
Goal: a client authenticates against an Apache 2.4 reverse proxy with OTP (AuthType basic), and is then forwarded to the backend server (Apache 2.2), where a further, individual authentication is required (Kerberos). The client gets access only after both factors have succeeded.

With respect to a possible solution I assume we can neglect the OTP / Kerberos auth pair and can, in a more general way, talk about two basic auths.

Restrictions: both OTP on the proxy and Kerberos auth on the backend must be used. The current Apache 2.2 on the backend cannot be replaced. The subdir "sub" (see below) cannot be changed. Apache 2.4 as proxy must be used (it cannot be replaced by nginx or squid) due to the proprietary OTP module.

Preparations / config so far:

All necessary proxy modules are in place (we are on SuSE 12.2)

/etc/apache2/loadmodules.conf:

    LoadModule proxy_module
    LoadModule proxy_http_module
    LoadModule proxy_html_module
    LoadModule xml2enc_module

and enabled with $ a2enmod [module]

The virtual host conf currently looks like:

    <VirtualHost myproxy.domain.com:443>

    DocumentRoot "/srv/www/myproxy"
    ServerName myproxy.domain.com:443

    # requests must point to the subdir /sub
    # (absolute substitution, so the redirect target is /sub/ on this host)
    RewriteEngine  on
    RewriteRule ^/$ /sub/ [R]

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/pubkey.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # no open forwarding proxy:
    ProxyRequests off

    # use SSL between proxy and backend in a loose fashion
    # i.e. do not check cert validity etc.
    # (with all four checks off the proxy never verifies the backend certificate,
    # so the proxy-to-backend hop is not protected against a man-in-the-middle)
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # try to forward 2nd authentication to backend srv ?
    # (Proxy-Chain-Auth tells mod_proxy_http to pass the Proxy-Authorization header on)
    SetEnv Proxy-Chain-Auth On

    # trailing slash on both sides, so /sub/x maps to /sub/x and not /sub//x
    ProxyPass /sub/ https://mybackend.domain.com/sub/
    ProxyPassReverse /sub/ https://mybackend.domain.com/sub/

    ProxyPreserveHost On

    # first factor: OTP via the proprietary provider, checked on the proxy
    <Proxy https://mybackend.domain.com/sub/>

    AuthType basic
    AuthName "OTP protected Login"
    AuthBasicProvider someOTPprovider
    Require valid-user
    someValidationURL https://xyz/validate
    </Proxy>
    </VirtualHost>

Current achievements:

  • SSL is OK, no handshake or other complaints as before (see the "offs" in the SSLProxy category).
  • Authentication step 1 with OTP is fine (I can see this on the OTP server).
  • The 2nd auth dialog pops up and asks for backend credentials.
  • Kerberos auth on the backend is OK (only if used directly, i.e. without a proxy request).

Problem:

  • The auth input for the 2nd factor / backend does not arrive at the backend but stays at the proxy, which throws an error:

    [:error] [pid 12804] Rejecting authentication for user 'someuser'
    [auth_basic:error] [pid 12804] [client ip:port] AH01617: user someuser: authentication failure for "/sub/": Password Mismatch

and asks again for the first factor (OTP).

Further log info: the first (positive) OTP request always throws an error in the backend Apache error_log:

    [error] [client ip] krb5_get_init_creds_password() failed: Looping detected inside krb5_get_in_tkt

I further tried additional options like CacheDisable [url_to_backend] or RequestHeader unset Authorization, but to no avail.

MarkHelms

0 Answers
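Added example (not part of the question above, and not code from Apache or the OTP module): a small Python model of how a single HTTP Basic Authorization header travels through the two hops described in the question. It assumes, as in the posted configuration, that the proxy's Basic auth check runs first and that the request headers are then forwarded to the backend unchanged unless Authorization is explicitly unset; the user name, the two passwords and both credential stores are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credential stores (hypothetical values, not from the question).
OTP_STORE: Dict[str, str] = {"someuser": "123456"}          # what the OTP provider on the proxy accepts
BACKEND_STORE: Dict[str, str] = {"someuser": "kerb-secret"}  # what the backend authenticator accepts


def make_basic(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header value, or None if it is malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")   # password may itself contain ':'
    return user, password


def check(store: Dict[str, str], header: Optional[str]) -> bool:
    """One hop's Basic auth check against its own credential store (constant-time compare)."""
    creds = parse_basic(header)
    if creds is None or creds[0] not in store:
        return False
    return hmac.compare_digest(store[creds[0]].encode(), creds[1].encode())


def proxy_hop(request_headers: Dict[str, str], forward_authorization: bool = True):
    """Proxy (OTP) hop: (401, None) on failure, else (200, headers forwarded to the backend).
    forward_authorization=False models 'RequestHeader unset Authorization' on the proxy."""
    if not check(OTP_STORE, request_headers.get("Authorization")):
        return 401, None
    forwarded = dict(request_headers)
    if not forward_authorization:
        forwarded.pop("Authorization", None)
    return 200, forwarded


def backend_hop(forwarded_headers: Dict[str, str]) -> int:
    """Backend hop: it only ever sees the Authorization header the proxy forwarded."""
    return 200 if check(BACKEND_STORE, forwarded_headers.get("Authorization")) else 401


def two_hop(request_headers: Dict[str, str], forward_authorization: bool = True) -> Tuple[str, int]:
    """Where the request stops and with which status:
    ('proxy', 401), ('backend', 401) or ('backend', 200)."""
    status, forwarded = proxy_hop(request_headers, forward_authorization)
    if status != 200:
        return "proxy", 401
    return "backend", backend_hop(forwarded)


if __name__ == "__main__":
    otp = {"Authorization": make_basic("someuser", "123456")}
    kerb = {"Authorization": make_basic("someuser", "kerb-secret")}
    print("OTP creds, header forwarded:   ", two_hop(otp))
    print("backend creds:                 ", two_hop(kerb))
    print("OTP creds, Authorization unset:", two_hop(otp, forward_authorization=False))
```

Run as a script it walks through the three cases. A request carries one Authorization header, so whichever credential the browser sends satisfies at most one hop: the OTP value passes the proxy and is then presented unchanged to the backend, the backend credential is rejected by the proxy before it is ever forwarded, and unsetting the header on the proxy leaves the backend with no credential at all. Any setup that chains two Basic auth checks across a proxy has to get the second credential to the backend by some path other than that single header.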