AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Duplicate requests and Index not working #67

Open danchaseCTS opened 2 years ago

danchaseCTS commented 2 years ago

I followed instructions on a fresh test box, and everything works great. Then when I tried to move it to production, I'm having some serious trouble! I've got it to the point where if I put:

https://myurl.com/subdir/index.php

It works, but if I just put:

https://myurl.com/subdir/

I get a 401 Unauthorized error.

The modules between the boxes are similar. The one where it's not working:

```
authz_core (enabled by maintainer script)
mpm_prefork (enabled by maintainer script)
deflate (enabled by maintainer script)
php7.0 (enabled by maintainer script)
autoindex (enabled by maintainer script)
alias (enabled by maintainer script)
mime (enabled by maintainer script)
headers (enabled by site administrator)
auth_basic (enabled by site administrator)
authz_user (enabled by maintainer script)
access_compat (enabled by maintainer script)
setenvif (enabled by maintainer script)
ssl (enabled by site administrator)
dir (enabled by maintainer script)
socache_shmcb (enabled by site administrator)
status (enabled by maintainer script)
rewrite (enabled by site administrator)
filter (enabled by maintainer script)
authz_groupfile (enabled by site administrator)
negotiation (enabled by maintainer script)
authz_host (enabled by maintainer script)
auth_jwt (enabled by site administrator)
authn_core (enabled by maintainer script)
env (enabled by maintainer script)
authn_file (enabled by maintainer script)
```

The one where everything works fine has:

```
access_compat (enabled by maintainer script)
ssl (enabled by site administrator)
setenvif (enabled by maintainer script)
autoindex (enabled by maintainer script)
socache_shmcb (enabled by site administrator)
env (enabled by maintainer script)
mpm_event (enabled by maintainer script)
auth_jwt (enabled by site administrator)
dir (enabled by maintainer script)
auth_basic (enabled by maintainer script)
alias (enabled by maintainer script)
authn_file (enabled by maintainer script)
filter (enabled by maintainer script)
deflate (enabled by maintainer script)
authz_host (enabled by maintainer script)
status (enabled by maintainer script)
mime (enabled by maintainer script)
authz_core (enabled by maintainer script)
authz_user (enabled by maintainer script)
reqtimeout (enabled by maintainer script)
negotiation (enabled by maintainer script)
authn_core (enabled by maintainer script)
```

The default-ssl.conf looks like this on both:

```apache
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/845782569bd11d43.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.key
SSLCACertificatePath /etc/ssl/certs/
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
AuthJWTFormUsername user
AuthJWTFormPassword password
AuthJWTAttributeUsername user
AuthJWTExpDelay 1800
AuthJWTNbfDelay 0
AuthJWTLeeway 10
AuthJWTSignatureSharedSecret 23md093jd8j3
AuthJWTIss ustaclubs.com
AuthJWTDeliveryType Cookie
AuthJWTCookieName AuthToken
SetHandler jwt-login-handler
AuthJWTProvider file
AuthUserFile /var/www/passwd/passwords
AuthGroupFile /var/www/passwd/groups
```

I am using .htaccess in a directory for access; this example is in /var/www/html/meets/meet_532:

```apache
AuthType jwt-cookie
AuthName myauthname
AuthUserFile /var/www/passwd/passwords
AuthGroupFile /var/www/passwd/groups
Require group meet532
```

My user file: `myusername:$apr1$xO3YBihC$n.tALxCJ3QOsdfdsfKjyC/`

My group file: `meet532: myusername`

My apache2.conf directory setup:

```apache
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride all
    Require all granted
    DirectoryIndex index.php
</Directory>
```

My security.conf directory setup:

```apache
<Directory /var/www/html/meets>
    AllowOverride all
    DirectoryIndex index.php
</Directory>
```

What I find strange is that I see duplicates in the error log as I go. I've been studying the code, and it looks like things may be getting mixed up:

```
[Tue Apr 12 04:28:12.778674 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778680 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778682 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778705 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1170): [client 24.14.160.70:34742] AH55405: auth_jwt authn: checking signature and fields correctness...
[Tue Apr 12 04:28:12.778762 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1175): [client 24.14.160.70:34742] AH55406: auth_jwt authn: signature is correct
[Tue Apr 12 04:28:12.778765 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1178): [client 24.14.160.70:34742] AH55405: auth_jwt authn: algorithm found is HS256
[Tue Apr 12 04:28:12.778833 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778836 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778838 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778844 2022] [auth_jwt:error] [pid 18237] [client 24.14.160.70:34742] AH55409: auth_jwt authn: missing authorization cookie
```

Like I said, if I put /index.php it loads, but with no index.php it gives me a 401:

> Unauthorized
>
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> Apache/2.4.18 (Ubuntu) Server at ustaclubs.com Port 443

I know it's authenticating, because if I put the wrong password, it doesn't work and errors out during authenticate.

See the following log: first it says ok, then it says denied for the group and the user:

```
[Tue Apr 12 04:28:12.778652 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778663 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778674 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778680 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778682 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778705 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1170): [client 24.14.160.70:34742] AH55405: auth_jwt authn: checking signature and fields correctness...
[Tue Apr 12 04:28:12.778762 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1175): [client 24.14.160.70:34742] AH55406: auth_jwt authn: signature is correct
[Tue Apr 12 04:28:12.778765 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1178): [client 24.14.160.70:34742] AH55405: auth_jwt authn: algorithm found is HS256
[Tue Apr 12 04:28:12.778792 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: granted
[Tue Apr 12 04:28:12.778794 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : granted
[Tue Apr 12 04:28:12.778828 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778830 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778833 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778836 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778838 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778844 2022] [auth_jwt:error] [pid 18237] [client 24.14.160.70:34742] AH55409: auth_jwt authn: missing authorization cookie
```

Notice that at the bottom it complains about the missing authorization cookie, but in the log above it, it found the cookie and granted the group.

If anyone can help me, I'd be greatly appreciative; I've been staring at the source and tracing for days now.

I've modified some parts of the log such as the IP address and a couple of directories, so if you see a small difference go ahead and call it out, but it may just be something I forgot to update. I tried to be concise and provide all of the information possible.

Thank you! Dan Chase
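The pattern described in this report (one client connection, two auth_jwt passes, the first succeeding and the second failing with "missing authorization cookie") can be pulled out of the Apache error log mechanically. The following is an added example, not code from mod_authnz_jwt or from the reporter; it parses error-log lines in the format shown above and groups mod_authnz_jwt authentication passes per client, flagging clients whose passes disagree. The sample lines are an excerpt of the log pasted in this issue.

```python
import re
from collections import defaultdict

# Apache 2.4 error-log format as it appears in this issue. The "file.c(line): "
# part is optional because the AH55409 error line in the issue lacks it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>[^\]]+)\] "
    r"(?:\S+\(\d+\): )?\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$"
)

# AH55400 is also used for the authSubType/delivery_type lines, so a pass is
# opened on the message text, and closed by one of the two outcome codes.
START_MSG = "checking authentication with token"
OUTCOMES = {"AH55406": "signature ok", "AH55409": "missing cookie"}

# Excerpt of the log posted in the issue (reordered nothing, only trimmed).
SAMPLE = """\
[Tue Apr 12 04:28:12.778652 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778674 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778762 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1175): [client 24.14.160.70:34742] AH55406: auth_jwt authn: signature is correct
[Tue Apr 12 04:28:12.778792 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: granted
[Tue Apr 12 04:28:12.778833 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778844 2022] [auth_jwt:error] [pid 18237] [client 24.14.160.70:34742] AH55409: auth_jwt authn: missing authorization cookie
""".splitlines()


def parse(lines):
    """Return one dict per line that matches the error-log format; others are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def auth_passes(lines):
    """Map client (ip:port) -> list of outcomes, one entry per auth_jwt pass."""
    passes = defaultdict(list)
    for ev in parse(lines):
        if ev["mod"] != "auth_jwt":
            continue
        if ev["code"] == "AH55400" and START_MSG in ev["msg"]:
            passes[ev["client"]].append("no result")  # pass opened, outcome not yet seen
        elif ev["code"] in OUTCOMES and passes.get(ev["client"]):
            passes[ev["client"]][-1] = OUTCOMES[ev["code"]]  # close the latest pass
    return dict(passes)


def inconsistent_clients(lines):
    """Clients authenticated more than once with differing outcomes, as in this issue."""
    return sorted(c for c, outcomes in auth_passes(lines).items() if len(set(outcomes)) > 1)


if __name__ == "__main__":
    for client, outcomes in auth_passes(SAMPLE).items():
        print(client, "->", outcomes)
```

Running it on the full log from the report prints the client with `['signature ok', 'missing cookie']`, which is the duplicate pass the text points at; feeding it a log from the working box should give exactly one outcome per client.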

danchaseCTS commented 2 years ago

I did more debugging on the one that WORKS, and it looks like there is no mention of some of the other modules in the log above:

```
[Wed Apr 13 03:05:29.662266 2022] [ssl:debug] [pid 67925:tid 140460479715072] ssl_engine_kernel.c(415): [client 4.14.160.70:41135] AH02034: Initial (No.1) HTTPS request received for child 74 (server devsuey.com:443)
[Wed Apr 13 03:05:29.662335 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(436): [client 4.14.160.70:41135] Headers received from client:
[Wed Apr 13 03:05:29.662399 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Host: devsuey.com
[Wed Apr 13 03:05:29.662461 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Connection: keep-alive
[Wed Apr 13 03:05:29.662470 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Cache-Control: max-age=0
[Wed Apr 13 03:05:29.662475 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"101\", \"Microsoft Edge\";v=\"101\"
[Wed Apr 13 03:05:29.662480 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] sec-ch-ua-mobile: ?0
[Wed Apr 13 03:05:29.662484 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] sec-ch-ua-platform: \"Windows\"
[Wed Apr 13 03:05:29.662489 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Upgrade-Insecure-Requests: 1
[Wed Apr 13 03:05:29.662493 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.15 Safari/537.36 Edg/101.0.1210.10
[Wed Apr 13 03:05:29.662498 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
[Wed Apr 13 03:05:29.662502 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Sec-Fetch-Site: none
[Wed Apr 13 03:05:29.662506 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Sec-Fetch-Mode: navigate
[Wed Apr 13 03:05:29.662510 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Sec-Fetch-User: ?1
[Wed Apr 13 03:05:29.662514 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Sec-Fetch-Dest: document
[Wed Apr 13 03:05:29.662519 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Accept-Encoding: gzip, deflate, br
[Wed Apr 13 03:05:29.662523 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Accept-Language: en-US,en;q=0.9
[Wed Apr 13 03:05:29.662536 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] Cookie: AuthToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkZW1vIiwiZXhwIjoxNjQ5NzE1NTUzLCJpYXQiOjE2NDk3MTM3NTMsImlzcyI6ImRldnN1ZXkuY29tIiwibmJmIjoxNjQ5NzEzNzUzLCJ1c2VyIjoidXNlciJ9.T4yCNDdBCe-y_6m37WtpDoLsLgZmF_C_5BhWlpcmT2Q
[Wed Apr 13 03:05:29.662541 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] If-None-Match: \"15-5dc67e9130bb8\"
[Wed Apr 13 03:05:29.662547 2022] [http:trace4] [pid 67925:tid 140460479715072] http_request.c(439): [client 4.14.160.70:41135] If-Modified-Since: Mon, 11 Apr 2022 21:48:53 GMT
[Wed Apr 13 03:05:29.662598 2022] [authz_core:debug] [pid 67925:tid 140460479715072] mod_authz_core.c(817): [client 4.14.160.70:41135] AH01626: authorization result of Require all granted: granted
[Wed Apr 13 03:05:29.662604 2022] [authz_core:debug] [pid 67925:tid 140460479715072] mod_authz_core.c(817): [client 4.14.160.70:41135] AH01626: authorization result of : granted
```

danchaseCTS commented 2 years ago

I'm starting to wonder if this supports `Require group`. If it doesn't, it could explain things: the regular authentication mechanism is having to handle it, and failing because I don't have BasicAuth configured in this Directory.