gavincarr / mod_auth_tkt

Lightweight single-signon authentication module for Apache

mod_auth_tkt & mod_proxy...reverse proxy removes query string? #4

Closed bmacauley closed 7 years ago

bmacauley commented 13 years ago

I have an issue with mod_auth_tkt when used with mod_proxy in a reverse proxy setup.

I used this previous mod_auth_tkt thread as reference... http://sourceforge.net/mailarchive/forum.php?thread_name=07A4A9EC53C2B841A7015A2E2FAFD19506C8CA58%40flybe06.flybe.local&forum_name=modauthtkt-users

Any URL with a query string has the query string removed when it is proxy'ed to the backend application.

eg

https://config.mycompany.com/app1/csdmain.vmgw ...works
http://app1.mycompany.com:8080/csdmain.vmgw sent

https://config.mycompany.com/app1/csdsrch.vmgw ...works
http://app1.mycompany.com:8080/csdsrch.vmgw sent

https://config.mycompany.com/app1/csdshow.vmgw?mode=text&fname=HIGHPT&ftype=AB1234 ..doesn't work
http://app1.mycompany.com:8080/csdshow.vmgw is sent to the backend application

debug dump...

    [ mod_auth_tkt config ]
    the_request: GET /app1/csdshow.vmgw?mode=text&fname=HIGHPT&ftype=AB1234 HTTP/1.1
    URI: /app1/csdshow.vmgw
    unparsed URI: /app1/csdshow.vmgw?mode=text&fname=HIGHPT&ftype=AB1234
    Args: mode=text&fname=HIGHPT&ftype=AB1234
    Filename: proxy:http://app1.mycompany.com:8080/csdshow.vmgw
    TKTAuthSecret: wx4qJ3XWKLrN1f7EQbgP
    TKTAuthSecretOld: (null)
    TKTAuthDigestType: MD5
    digest_sz: 32
    directory: /app1
    TKTAuthLoginURL: https://www.salesforce.com/secur/login.jsp
    TKTAuthTimeoutURL: (null)
    TKTAuthPostTimeoutURL: (null)
    TKTAuthUnauthURL: (null)
    TKTAuthCookieName: GBTicket
    TKTAuthDomain: .mycompany.com
    TKTAuthCookieExpires: 7200
    TKTAuthBackCookieName: back
    TKTAuthBackArgName: back
    TKTAuthIgnoreIP: -1
    TKTAuthRequireSSL: -1
    TKTAuthCookieSecure: 1
    TKTAuthTimeoutMin: 7200
    TKTAuthTimeoutRefresh: 0.500000
    TKTAuthGuestLogin: -1
    TKTAuthGuestCookie: -1
    TKTAuthGuestUser: (null)
    TKTAuthGuestFallback -1
    TKTAuthDebug: 3

I am using...

CentOS 5.6
Apache 2.2
mod_auth_tkt 2.1

My config is as follows...

<VirtualHost *:443>

    ServerName config.mycompany.com
    ServerAlias config.mycompany.com

    TKTAuthSecret "secret"

    # all requests for /back/* must be authenticated
    <Location /csd>
        #AuthType Basic
        Require valid-user
        TKTAuthLoginURL  https://www.salesforce.com/secur/login.jsp
        TKTAuthCookieName GBTicket
        TKTAuthCookieSecure on
        TKTAuthDomain .mycompany.com
        #TKTAuthBackArgName
        TKTAuthBackCookieName back
        TKTAuthTimeout 2h
        TKTAuthCookieExpires 2h
        TKTAuthDebug 0
    </Location>

    ProxyRequests off
    ProxyPass /app1/  http://app1.mycompany.com:8080/

    RewriteEngine on
    RewriteRule ^/app1/?$ http://app1.mycompany.com:8080/ [P,L]
    RewriteRule ^/app1/(.+)$ http://app1.mycompany.com:8080/$1 [P,L]

    ProxyPassReverse  /app1/      http://app1.mycompany.com:8080/
    WSGIScriptAlias /login    /var/www/public_html/config.mycompany.com/login/adapter.wsgi

</VirtualHost>

The application receives a federated login from a salesforce app, and a Python wsgi app creates the GBTicket secure cookie.

I have tried both mod_proxy and mod_rewrite for the reverse proxy, with the same result. I have also tried to add the query string back in to the request using mod_rewrite, but it still gets removed.

When I disable mod_auth_tkt, the reverse proxy works as normal, and the query string is passed through to the backend application.

Do you have any idea why this is happening?

Thanks, Brian M

gavincarr commented 13 years ago

[Replied on the mod_auth_tkt mailing list, but duped here for search]

Hi Brian,

This is a pretty weird problem. I can't reproduce it on my laptop, which is pretty similar to your setup - CentOS 6, Apache 2.2, mod_auth_tkt 2.1.

I used the following config (pretty much cut-and-pasted from yours):

<Location /sledge>
    AuthType None
    Require valid-user
    TKTAuthLoginURL http://nox/auth/login.cgi
    TKTAuthBackCookieName back
    TKTAuthTimeout 2h
    TKTAuthCookieExpires 2h
    TKTAuthDebug 0
</Location>

ProxyRequests on
ProxyPass /sledge/ http://localhost:3005/
ProxyPassReverse /sledge/ http://localhost:3005/

I'm seeing query strings go straight through to the backend app just fine, as expected.

Have you got any further debugging this since you posted?

Cheers, Gavin
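
One way to confirm what the backend actually receives, independent of the real application, is to point the proxy at a stand-in that records the raw request target. This is an added example, not code from the thread or from mod_auth_tkt; port 8080 mirrors the ProxyPass target above, the bind address is an assumption, and the names `EchoTarget`, `query_survived` and `self_check` are hypothetical.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEEN = []  # one record per request received, newest last


class EchoTarget(BaseHTTPRequestHandler):
    def do_GET(self):
        parts = urlsplit(self.path)  # self.path is the raw request target
        raw = self.headers.get("Cookie", "")
        # Record cookie names only: ticket values must not end up in logs.
        names = [c.split("=", 1)[0].strip() for c in raw.split(";") if c.strip()]
        record = {"target": self.path, "path": parts.path,
                  "query": parts.query, "cookies": sorted(names)}
        SEEN.append(record)
        body = json.dumps(record).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep stderr quiet; SEEN is the log
        pass


def query_survived(front_url, record):
    """True if the backend saw the same query string the client sent."""
    return urlsplit(front_url).query == record["query"]


def self_check(target, cookie="GBTicket=constructed-value"):
    """Send one request straight to the stand-in (no proxy); return its record."""
    server = HTTPServer(("127.0.0.1", 0), EchoTarget)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", target, headers={"Cookie": cookie})
        return json.loads(conn.getresponse().read())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Assumed bind address and port; restrict to the interface the proxy uses.
    HTTPServer(("0.0.0.0", 8080), EchoTarget).serve_forever()
```

Run it in place of the application on the backend host, request the failing URL through the proxy, and compare the `query` field with the TKTAuth directives enabled and disabled.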