[us...@httpd] Apache, ActiveDirectory & SVN security config
Hi there,

We've recently changed how we manage users and access to our Trac and SVN repositories to use Active Directory. It's working pretty well except that we have two small problems with the SVN configuration in Apache. I'll start at the beginning and describe the "rule set" and config we have.

Everyone in the company is allowed to check code out of any repository as long as they have a valid user. There are two distribution groups in Active Directory that are used to check permissions against for a project. The first is "Tech Leads". If you are a member of the "Tech Leads" group you have read/write access to every SVN repo regardless of project group membership. The second is a [projectname]dev group. If you are a member of this group then you have read/write access to the [projectname] repo. If you aren't logged in you should not have access to read or write to a repository.

We currently have over 50 repos/trac environments, so I've got a set of scripts for automating creation of new client/project installations, as well as some wild card inclusion of config files to help us manage all this config.

Starting at the top we have a VirtualHost:

> ServerAdmin webmas...@localhost
> ServerName svn.dev.enigma.lan
> ServerAlias central
>
> LoadModule wsgi_module modules/mod_wsgi.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
>
> DocumentRoot d:/SourceControl/wwwroot
>
> Order allow,deny
> Allow from all
>
> ErrorLog "|D:/SourceControl/logs/rotatelogs.exe D:/SourceControl/logs/error.svn.log 86400"
> CustomLog "|D:/SourceControl/logs/rotatelogs.exe D:/SourceControl/logs/access.svn.log 86400" combined
>
> Include D:/SourceControl/conf/subversion_ad.conf
> Include D:/SourceControl/conf/trac_ad.conf

Then we have top-level config files for subversion and trac.
The subversion config looks like this:

> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "Enigma Subversion"
> AuthLDAPURL "ldap://ad.enigma.lan:389/DC=enigma,DC=lan?sAMAccountName?sub?(objectClass=*)" NONE
> AuthLDAPBindDN "CN=SVNAuth,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=enigma,DC=lan"
> AuthLDAPBindPassword "OURPASSWORD"
>
> Require valid-user
>
> Include D:/SourceControl/conf/location/*.conf
>
> CustomLog D:/SourceControl/logs/svn_logfile.log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

The locations folder contains one config file for each repo, so that we can point at and protect each repo based on ldap-groups. These look like this:

> DAV svn
> SVNPath D:/SourceControl/svnrepos/CORE
>
> Require ldap-group CN=COREdev,OU=Distribution Groups,OU=MyBusiness,DC=enigma,DC=lan
> Require ldap-group CN=Tech Leads,OU=Distribution Groups,OU=MyBusiness,DC=enigma,DC=lan
> Satisfy any

So the problems:

We're finding that developers/designers who use TortoiseSVN are getting a 401 "unauthorised" on PROPFIND, but GET doesn't get denied. If we switch GET and PROPFIND they get a 401 on OPTIONS. This problem doesn't occur using the web browser or Subversive, because they only do a GET or a PROPFIND at the appropriate times, unlike TortoiseSVN which seems to "spam" the server for information when you request a file/directory.

The second issue we're having: previously developers had to register and set a password specifically for subversion and trac, so invariably they set the password as something different to their normal login (no bad thing really). With the change to use AD for user validation their stored passwords for repos are now incorrect. The problem we've found is that if a developer has an incorrect password, their login via SVN is denied, but they can still commit into the repo, and it now comes up as "no author"/anonymous.
Obviously this is bad. Myself and a colleague have tried a whole bunch of tweaks that usually end up denying access to the repo completely. Any suggestions anyone might have, or if you can see anything that we've completely looked past/through, would be gratefully received.

Regards
Stephen

PS. The work we've done on this config is based on this article: http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/

--
Stephen Moretti
Blog : http://nil.checksite.co.uk/
Twitter : http://twitter.com/mr_nil
EE: http://beta.experts-exchange.com/M_1167123.html
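Whatever the cause of the "no author" commits, the `CustomLog ... "%t %u %{SVN-ACTION}e"` line the poster already has is enough to detect them. The following audit script is an added example, not code from the post: it parses that log format and flags every action performed with no authenticated user, ranking writes above reads. The sample log lines are constructed; the SVN-ACTION verbs are mod_dav_svn's.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One line of the CustomLog format "%t %u %{SVN-ACTION}e" looks like
# "[20/May/2010:09:45:10 +0100] smoretti commit r1202"; %u is "-" when
# nobody authenticated.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<action>\S.*)$")

# mod_dav_svn SVN-ACTION verbs that modify repository state.
WRITE_VERBS = {"commit", "lock", "unlock", "change-rev-prop"}


class Finding(NamedTuple):
    ts: str
    action: str
    severity: str  # "high" for anonymous writes, "medium" for anonymous reads


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into ts/user/action, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: List[str]) -> Tuple[List[Finding], int]:
    """Return (findings, number of unparseable lines).

    Policy from the post: nobody may read or write without logging in, so every
    action with user "-" is a finding. Writes rank higher because a commit
    recorded without an author defeats attribution."""
    findings: List[Finding] = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep going, but report how much could not be parsed
            continue
        if rec["user"] != "-":
            continue
        verb = rec["action"].split()[0]
        severity = "high" if verb in WRITE_VERBS else "medium"
        findings.append(Finding(rec["ts"], rec["action"], severity))
    return findings, skipped


# Constructed sample log, not taken from the poster's server.
SAMPLE_LOG = """\
[20/May/2010:09:41:03 +0100] smoretti checkout-or-export /trunk r1201
[20/May/2010:09:44:52 +0100] - update /trunk r1201
[20/May/2010:09:45:10 +0100] - commit r1202
[20/May/2010:10:02:33 +0100] jbloggs commit r1203
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity.upper():6} {f.ts}  {f.action}")
    print(f"{len(found)} anonymous action(s), {bad} unparseable line(s)")
```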
Re: [us...@httpd] apache running but not responding
On Thu, 2010-05-20 at 09:45 +0530, J. Bakshi wrote:
> [Wed May 19 18:43:18 2010] [notice] child pid 1180 exit signal Segmentation fault (11)
> ...
> What might be the issue here ?

Apache is crashing, most likely because of a bug in some module.

Have a look at this page for information about debugging crashes:
http://httpd.apache.org/dev/debugging.html#crashes

Best regards,
Morten

--
Morten Shearman Kirkegaard
http://fabletech.com/

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Bandwith Control Module
Hi,

Do you know if there's any bandwidth control module for Apache (Solaris) or a streamer module? We need to serve a video, but we want to limit the bandwidth used.

Thanks in advance.
Re: [us...@httpd] Bandwith Control Module
There are a few:
- mod_bw
- mod_cband
- mod_limitipconn (probably not what you want)

Kind regards
~Jorge

On Thu, May 20, 2010 at 11:47 AM, Antonio Vidal Ferrer <antonio.vi...@globalia-sistemas.com> wrote:
> Hi,
>
> Do you know if there's any bandwidth control module for Apache (Solaris) or a streamer module? We need to serve a video, but we want to limit the bandwidth used.
>
> Thanks in advance.
[us...@httpd] Load balance three tomcats behind apache
Hi,

How can I configure a load balancer with one Apache and three Tomcats running behind Apache?

Apache version 2.2.15
Tomcat version 6.0.26

Nasir
Re: [us...@httpd] Load balance three tomcats behind apache
On Thu, 2010-05-20 at 16:37 +0500, Nasir Zia wrote:
> hi,
>
> how can i configure a load balancer with one apache and three tomcats running behind apache.
>
> Apache version 2.2.15
> tomcat version 6.0.26
>
> Nasir

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

<Proxy balancer://localhost>
    BalancerMember ajp://server1:8009/ loadfactor=1 timeout=30
    BalancerMember ajp://server2:8009/ loadfactor=1 timeout=30
    BalancerMember ajp://server3:8009/ loadfactor=1 timeout=30
    ProxySet lbmethod=byrequests
</Proxy>

ServerName www.example.com
ProxyPass /app/ balancer://localhost/app1/
ProxyPassReverse /app/ balancer://localhost/app1/

# Logging and other directives go here

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Re: [us...@httpd] Load balance three tomcats behind apache
On Thu, May 20, 2010 at 12:58 PM, Mark Watts wrote:
> On Thu, 2010-05-20 at 16:37 +0500, Nasir Zia wrote:
>> hi,
>>
>> how can i configure a load balancer with one apache and three tomcats running behind apache.
>>
>> Apache version 2.2.15
>> tomcat version 6.0.26
>>
>> Nasir
>
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
>
> <Proxy balancer://localhost>
>     BalancerMember ajp://server1:8009/ loadfactor=1 timeout=30
>     BalancerMember ajp://server2:8009/ loadfactor=1 timeout=30
>     BalancerMember ajp://server3:8009/ loadfactor=1 timeout=30
>     ProxySet lbmethod=byrequests
> </Proxy>
>
> ServerName www.example.com
> ProxyPass /app/ balancer://localhost/app1/
> ProxyPassReverse /app/ balancer://localhost/app1/
>
> # Logging and other directives go here

Just FYI, the balancer name (in this case 'localhost') is just a string, it doesn't have to correspond to a hostname.

Cheers
Tom
Re: [us...@httpd] Header modification problem with mod_rewrite, mod_headers and PHP
I've tried that also, it didn't work either. There seems to be a bug, https://issues.apache.org/bugzilla/show_bug.cgi?id=49308, covering this issue. But I don't know when it'll be fixed.

On Wed, May 19, 2010 at 7:31 PM, Igor Cicimov wrote:
> Use mod_expires instead
>
> Sent from my phone
>
> On May 19, 2010 11:42 PM, "Pablo Garcia Melga" wrote:
>
> Hello,
>
> I'm struggling with a configuration that doesn't seem to work. I have an httpd 2.2.15 running on RHEL 5.3 loaded with mod_rewrite, mod_headers, mod_expires and php.
>
> I have configured this rewrite rule
> RewriteRule "/c([0-9]+)-([a-zA-Z/-]+)-p([0-9]+)(.*)" "/nl_listado.php?categoria=$1&pagina=$3"
>
> Works fine, no problem.
> Now I want to remove all cache-related headers sent by the php and set my own. So I put these lines in the config.
>
> Header unset set-cookie
> Header unset Expires
> Header unset cache-control
> Header unset Pragma
> Header set cache-control "public"
> Header append cache-control "max-age=1200"
>
> Header unset set-cookie
> Header unset Expires
> Header unset cache-control
> Header unset Pragma
> Header set cache-control "public"
> Header append cache-control "max-age=1200"
>
> Neither of these seems to work as expected, instead I get a mixed response.
>
> These are the response headers without the sections:
>
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-cache
> Expires: -1
> Pragma: no-cache
>
> And these are the response headers after I place the above configuration:
>
> Cache-Control: public, max-age=1200, no-cache
> Expires: -1
> Pragma: no-cache
>
> I've tried with different versions of httpd, also compiling the modules statically, but I found no way to make this work. The weird thing is that mod_headers kicks in and appends the "public, max-age=1200" to the response, but doesn't remove the no-cache, Expires and Pragma headers.
> Any ideas ?
>
> Regards,
> Pablo
[us...@httpd] Re: Is this possible ?
Let’s suppose this configuration

|Server1| <- |Server2| <- |Client|

A client sends a request that starts a script on Server2. The script (running on Server2) will download a webpage from Server1.
Is it possible to record Client’s IP on Server1, instead of Server2’s IP? In other words, Server1 will think the request for downloading is directly from Client. That is, Server2’s IP will be “invisible” for Server1.

Is this possible?

Thanks
J.
Re: [us...@httpd] Re: Is this possible ?
On Thu, May 20, 2010 at 3:24 PM, wrote:
> Let’s suppose this configuration
>
> |Server1| <- |Server2| <- |Client|
>
> A client sends a request that starts a script on Server2. The script (running on Server2) will download a webpage from Server1.
> Is it possible to record Client’s IP on Server1, instead of Server2’s IP? In other words, Server1 will think the request for downloading is directly from Client. That is, Server2’s IP will be “invisible” for Server1.
>
> Is this possible?
>
> Thanks
> J.

Sure, with a bit of extra work. You need to update the request on server1 to overwrite the IP address with the client's IP address. The simplest way to do this is with something like mod_rpaf2 (3rd party module), or mod_remoteip (currently in trunk). You will also need to pass the client IP address in the request headers sent from server2 to server1 - how you do this will depend on how server2 will 'download' the webpage from server1. Both mod_rpaf and mod_remoteip allow you to configure the header that it reads the client IP from.

Cheers
Tom
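The part of this setup that matters for security is the trust decision: Server1 must only replace the peer address with a forwarded one when the peer is a proxy it trusts, otherwise any client could claim any IP. The following is an added example, not code from the thread or from either module, that models that decision in Python with a right-to-left walk of the kind mod_remoteip performs; the addresses (RFC 5737 ranges), the header name X-Forwarded-For and the trusted-proxy list are assumptions of the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def trusted_networks(cidrs: Iterable[str]) -> list:
    """Build the trusted-proxy list from CIDR strings (like a RemoteIPInternalProxy list)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed for the example: Server2 is the only proxy Server1 should believe.
TRUSTED_PROXIES = trusted_networks(["192.0.2.10/32"])


def is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, xff: Optional[str], trusted) -> Tuple[str, List[str]]:
    """Return (effective client IP, proxies that were trusted along the way).

    Start from the TCP peer and, only while the current address is a trusted
    proxy, replace it with the next X-Forwarded-For entry taken from the right.
    A header sent directly by an untrusted peer is never honoured, so a client
    cannot forge its own address; a malformed entry stops the walk at the last
    address that could be verified.
    """
    current = ipaddress.ip_address(peer_ip)
    hops: List[str] = []
    entries = [e.strip() for e in xff.split(",")] if xff else []
    while entries and is_trusted(current, trusted):
        try:
            nxt = ipaddress.ip_address(entries.pop())
        except ValueError:
            break
        hops.append(str(current))
        current = nxt
    return str(current), hops


if __name__ == "__main__":
    # Server2 (trusted) forwards the real client's address: honoured.
    print(resolve_client_ip("192.0.2.10", "203.0.113.7", TRUSTED_PROXIES))
    # An untrusted peer sends the same header: ignored, peer stays the client.
    print(resolve_client_ip("198.51.100.5", "203.0.113.7", TRUSTED_PROXIES))
```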
Re: [us...@httpd] Load balance three tomcats behind apache
Hi,

Thanks a lot. Should I need to change anything on the Tomcat side? Do we need any conf change on the Tomcat side to respond to Apache?

On Thu, May 20, 2010 at 5:08 PM, Tom Evans wrote:
> On Thu, May 20, 2010 at 12:58 PM, Mark Watts wrote:
> > On Thu, 2010-05-20 at 16:37 +0500, Nasir Zia wrote:
> >> hi,
> >>
> >> how can i configure a load balancer with one apache and three tomcats running behind apache.
> >>
> >> Apache version 2.2.15
> >> tomcat version 6.0.26
> >>
> >> Nasir
> >
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> > LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
> >
> > <Proxy balancer://localhost>
> >     BalancerMember ajp://server1:8009/ loadfactor=1 timeout=30
> >     BalancerMember ajp://server2:8009/ loadfactor=1 timeout=30
> >     BalancerMember ajp://server3:8009/ loadfactor=1 timeout=30
> >     ProxySet lbmethod=byrequests
> > </Proxy>
> >
> > ServerName www.example.com
> > ProxyPass /app/ balancer://localhost/app1/
> > ProxyPassReverse /app/ balancer://localhost/app1/
> >
> > # Logging and other directives go here
>
> Just FYI, the balancer name (in this case 'localhost') is just a string, it doesn't have to correspond to a hostname.
>
> Cheers
> Tom
[us...@httpd] LDAP VS Kerberos for authentication breaks php
Hey guys,

I have an interesting problem. Up until recently I was using LDAP for my authentication against a win2k3 domain. Now I'm trying to switch to Kerberos for the single sign on benefits. All I did was comment out the old directory stanza that had the LDAP in it, and add a new directory stanza for the Kerberos. However, now all the PHP scripts prompt to download instead of running. If I switch it back to LDAP by commenting/uncommenting the correct paragraphs they run again just fine. Anyone have any ideas?

#LDAPSharedCacheSize 20
#LDAPCacheEntries 1024
#LDAPCacheTTL 300
#LDAPOpCacheEntries 1024
#LDAPOpCacheTTL 300

AuthName "Kerberos Login"
AuthType Kerberos
KrbAuthRealms NA.HQ
KrbServiceName HTTP
Krb5Keytab /etc/httpd/http.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user

#
# AuthBasicProvider ldap
# AuthName "Active Directory Authentication"
# AuthType Basic
# AuthzLDAPAuthoritative off
#
# AuthLDAPBindDN corprms...@na.hq
# AuthLDAPBindPassword
# AuthLDAPURL "ldap://lb1101.na.hq:3268/DC=na,DC=hq?sAMAccountName?sub";
# Require valid-user
#
Re: [us...@httpd] Stealthing a vhost
Have you tried mod_security? It's very configurable so might suit your needs.

Sent from my phone

On May 20, 2010 3:52 PM, "Peter Horn" wrote:

I have a home server running 4 name vhosts, using a dynamic DNS. The second, third and fourth vhosts are "real" and known to the DNS. The default (first) vhost is only accessible by IP address (or an abstruse and unpublished servername). It gets quite a bit of traffic by IP address which is clearly attempted intrusion. I have "nailed down" the vhost so any access receives an error response [but see footnote 1 for an exception]. This does not stop the intruders, of course. If they get any kind of response at all, they keep trying. Reporting abuse to ISPs does not seem to help significantly.

What I would love to do is behave like a good firewall and not respond at all to these [insert derogatory expletive]s. I have looked high and low in the Apache docs and can't find any way to NOT respond. There are lots of ways to set up sophisticated error responses, but no way of staying silent.

Anyone got any ideas, or should I float this in front of dev@ ?

[1] An HTTP OPTIONS request is (correctly) responded to with 200 OK. I thought this was a bug until I read the RFC again, slowly. An OPTIONS request refers to the SERVER, not the HOST.

[2] For anyone that wants to provoke an attack, visit http://88.80.10.1 from (the public IP of) your server. I haven't tried this recently, so you may find they've been shut down. They are far from the worst offenders, but easy to provoke.

Regards to all,
Peter
Re: [us...@httpd] apache running but not responding
On 05/20/2010 03:07 PM, Morten Shearman Kirkegaard wrote:
> On Thu, 2010-05-20 at 09:45 +0530, J. Bakshi wrote:
>> [Wed May 19 18:43:18 2010] [notice] child pid 1180 exit signal Segmentation fault (11)
> ...
>> What might be the issue here ?
>
> Apache is crashing, most likely because of a bug in some module.
>
> Have a look at this page for information about debugging crashes:
> http://httpd.apache.org/dev/debugging.html#crashes
>
> Best regards,
> Morten

Thanks

--
জয়দীপ বক্সী