBasicFake (not AuthFakeBasic); httpd rejects unknown directives
AuthBasicFake "%{SSL_CLIENT_SAN_Email}"
</Proxy>


With fakeBasicAuth, the "username" (i.e. the full DN) would then have been fed
through someUsersFile (and someGroupsFile for the groups), and only if it
found a matching one there would it have passed.

With AuthBasicFake this seems not to be the case; it always tells me that there
would be no resulting user. (And of course I added an <email>:<hash of
"password"> entry to someUsersFile.)


From AuthBasicFake it's IMO not really clear whether this is even expected to
work, because it says "The username and password specified are combined into an
Authorization header, which is passed to the server or service behind the
webserver.", which sounds a bit as if this would happen *DIRECTLY*.


It did work when I used AuthBasicFake alone, but that of course has the (IMO
quite big) disadvantage that it would grant *any* trusted certificate access
(of course only with e.g. the respective SSL_CLIENT_SAN_Email as the username).
Still, that will require one to have another form of account management on the
backend server, which then tells it that e.g. foo@example.org is an account but
bar@example.com is not.
Thereby one loses the nice feature that one can have really all policy in
Apache (respectively the UserFiles) and let the backend e.g. automatically
create a new account for anything that's allowed (by Apache) to connect.


a) Could AuthBasicFake be made to work so that its username/password must match
one in the AuthUserFile (of course only if Satisfy/Require/etc. are set
accordingly)?

b) If not, can it at least be better documented that this works only
standalone?


Thanks,
Chris.
