I am trying to set up CAS authentication for the Zabbix UI.

So I configured Zabbix authentication to HTTP-based authentication.

I have a first (and public) httpd server; I set up mod_proxy here, on the zabbix context,

with this configuration:

auth_cas.conf :

LoadModule auth_cas_module /etc/httpd/modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
  CASVersion 2
  CASCookieDomain domain
  CASCookiePath /var/cache/apache2/mod_auth_cas/
  CASLoginURL https://casserver/login
  CASValidateURL https://casserver/serviceValidate
</IfModule>

proxy.conf :

ProxyPass /zabbix balancer://zabbix
<Proxy balancer://zabbix>
  BalancerMember http://subserver/zabbix/
  AuthType CAS
  AuthName "Authentication required"
  require valid-user
</Proxy>

The CAS authentication works perfectly; I am properly authenticated on my public httpd server, as I see in access:

==> access   <==
192.168.0.2 - Antoine [02/Dec/2014:17:35:33 +0100] "GET /horus/ HTTP/1.1" 200 - "https://publicaddress.com/zabbix/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"

But my user is not properly authenticated on my internal httpd server:

192.168.0.1 - - [02/Dec/2014:17:34:46 +0100] "GET /zabbix/ HTTP/1.1" 200 3902 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

If I try to set up basic auth (AuthType Basic) based on a file on my public server, the username is transferred to my internal httpd, and it works perfectly.

Antoine

1 Answer

OK, finally it works. Here is the complete solution (maybe there are some details which are not very clean, but it works).

The front server needs direct access to the CAS server; mod_auth_cas doesn't support requests through a proxy, and the CAS certificate has to match the requested address.

On my front httpd, I set up CAS auth in auth_cas.conf:

<IfModule !mod_ssl.c>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>

LoadModule auth_cas_module /etc/httpd/modules/mod_auth_cas.so

<IfModule mod_auth_cas.c>
  CASVersion 2
  CASDebug On
  CASAllowWildcardCert on
  CASValidateDepth 9
  CASCookieDomain public.domain
  CASCookiePath /var/cache/apache2/mod_auth_cas/
  CASLoginURL https://cas.address.com/login
  CASValidateURL https://cas.address.com/serviceValidate
  CASTimeout 7200
  CASIdleTimeout 7200
</IfModule>

And mod_proxy, proxy.conf:

ProxyPass /zabbix balancer://zabbix 
ProxyPassReverse  /zabbix  balancer://zabbix 

<Proxy balancer://zabbix >
  BalancerMember http://internal.server/zabbix/
  AuthType CAS
  CASAuthNHeader REMOTE_USER
  CasScope /zabbix

  AuthName "Authentication required"
  require valid-user
</Proxy>

On the internal server, add this to the zabbix.conf file:

SetEnvIfNoCase remote_user "(.*)" PHP_AUTH_USER=$1
SetEnvIfNoCase remote_user "(.*)" PHP_AUTH_PW=$1

Zabbix reads PHP_AUTH_USER for the username and checks that PHP_AUTH_PW isn't empty.

The directive "CASAuthNHeader REMOTE_USER" transmits the authenticated user to the internal front in an HTTP header,

and the directives

 SetEnvIfNoCase remote_user "(.*)" PHP_AUTH_USER=$1
 SetEnvIfNoCase remote_user "(.*)" PHP_AUTH_PW=$1

set PHP_AUTH_USER and PHP_AUTH_PW from the "remote_user" header.

And don't forget to set Zabbix authentication to "HTTP".

Antoine
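
The internal server in this setup logs a user in based on whatever REMOTE_USER header arrives, so the header is only as trustworthy as the path the request took. An added example (not part of the original answer) of the internal server's zabbix.conf limited to the front proxy, assuming Apache 2.4 `Require` syntax and a placeholder front-proxy address of 192.0.2.10:

```apache
# Internal server: zabbix.conf (added example; 192.0.2.10 is a placeholder
# for the address the CAS-protected front proxy connects from).
<Location /zabbix>
    # Accept requests only from the front proxy. Any other client that can
    # reach this host could send its own REMOTE_USER header and would be
    # treated by Zabbix as that user.
    Require ip 192.0.2.10

    # Same mapping as in the answer, but (.+) instead of (.*) so the
    # variables are set only when the header carries a non-empty value.
    SetEnvIfNoCase remote_user "(.+)" PHP_AUTH_USER=$1
    SetEnvIfNoCase remote_user "(.+)" PHP_AUTH_PW=$1
</Location>
```

To check the restriction, request /zabbix/ on the internal server from a host other than the front proxy; the expected response is 403 regardless of any REMOTE_USER header sent. The BalancerMember in the answer uses plain http, so the header also crosses that hop unencrypted and the network between the two servers has to be trusted.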