
When using RHEL 8 with Shibboleth as the SP and proxying web requests to a Docker container, we have the problem that some users generate constant SSO requests (visible in transactions.log), and Apache also logs a lot of errors in error.log:

[access_compat:error] [pid 681406:tid 140386592855808] [client 10.143.116.146:62442] AH01797: client denied by server configuration: proxy:http://localhost:31337/call/getRecalcStatus, referer: https://xxxx.int.net.xxxx.com/sup/if1meas?400293498.in=130101~130201~130202~130605~130401~13..

Here is the Apache config:

# NOTE(review): the directives on the next line appear to have been collapsed
# onto one line when the config was pasted; presumably each sits on its own
# line in the real file and "#ServerName ..." is a commented-out line.
# LimitRequestFieldsize and LimitRequestLine are raised far above Apache's
# 8190-byte defaults, so every client may send very large headers and request
# lines. Keep them only as large as the long query strings really need.
ServerAdmin admin@it.com #ServerName xxxxx.int.net.xxxxx.com:443 DocumentRoot /var/www/saas/htdocs LimitRequestFieldsize 131068 LimitRequestLine 65534
    <Location "/">
            # mod_allowmethods: only GET and POST are accepted on any URL of
            # this virtual host; other methods are rejected.
            AllowMethods GET POST
    </Location>
    # Forward the client's Host header to the backends instead of the backend
    # host name taken from ProxyPass.
    ProxyPreserveHost on

    # /tabe is reverse-proxied to a local service on port 8558.
    ProxyPass /tabe http://127.0.0.1:8558/tabedit
    ProxyPassReverse /tabe http://127.0.0.1:8558/tabedit
    # Tell the backends the original request was HTTPS. "set" replaces any
    # X-Forwarded-Proto value supplied by the client.
    RequestHeader set X-Forwarded-Proto "https"
    # <Proxy> matches by URL prefix, so ".../tabe" also covers ".../tabedit".
    <Proxy http://127.0.0.1:8558/tabe>
        Require all granted
        Options none
        # NOTE(review): this block has no Order or Deny directive, so the
        # mod_access_compat default (Order Deny,Allow) applies and clients that
        # match no Allow line are still permitted. Together with
        # "Require all granted" above, this line does not restrict /tabe to the
        # listed networks. If a restriction is intended, the 2.4 form would be
        # "Require ip 192.168 172.16 11.11.11.108" in place of
        # "Require all granted" -- confirm the intent before changing it.
        Allow from 192.168. 172.16. 11.11.11.108
    </Proxy>

    # /call and /call-dev are reverse-proxied to local services on ports 31337
    # and 31338. Both use the backend path /call.
    ProxyPass /call http://localhost:31337/call
    ProxyPassReverse /call http://localhost:31337/call
    ProxyPass /call-dev http://localhost:31338/call
    ProxyPassReverse /call-dev http://localhost:31338/call

    # Access rules for the backend behind /call. The AH01797 error reported for
    # proxy:http://localhost:31337/call/... is evaluated against this block.
    #
    # NOTE(review): this block mixes mod_authz_core ("Require") with the legacy
    # mod_access_compat directives ("Order", "Allow", "Satisfy"). The Apache
    # 2.4 documentation discourages mixing the two, because the result is hard
    # to predict. AH01797 is logged by access_compat; it looks like it is
    # written whenever the client address is not in the Allow list (the logged
    # client 10.143.116.146 is not), even if "Satisfy any" then lets the
    # request continue to Shibboleth authentication -- verify on a test host.
    # The 2.4-only way to express "listed IPs OR a Shibboleth session" is:
    #     <RequireAny>
    #         Require ip 10.116.222.222 11.11.11.108
    #         Require valid-user
    #     </RequireAny>
    # with the Order / Allow / Satisfy lines removed.
    <Proxy http://localhost:31337/call>
              AuthType shibboleth
              # Force an SSO session: a request without a valid session is sent
              # to the IdP. NOTE(review): background calls such as
              # /call/getRecalcStatus presumably cannot follow that redirect, so
              # a missing or expired session may show up as repeated SSO
              # requests in transactions.log -- confirm against the SP logs.
              ShibRequestSetting requireSession 1
              # Publish Shibboleth attributes to the backend as request headers.
              # NOTE(review): clients admitted through the IP bypass have no
              # Shibboleth session. The backend should not treat identity
              # headers on those requests as authenticated; confirm that
              # client-supplied copies of these headers cannot reach it.
              ShibUseHeaders On
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
    </Proxy>
    # NOTE(review): /call-dev is proxied to http://localhost:31338/call, but
    # this section is written for http://localhost:31338/call-dev. <Proxy>
    # matches the backend URL by prefix, so this block does not appear to match
    # any proxied request and the dev backend is governed by no access rule
    # shown here. It is reachable without SSO either way; confirm that this is
    # intended for a dev instance.
    <Proxy http://localhost:31338/call-dev>
              Require all granted
              Options none
    </Proxy>

    # /cup is reverse-proxied to a local service on port 8888.
    ProxyPass /cup http://127.0.0.1:8888
    ProxyPassReverse /cup http://127.0.0.1:8888
    # Access rules for the /cup backend: Shibboleth session required, except
    # for the two listed client addresses.
    # NOTE(review): as in the other protected blocks, "Require" (mod_authz_core)
    # is mixed with "Order" / "Allow" / "Satisfy" (mod_access_compat), which the
    # Apache 2.4 documentation discourages. The 2.4-only equivalent is a
    # <RequireAny> containing "Require ip 10.116.222.222 11.11.11.108" and
    # "Require valid-user", with the three legacy lines removed.
    <Proxy http://127.0.0.1:8888>
        #Require all granted
        #Options none
              AuthType shibboleth
              # Requests without a valid SSO session are sent to the IdP.
              ShibRequestSetting requireSession 1
              # Attributes are passed to the backend as request headers.
              # NOTE(review): requests admitted by the IP bypass carry no
              # Shibboleth session, so the backend should not trust identity
              # headers on them; confirm spoofed headers cannot get through.
              ShibUseHeaders On
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
    </Proxy>
    # /cup-dev is reverse-proxied to a local service on port 8889 and is open
    # to every client without SSO.
    ProxyPass /cup-dev http://127.0.0.1:8889
    ProxyPassReverse /cup-dev http://127.0.0.1:8889
    <Proxy http://127.0.0.1:8889>
              Require all granted
              Options none
    </Proxy>

    # Defaults for the whole filesystem. These <Directory> rules apply to files
    # served from disk, not to the proxied URLs above.
    # NOTE(review): no "Require all denied" is visible here; the stock 2.4
    # configuration denies "/" and then opens only the document root. Check
    # that the main server config still does so.
    <Directory />
            # NOTE(review): "Includes" enables server-side includes together
            # with the exec element; "IncludesNOEXEC" keeps SSI without command
            # execution if exec is not needed.
            Options FollowSymLinks Includes
            # .htaccess files are ignored.
            AllowOverride None
    </Directory>
    # Document root: static content is open to everyone; only index.php is
    # placed behind Shibboleth.
    <Directory /var/www/saas/htdocs/>
            Options FollowSymLinks Includes
            # index.shtml is listed twice; the duplicate has no effect.
            DirectoryIndex index.shtml index.html index.htm default.htm index.php index.php3 index.phtml index.php5 index.shtml mwindex.phtml
            AllowOverride None
            # Legacy 2.2 syntax (mod_access_compat); the 2.4 equivalent is
            # "Require all granted".
            Order allow,deny
            allow from all
            # NOTE(review): only a file named index.php is protected here; every
            # other file under the document root stays reachable without SSO.
            # Confirm that this is the intended scope.
            <Files index.php>
              AuthType shibboleth
              ShibRequestSetting requireSession 1
              ShibUseHeaders On
              # NOTE(review): "Require" is mixed with the legacy "Order" /
              # "Allow" / "Satisfy" directives, which the Apache 2.4
              # documentation discourages. The 2.4-only form of "listed IPs OR
              # SSO" is a <RequireAny> with "Require ip 10.116.222.222
              # 11.11.11.108" and "Require valid-user".
              Require valid-user
              Order allow,deny
              Allow from 10.116.222.222 11.11.11.108
              Satisfy any
            </Files>

    </Directory>

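The purpose is that users coming from the IPs "10.116.222.222 11.11.11.108" can bypass SSO authentication. The client in the logged error above (10.143.116.146) is not one of these addresses.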

Any idea?

Marc