PyAuthenNTLM2 auth skipped when PHP-FPM processing is enabled for PHP #27

Open
akovacs123 opened this issue Jun 22, 2016 · 1 comment
@akovacs123

Hi All,

I do not know if this is a bug or simply an Apache configuration issue. I use the latest PyAuthenNTLM2 and Apache 2.4.10 (Debian Jessie stock).

Here is my problem:

  1. PyAuthenNTLM2 works nicely when I add it to my virtual host config. I get [REMOTE_USER] in my PHP scripts.
  2. When I request to pass PHP processing to FPM, [REMOTE_USER] disappears from server variables.

My first idea is that the HTTP Authentication header is not passed to fcgi. But using the following rewrite rule does not help:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

It provides an empty HTTP_AUTHORIZATION field. According to the Apache debug logs, Python processing is skipped:

[Wed Jun 22 09:56:53.261502 2016] [authz_core:debug] [pid 16270] mod_authz_core.c(835): [client 192.168.23.35:64541] AH01628: authorization result: granted (no directives)

[Wed Jun 22 09:56:53.261570 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(77): [client 192.168.23.35:64541] AH01060: set r->filename to proxy:fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php

[Wed Jun 22 09:56:53.261607 2016] [proxy:debug] [pid 16270] mod_proxy.c(1155): [client 192.168.23.35:64541] AH01143: Running scheme fcgi handler (attempt 0)

[Wed Jun 22 09:56:53.261651 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(786): [client 192.168.23.35:64541] AH01076: url: fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php proxyname: (null) proxyport: 0

My Apache virtual host config is:

<VirtualHost *:80>
    ServerName myserver.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/ntlm/

    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/ntlm/$1

    <Directory /var/www/ntlm>

        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Satisfy any

        AuthType NTLM
        AuthName "NTLM Authentication"
        require valid-user
        PythonOption Require valid-user

        AddHandler mod_python .py
        PythonHandler mod_python.publisher

        PythonAuthenHandler pyntlm
        PythonOption Domain MYDOMAIN
        PythonOption PDC mypdc
        PythonOption BDC mybdc
        PythonDebug On

    </Directory>

    LogLevel debug

    ErrorLog ${APACHE_LOG_DIR}/ntlm-error.log
    CustomLog ${APACHE_LOG_DIR}/ntlm-access.log combined

</VirtualHost>

Any help is appreciated. Thank you very much.

@stroobl

stroobl commented Apr 10, 2017

We have a similar issue on Debian Jessie. This might help: http://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers
Still testing some config options. (The Apache version in Jessie is too low to use CGIPassAuth on)
