When dealing with a web service which for one reason or another cannot or should not be allowed on the web. Apache has several wonderful modules which allows the services to be wrapped and behave like a web app should (working SSL certificates, forced encryption, authentication ...)
In this article I will discuss and show some examples on how to create an authenticated reverse proxy with mod_authnz, mod_proxy,mod_rewrite and mod_security.
-=-=-=-=-=-=-=-ToC-=-=-=-=-=-=-=-
1. Prerequisites
2. Installation of Apache
3. Configuration of Apache
4. Configuration of mod_rewrite
5. Configuration of mod_proxy
6. Configuration of mod_authnz(optional)
7. Configuration of mod_security
8. Summary
9. Informative Resources
-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-
1. Prerequisites
In this example you will need:
- Ubuntu Linux
- LDAP compatible server with valid SSL certificate
- Apache2
- Wildcard ssl certificate or valid certificates for each service published
- Apache mod_rewrite
- Apache mod_proxy
- Apache mod_authnz
- Apache mod_security
Install Apache2 by any of your favorite package managers or at the prompt:
sudo apt-get install apache23. Configuration of Apache
Then create a new config file for each of your new relays.
Inside of the virtual host tag:
UseCanonicalName Off4. Configuration of mod_rewrite
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
#incase you have a self signed certificate on the ldap server
LDAPVerifyServerCert offSSLEngine On
SSLCertificateFile /etc/apache2/ssl/generic/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/generic/example.com.key
Servername weirdone_wrapped.example.com
CustomLog /var/log/apache2/access_log.relay-weird.vhost vcommon
(mod-rewrite is included with apache2)
To enable mod_rewrite:
a2enmod rewriteThen add the following virtual host entry to redirect http traffic:
5. Configuration of mod_proxyRewriteEngine On
#Force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
First install additional mod_proxy:
sudo apt-get install libapache2-mod-proxy-htmlThen enable the modules:
a2enmod proxy proxy_connect proxy_html proxy_httpInsert the proxy section and commands into the SSL (port 443) vhost section:
6. Configuration of mod_authnz(optional)Order deny,allow ProxyPreserveHost On ProxyPass / http://weirdapp.example.com:50281/ ProxyPassReverse / http://weirdapp.example.com:50281/
First install mod_authnz:
apt-get install libapache2-mod-authnz-externalThen insert the following into the proxy block for ldap authentication of the connection:
AuthType Basic AuthBasicProvider ldap
AuthName "Please authenticate your connection using your network login."
#Some Ldap servers will reject un-encrypted simple authentication, plus this is
#just a good idea any way.
AuthLDAPURL "ldaps://1.2.3.4/?cn" SSL
AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=authbot,ou=users,o=org
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute uid
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=Staff,ou=groups,o=org
Satisfy All
7. Configuration of mod_security
First install mod_security:
apt-get install libapache-mod-securityThen enable it:
a2enmod mod-securityMod_security is fairly tricky, I am using a default configuration but I am only logging errors and not preventing them. Configuration beyond this is outside the scope of this article.
Edit /etc/apache2/mods-available/mod_security.conf and use the configuration example in
"/usr/share/doc/mod-security-common/examples/" as a template.
If it proves to be too restrictive, you can switch the part which says:
SecRuleEngine On
to
SecRuleEngine DetectionOnly
8. Summary
So, after this is installed, Apache will listen to a static IP then relay a a website to the end user over SSL after authenticating the connection with an LDAP server. And if anything fishy happens it will be logged/(or blocked) with mod-security.
This is not a 100% silver bullet solution. Apache http authentication is generally a bad idea, especially over an unencrypted session. In this example it is partially mitigated with mod_rewrite but at this time Apache does not natively support any modern authentication technologies with hooks for LDAP or any other authentication service. If you have the opportunity to prevent the need to do this then make it so.
The best way is to do it right the first time and write into your web application (or specify in the RFQ) the correct security measures.
9. Informative Resources
Breach Security "Mod Security home page". (Accessed April 2009)
http://www.modsecurity.org
The Apache Software foundation. "Apache webserver website". (accessed Jan 2010)
http://httpd.apache.org/
See also :
Asmodian X's Securing php web applications:
http://www.h-i-r.net/2009/05/securing-php-web-applications.html
Ax0n's OAMP (Apache, Mysql, PHP on OpenBSD) Article:
http://www.h-i-r.net/2008/12/sysadmin-sunday-amp-on-openbsd-44.html
Asmodian X's Name based hosting mini-howto:
http://www.h-i-r.net/2008/10/sysadmin-sunday-apache-name-based.html
Asmodian X's Workbench - Suhosin :
http://www.h-i-r.net/2008/12/asmodians-workbench-suhosin-hardened.html
Posts
