
proxypass after 2fa

Open ghost opened this issue 5 years ago • 10 comments

Hi,

Nice work on the 2FA part. I am building a proxy that uses this, but I want to be able to proxy requests to an internal machine, and I'm about to pull my hair out.....

Where do I put the proxy so it won't skip auth/2FA?

ghost, May 21 '19 11:05

What does your existing configuration look like?

itemir, May 21 '19 17:05

Hi,

Currently my vhost looks like below. I just want to proxypass to our internal server after the auth/2FA is done, ideally without the use of any extra forms.

Been playing with Locations, rewrites and so on half the afternoon and no success.

For instance, proxypass to https://backend.interndomain so we can use one machine as a 2FA frontend/proxy for multiple domains/vhosts.

```apache
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on

    SSLCertificateFile /etc/apache2/ssl/gamepoint_net.crt
    SSLCertificateKeyFile /etc/apache2/ssl/gamepoint_net.key

    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on
    SSLCompression          off

    SSLOptions +StrictRequire

    RewriteEngine On

    # No 2FA_Auth cookie at all: send the request to the 2FA CGI.
    RewriteCond %{REQUEST_URI} !^/auth/
    RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
    RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

    # Cookie present but no matching state file: session not completed, redirect too.
    RewriteCond %{REQUEST_URI} !^/auth/
    RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
    RewriteCond /var/www/html/apache_2fa/state/%1 !-f
    RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

    ScriptAlias /auth/ /var/www/html/apache_2fa/

    <Directory /var/www/html/apache_2fa>
           AuthLDAPBindDN "LDAPBINDUSER"
           AuthLDAPBindPassword "PASS"
           AuthLDAPURL "ldap://192.168.1.1:3268/dc=server,dc=local?sAMAccountName?sub?(objectClass=*)"
           AuthType Basic
           AuthName "Please use your AD account"
           AuthBasicProvider ldap
           AuthUserFile /dev/null
           Require valid-user
    </Directory>

    <Directory /var/www/html>
           AuthLDAPBindDN "LDAPBINDUSER"
           AuthLDAPBindPassword "PASS"
           AuthLDAPURL "ldap://192.168.1.1:3268/dc=server,dc=local?sAMAccountName?sub?(objectClass=*)"
           AuthType Basic
           AuthName "Please use your AD account"
           AuthBasicProvider ldap
           AuthUserFile /dev/null
           Require valid-user
    </Directory>

</VirtualHost>
```

ghost, May 21 '19 17:05

I think what you are trying to do is reverse proxy with auth. Once you get that working, you should be able to add 2FA. Check the documentation for those:

https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

And see this question on Stack Overflow:

https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication

itemir, May 21 '19 18:05

Hi,

Building the reverse proxy with auth isn't the problem; that's simply a Location with auth (AD) and the proxy lines.

The problem is where to put in the 2FA part, because after I authed it directly picks up the proxy rules and skips the 2FA part.

ghost, May 21 '19 18:05

Sorry, I am not sure. This is not about 2FA but really more about the Apache configuration. Ultimately, this solution relies on mod_rewrite, so what you need to figure out is how mod_rewrite interacts with mod_proxy or some derivative of it. I don't know the answer to that.

itemir, May 22 '19 06:05

No problem whatsoever, I will figure it out and post the outcome if you want. Thank you for your time and support. Have a very nice day.

ghost, May 22 '19 06:05

Sounds good, see this post as well on the interaction of mod_proxy and mod_rewrite: https://httpd.apache.org/docs/2.4/rewrite/proxy.html

I don't think you can use my solution as is, but try to use the same logic to account for proxying. Ultimately, I think there are enough options to make "some solution" work.

itemir, May 22 '19 06:05

And yes, please do post it if/when you figure it out.

itemir, May 22 '19 06:05

Just in case someone needs a proxypass after the 2FA, here is a working example (including an LDAP user query, and a check for the local LAN, so 2FA is only triggered if the request is not from the company LAN):

```apache
RewriteEngine On

# RESULT_ONE is True only when the 2FA_Auth cookie is present and its value
# names an existing state file, i.e. a completed 2FA session.
RewriteRule ^ - [E=RESULT_ONE:False]
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /var/www/2fa/state/%1 -f
RewriteRule ^ - [E=RESULT_ONE:True]

# Proxy to the backend when the session is valid OR the client comes from the
# company LAN (2FA is skipped for these source addresses).
# [P] implies [L], so matching requests never reach the redirect below.
RewriteCond %{ENV:RESULT_ONE} =True [OR]
RewriteCond %{REMOTE_ADDR} ^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$ [OR]
RewriteCond %{REMOTE_ADDR} ^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteRule ^/(.*) http://192.168.111.111/$1 [P]
ProxyPassReverse / http://192.168.111.111/
ProxyPassReverseCookiePath / /

# Everyone else (no valid session, not on the LAN) is sent to the 2FA CGI,
# except for requests to the CGI itself.
RewriteCond %{ENV:RESULT_ONE} =False
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{REMOTE_ADDR} !^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{REMOTE_ADDR} !^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

ScriptAlias /auth/ /var/www/2fa/

# The 2FA CGI itself is protected by LDAP (AD) Basic auth.
<Directory /var/www/2fa>
    AuthLDAPBindDN "LDAP_Reader_User"
    AuthLDAPBindPassword "LDAP_Password"
    AuthLDAPURL "ldap://192.168.123.123:389/dc=DO,dc=MAIN?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthName "Please use your AD account"
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    Require valid-user
</Directory>
```

wl-lankin, Aug 04 '21 17:08
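To check the rule ordering of the LAN-bypass config above without touching a live server, here is an added Python model of its decision logic (my own example, not part of the post or of apache_2fa). It assumes the state directory and backend address from the post and treats the two REMOTE_ADDR regexes as the equivalent RFC 1918 networks; make_state_dir is a constructed test helper.

```python
import os
import re
import tempfile
from ipaddress import ip_address, ip_network

BACKEND = "http://192.168.111.111"          # backend from the posted config
# Same pattern as the RewriteCond: %1 becomes the state-file name, so only
# [a-zA-Z0-9] can ever be joined onto the state directory path.
COOKIE_RE = re.compile(r"^.*2FA_Auth=([a-zA-Z0-9]+)")
# Assumption: the ^192\.168\. and ^10\. REMOTE_ADDR regexes are equivalent
# to these RFC 1918 networks for well-formed IPv4 addresses.
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


def session_valid(cookie_header, state_dir):
    """RESULT_ONE: cookie present and state/<token> is a regular file."""
    m = COOKIE_RE.match(cookie_header or "")
    return bool(m) and os.path.isfile(os.path.join(state_dir, m.group(1)))


def is_lan(remote_addr):
    """The REMOTE_ADDR conditions (real peer address, not X-Forwarded-For)."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def decide(uri, cookie_header, remote_addr, state_dir, query=""):
    """Walk the rule groups in order; return (action, target)."""
    # Valid session OR LAN client -> [P] proxy. P implies L, so this wins
    # even for /auth/ paths.
    if session_valid(cookie_header, state_dir) or is_lan(remote_addr):
        return ("proxy", BACKEND + uri)
    # Everyone else is redirected to the 2FA CGI, except the CGI path itself.
    if not uri.startswith("/auth/"):
        return ("redirect", "/auth/auth?%s?%s" % (uri, query))
    return ("local", uri)   # served by ScriptAlias /auth/ /var/www/2fa/


def make_state_dir(tokens):
    """Constructed test helper: temp dir with one empty file per token."""
    d = tempfile.mkdtemp()
    for t in tokens:
        open(os.path.join(d, t), "w").close()
    return d
```

The last case in the test set shows why the alphanumeric capture group matters: a cookie value containing path characters never matches, so it can neither name a state file nor escape the state directory.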

Another https -> https proxypass example that worked for me after some hours of trial and error :)

```apache
<VirtualHost *:443>

    ServerAdmin webmaster@localhost
    ServerName my.sub.domain.com

    RewriteEngine On

    # No 2FA_Auth cookie: redirect to the 2FA CGI.
    RewriteCond %{REQUEST_URI} !^/auth/
    RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
    RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

    # Cookie present but no state file for it: session not completed, redirect.
    RewriteCond %{REQUEST_URI} !^/auth/
    RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
    RewriteCond /var/www/2fa/state/%1 !-f
    RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

    # Only requests that passed the two checks above get here.
    # WebSocket upgrades go to the backend over ws://.
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)  ws://localhost:8888/$1 [P,L]

    # Everything except the 2FA CGI is proxied to the https backend.
    RewriteCond %{REQUEST_URI} !^/auth
    RewriteRule /(.*)  https://localhost:8888/$1 [NE,P,L]
    ProxyPassReverseCookiePath / /

    ScriptAlias /auth/ /var/www/2fa/

    SSLEngine on
    # Proxy
    SSLProxyEngine on
    # The backend certificate is not verified at all (localhost backend,
    # presumably self-signed); the proxied connection is encrypted but
    # not authenticated.
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost on
    # Reverse proxy only. With "ProxyRequests on" plus <Proxy *> granting
    # access to all, this vhost would also act as an open forward proxy.
    ProxyRequests off
    ProxyReceiveBufferSize 2048
    <Proxy *>
        # 2.4 syntax; replaces the 2.2-style "Order deny,allow / Allow from all"
        Require all granted
    </Proxy>

    <Directory /var/www/2fa/>
        AuthType Digest
        AuthName "my.sub.domain.com"
        AuthDigestDomain /
        AuthDigestProvider file
        AuthUserFile /var/www/2fa/apache_credentials
        Require valid-user
    </Directory>

    SSLCertificateFile /etc/letsencrypt/live/my.sub.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.sub.domain.com/privkey.pem
</VirtualHost>
```

benjaminfrombe, Oct 06 '22 08:10