Hi
I'm trying to set up 2 virtual hosts with xradius authentication. My xradius module is loaded in:
/etc/httpd/conf.modules.d/00-xradius.conf
with
LoadModule auth_xradius_module modules/mod_auth_xradius.so
Now to the end of my httpd.conf file I append the following:
ServerName b-25-6crlab-ecr-1
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@syslog
ServerAlias www.rsyslog.net
DocumentRoot "/var/www/html/"
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +OptRenegotiate
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
<Directory "/var/www/html">
SSLRequireSSL
Require valid-user
Options +ExecCGI
Options ExecCGI FollowSymlinks
AllowOverride None
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin root@ecr
ServerAlias www.ecr.net
DocumentRoot "/usr/share/cgit/"
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +OptRenegotiate
Alias /cgit-data /usr/share/cgit/
ScriptAlias /cgit /var/www/cgi-bin/cgit
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
<Directory "/usr/share/cgit">
SSLRequireSSL
Require valid-user
Options +ExecCGI
AddHandler cgi-script .cgi
Options ExecCGI FollowSymlinks
AllowOverride None
</Directory>
</VirtualHost>
</IfModule>
<VirtualHost *:80>
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
The above config works fine. I'm able to access both webapps with https redirection. Radius is not in use at this point.
Now when I try to use the xradius module options, like so, it does not work. It just goes straight through without authentication:
ServerName b-25-6crlab-ecr-1
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@syslog
ServerAlias www.rsyslog.net
DocumentRoot "/var/www/html/"
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +OptRenegotiate
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
<Directory "/var/www/html">
AuthXRadiusAddServer "10.x.x.x:1812" "super_awesome_secret"
## Time in Seconds to wait for replies from the RADIUS Servers
AuthXRadiusTimeout 2
AuthXRadiusRejectBlank on
## Number of times to resend a request to a server if no reply is received.
AuthXRadiusRetries 2
AuthType Basic
AuthName "WHQ RADIUS"
AuthBasicProvider xradius
SSLRequireSSL
Require valid-user
Options +ExecCGI
Options ExecCGI FollowSymlinks
AllowOverride None
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin root@ecr
ServerAlias www.ecr.net
DocumentRoot "/usr/share/cgit/"
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +OptRenegotiate
Alias /cgit-data /usr/share/cgit/
ScriptAlias /cgit /var/www/cgi-bin/cgit
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
<Directory "/usr/share/cgit">
AuthXRadiusAddServer "10.x.x.x:1812" "super_awesome_secret"
## Time in Seconds to wait for replies from the RADIUS Servers
AuthXRadiusTimeout 2
AuthXRadiusRejectBlank on
## Number of times to resend a request to a server if no reply is received.
AuthXRadiusRetries 2
AuthType Basic
AuthName "WHQ RADIUS"
AuthBasicProvider xradius
SSLRequireSSL
Require valid-user
Options +ExecCGI
AddHandler cgi-script .cgi
Options ExecCGI FollowSymlinks
AllowOverride None
</Directory>
</VirtualHost>
</IfModule>
<VirtualHost *:80>
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
It gets even better!
So I move the above code (the one with xradius) to conf.d/cgit.conf and replace it entirely. xradius authenticates me and goes to "Unauthorized" if auth fails. When auth passes I'm redirected to the first virtualhost, but when I try to go to the second virtualhost I get:
"Not Found"
First VHOST is just https://ip-address < which is fine
Second VHOST is https://ip-address/cgit < Not found message
I'm not entirely familiar with Apache. I've set up a vhost before with xradius, but only with 1 vhost. Now I'm trying two.
Any input as to how to resolve the Xradius not working in the first scenario or "Not found" msg in the second would be very much appreciated.
Thank you in advance
Dave
Last edited by davama (2015-09-10 01:58:23)
I am not sure if this is your problem, but if you have only those 2 vhosts, Apache will point to this first vhost as the default server.
This is from the Apache site: http://httpd.apache.org/docs/2.2/vhosts/examples.html
The asterisks match all addresses, so the main server serves no requests. Due to the fact that www.example.com is first in the configuration file, it has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first VirtualHost.
So your setup should be: server_ip/, then server_ip/vhost_1, then server_ip/vhost_2, in your httpd-vhosts.conf (or whatever conf you use).
Maybe this example will help:
# always list the existing server first if using name-based server
# and if you want the base server to serve a domain name, else put it below other vhosts
<VirtualHost *:80>
DocumentRoot "/srv/http"
ServerName localhost
# ServerAlias localhost
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@appeltje.com
DocumentRoot "/srv/http/appeltje.com"
ServerName appeltje.com
ServerAlias www.appeltje.com
ErrorLog "/var/log/httpd/appeltje.com-error_log"
CustomLog "/var/log/httpd/appeltje.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@eitje.com
DocumentRoot "/srv/http/eitje.com"
ServerName eitje.com
ServerAlias www.eitje.com
ErrorLog "/var/log/httpd/eitje.com-error_log"
CustomLog "/var/log/httpd/eitje.com-access_log" common
</VirtualHost>
You can check with
httpd -S
for the vhost configuration.
Last edited by boban_dj (2015-09-02 07:34:06)
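The selection rule quoted in the reply above, applied to the two *:443 vhosts from the question, as an added example (not code from the thread or from Apache). The vhost model, the function names and the address 192.0.2.10 are assumptions constructed for illustration; only ServerName/ServerAlias matching and ScriptAlias prefix mapping are modelled.

```python
import fnmatch

# Constructed model of the two *:443 vhosts from the question, in file order.
# Neither block sets its own ServerName, so only ServerAlias is modelled.
VHOSTS = [
    {"label": "rsyslog", "server_name": None, "aliases": ["www.rsyslog.net"],
     "docroot": "/var/www/html/", "script_aliases": {}},
    {"label": "cgit", "server_name": None, "aliases": ["www.ecr.net"],
     "docroot": "/usr/share/cgit/",
     "script_aliases": {"/cgit": "/var/www/cgi-bin/cgit"}},
]


def _hostname(host_header):
    """Lower-case the Host header and drop a trailing :port if present."""
    host = (host_header or "").strip().lower()
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def select_vhost(host_header, vhosts=VHOSTS):
    """First vhost whose ServerName/ServerAlias matches; else the first listed."""
    host = _hostname(host_header)
    for vh in vhosts:
        if vh["server_name"] and host == vh["server_name"].lower():
            return vh
        # ServerAlias values may contain * and ? wildcards.
        if any(fnmatch.fnmatchcase(host, a.lower()) for a in vh["aliases"]):
            return vh
    return vhosts[0]  # no name matched: the first vhost is the default


def resolve(host_header, path, vhosts=VHOSTS):
    """Return (vhost label, filesystem target) for a request path."""
    vh = select_vhost(host_header, vhosts)
    for prefix, target in vh["script_aliases"].items():
        if path == prefix or path.startswith(prefix + "/"):
            return vh["label"], target + path[len(prefix):]
    return vh["label"], vh["docroot"].rstrip("/") + path


if __name__ == "__main__":
    # 192.0.2.10 is a constructed stand-in for "https://ip-address".
    for host, path in [("192.0.2.10", "/"), ("192.0.2.10", "/cgit"),
                       ("www.ecr.net", "/cgit")]:
        print(host, path, "->", resolve(host, path))
```

A request to the bare IP for /cgit lands in the first vhost and maps under /var/www/html, where the ScriptAlias from the second vhost does not apply, which is consistent with the "Not Found" in the question.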
Thanks for replying boban.
I had posted this on another forum with 150+ views and no replies, so I decided to post here too. Within about 60 views you replied.
Thank you!
Always appreciate the Arch Linux community's quick and friendly help.
> I am not sure if this is your problem, but if you have only those 2 vhosts, Apache will point to this first vhost as the default server.
> This is from the Apache site: http://httpd.apache.org/docs/2.2/vhosts/examples.html
> The asterisks match all addresses, so the main server serves no requests. Due to the fact that www.example.com is first in the configuration file, it has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first VirtualHost.
> So your setup should be: server_ip/, then server_ip/vhost_1, then server_ip/vhost_2, in your httpd-vhosts.conf (or whatever conf you use).
> Maybe this example will help:
This was very helpful.
I managed to get it working, although the way I did it is probably not the best.
What i did:
I changed the log level of httpd in /etc/httpd/conf/httpd.conf from warn to debug:
LogLevel debug
Restarted httpd.
Since loglevel is debug, logs go to /var/log/httpd/error_log.
There I found what boban mentioned, that the Directory Root goes to the first vhost. So my solution was to create a soft link on the first vhost directory to the second vhost directory.
ln -s /var/www/html/loganalyzer/ /usr/share/cgit/loganalyzer
Since "loganalyzer" is found in the root dir I was able to access the local index.php file.
Xradius module also worked and errors out when auth fails.
Marking Solved.
Thanks
Dave