Apache 2.4反向代理身份验证到Elastic Stack

时间:2019-05-28 19:07:11

标签: apache elasticsearch reverse-proxy elastic-stack

使用mod_ssl的Elastic Stack 6.8 Apache 2.4.6

尝试利用ES 6.8及更高版本中包含的功能。我将Apache设置为具有智能卡身份验证的反向代理。该基本设置非常有效。用户导航到https example.com,并在提示输入他们的智能卡密码时,它将成功将其重定向到带有kibana用户名/密码屏幕的kibana界面。

如果我试图限制谁可以使用智能卡登录,似乎它也尝试登录Kibana(肯定会是一个奖励)。我在浏览器上收到了预期用户的此消息。如果未列出该用户,则会收到一条反映该消息的消息。

statusCode: 401
error: "Unauthorized"
message "[security_exception] unable to authenticate user [/common name/ou/etc/of/authorized/user] for REST request [/_xpack/security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security"\\\"\ & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"

在kibana或elasticsearch中,没有任何与此相关的日志。我的Apache client_client_access日志显示3个事件。包括专有名称

GET / HTTP/1.1 380
GET /favicon.ico HTTP/1.1 380

然后此条目不使用专有名称

GET /favicon.ico HTTP/1.1 -  

有关信息日志级别的Apache error_log显示。

(client IP) - AH01964 Connection to child 3 established (server example.com:443)

-2秒后-

(client IP) - AH02221: Requesting connection re-negotiation
(client IP) - AH02226: Awaiting re-negotiation handshake

-4秒后-

(client IP) - AH02036: Faking HTTP Basic Auth header: "Authorization: Basic --long string--"
(server IP) - AH01964: Connection to child 0 established (server
example:com:443)
(client IP) - AH02036: Faking HTTP Basic Auth header: "Authorization: Basic --same long string--"
(server IP) - AH01964: Connection to child 0 established (server example:com:443)
(client IP) - AH01964 Connection to child 7 established (server example.com:443) 
(client IP) - AH02221: Requesting connection re-negotiation
(client IP) - AH02226: Awaiting re-negotiation handshake
(client IP) - AH02226: Re-negotiation handshake failed
(client IP) - AH01998: Connection closed to child 7 with abortive shutdown (server example:com:443)
(client IP) - AH01382: Request header read timeout
(client IP) - AH01991: SSL input filter read failed

我的Apache虚拟主机配置看起来像这样。

<VirtualHost example.com:443>
  ServerAdmin Me
  ServerName example.com
  DocumentRoot "/var/www"

  #activate HTTPS on the reverse proxy
  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
  SSLCertificateChainFile /etc/pki/tls/certs/chainfile.pem

  #activate the client certificate authentication
  SSLCACertificateFile /etc/pki/tls/chainfile.pem

  SSLCARevocationPath /etc/pki/tls/certs/CRL

  CustomLog logs/client_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x %r %b"

  <location />
    SSLRequireSSL
    SSLVerifyClient optional
    SSLVerifyDepth 5
    SSLOptions +FakeBasicAuth
    SSLUserName SSL_Client_S_DN

    #Initialize the special headers to a blank value to avoid http header forgeries
    RequestHeader set SSL_CLIENT_S_CN ""
    RequestHeader set SSL_CLIENT_I_DN ""
    RequestHeader set SSL_SERVER_S_DN_OU ""
    RequestHeader set SSL_CLIENT_VERIFY ""

    #add all the SSL you need in the internal web applications
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

    ProxyPass https://example.com:5601
    ProxyPassReverse https://example.com:5601

    AuthName "Restricted Access"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /etc/httpd/userlist.txt
    Require valid-user
  </location>

  <proxy *>
    AddDefaultCharset Off
    Require all granted
  </proxy>
</VirtualHost>

如果我注释掉所有RequestHeader项,则不会给我带来任何不同。

我正在尝试至少允许智能卡登录到所需用户。更好的是,我可以将所需的用户信息传递给Kibana并让他们登录并获得所需的权限。

0 个答案:

没有答案