From db138deb1aea2e10b4365a87ef2f2b767d74bfc0 Mon Sep 17 00:00:00 2001 From: Malcolm Scott Date: Sat, 6 Jul 2019 13:22:15 +0100 Subject: [PATCH] Add AACanonicaliseName setting to configure whether to redirect using the canonical ServerName --- CHANGES | 7 ++++ README.Config | 18 +++++++++ debian/changelog | 9 +++++ mod_ucam_webauth.c | 77 +++++++++++++++++++++++++------------- mod_ucam_webauth.conf.skel | 5 ++- 5 files changed, 90 insertions(+), 26 deletions(-) diff --git a/CHANGES b/CHANGES index bf6669a..711169d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +2.0.6 - 2019-09-06 mas90 + + . Add new configuration directive AACanonicaliseName to configure whether + to always redirect using ServerName (default) or to honour Apache's + UseCanonicalName configuration (useful for virtual hosts with configured + ServerAliases) + 2.0.5 - 2017-05-26 mgk25 . delete obsolete Apache 1.3 code and macros (GitHub #18) diff --git a/README.Config b/README.Config index 6435528..f29aaa9 100644 --- a/README.Config +++ b/README.Config 
@@ -770,6 +770,24 @@ AAForceAuthType 'AAForceAuthType Basic' could allow authentication systems intended for use with HTTP Basic Auth to work under Ucam-WebAuth. +AACanonicaliseName + + Syntax: AACanonicaliseName Off|On + Default: AACanonicaliseName On + Context: all + Override: AuthConfig + Module: mod_ucam_webauth + + If set to On (default), the user will be redirected to the virtual + host's canonical hostname (ServerName), and that name will be used + whenever a redirection URL is constructed. This will ensure that + cookies are always set and retrieved using the primary domain. + + If set to Off, the user will not be explicitly redirected by this + module, and the setting of Apache's UseCanonicalName configuration + directive will be honoured when constructing redirect URLs; see + https://httpd.apache.org/docs/current/mod/core.html#usecanonicalname + Versions of the module prior to 1.0.0 supported the AALogLevel directive. Support for this has been withdrawn - at present any use of this directive causes a warning to be logged; in due course use of diff --git a/debian/changelog b/debian/changelog index 88199a2..2b491df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +libapache2-mod-ucam-webauth (2.0.6apache24) unstable; urgency=medium + + * Add new configuration directive AACanonicaliseName to configure whether + to always redirect using ServerName (default) or to honour Apache's + UseCanonicalName configuration (useful for virtual hosts with configured + ServerAliases) + + -- Malcolm Scott Sat, 06 Jul 2019 12:37:24 +0100 + libapache2-mod-ucam-webauth (2.0.5apache24) unstable; urgency=low * Modify package to include recent improvements diff --git a/mod_ucam_webauth.c b/mod_ucam_webauth.c index ca00309..a741acf 100644 --- a/mod_ucam_webauth.c +++ b/mod_ucam_webauth.c @@ -26,7 +26,7 @@ */ -#define VERSION "2.0.5" +#define VERSION "2.0.6" /* MODULE-DEFINITION-START 
@@ -174,6 +174,7 @@ APLOG_USE_MODULE(ucam_webauth); #define DEFAULT_header_key NULL #define DEFAULT_force_auth_type "Ucam-WebAuth" #define DEFAULT_required_ptags PTAGS_CURRENT +#define DEFAULT_canonicalise_name 1 /* module configuration structure */ @@ -207,6 +208,7 @@ typedef struct { char *header_key; char *force_auth_type; unsigned int required_ptags; + int canonicalise_name; } mod_ucam_webauth_cfg; /* logging macro. Note that it will only work in an environment where @@ -1191,7 +1193,8 @@ make_cookie_str(request_rec *r, /* --- */ static char * -get_url(request_rec *r) +get_url(request_rec *r, + mod_ucam_webauth_cfg *c) { @@ -1205,11 +1208,15 @@ get_url(request_rec *r) url = ap_construct_url(r->pool, r->unparsed_uri, r); APACHE_LOG1(APLOG_DEBUG, "get_url: raw url = %s", url); - /* ap_construct_url honours UseCannonicalName but we really don't + /* ap_construct_url honours UseCannonicalName but we might not want that so we re-parse this result and override the hostname component with what we know we are really called */ + if (c->canonicalise_name == 0) { + return url; + } + if (apr_uri_parse(r->pool, url, &uri)) APACHE_LOG0(APLOG_CRIT, "Failed to parse own URL"); uri.hostname = r->server->server_hostname; @@ -1503,6 +1510,7 @@ webauth_create_dir_config(apr_pool_t *p, cfg->header_key = NULL; cfg->force_auth_type = NULL; cfg->required_ptags = PTAGS_UNSET; + cfg->canonicalise_name = -1; return (void *)cfg; } @@ -1586,6 +1594,8 @@ webauth_merge_dir_config(apr_pool_t *p, new->force_auth_type : base->force_auth_type; merged->required_ptags = new->required_ptags != PTAGS_UNSET ? new->required_ptags : base->required_ptags; + merged->canonicalise_name = new->canonicalise_name != -1 ? + new->canonicalise_name : base->canonicalise_name; log_p_or_rerror(NULL,p,"Merge result:"); dump_config(NULL,p,merged); 
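Review bot: In get_url the new early `return url;` for AACanonicaliseName Off hands back whatever ap_construct_url built, which the patch's own help string admits "may use the client-supplied Host header" when UseCanonicalName is Off; that string is then embedded as the `url=` parameter of the WLS request (construct_request hunk) and is the value decode_response compares the ticket's url against. On a vhost that also answers for names it does not list (the default vhost, or a `ServerAlias *`) a client-chosen Host is therefore reflected into the login redirect and the post-login return URL, a caveat neither this comment nor the README text in the patch states. Suggest replacing the rewritten comment with `/* AACanonicaliseName Off: trust ap_construct_url (and so, with UseCanonicalName Off, the client's Host header); only appropriate on vhosts with an explicit ServerName/ServerAlias list */` and adding the same sentence to README.Config. Note also that the unset value -1 falls through to the canonicalising path here, which presumably relies on every caller having run apply_config_defaults first; worth saying in the function comment. get_url's body continues past this hunk.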
@@ -1664,6 +1674,8 @@ apply_config_defaults(request_rec *r, apr_pstrdup(r->pool,DEFAULT_force_auth_type); n->required_ptags = c->required_ptags != PTAGS_UNSET ? c->required_ptags : DEFAULT_required_ptags; + n->canonicalise_name = c->canonicalise_name != -1 ? c->canonicalise_name : + DEFAULT_canonicalise_name; /* the string 'none' resets the various '...Msg' settings to default */ @@ -1872,6 +1884,9 @@ dump_config(request_rec *r, apr_pool_t *p, log_p_or_rerror(r,p," AAForceAuthType = %s", (c->force_auth_type == NULL ? "NULL" : c->force_auth_type)); + log_p_or_rerror(r,p," AACanonicaliseName = %d", + c->canonicalise_name); + } } @@ -2539,7 +2554,7 @@ decode_response(request_rec *r, are in a sub-request it's the URL from the corresponding main request that we need */ - this_url = get_url(r->main ? r->main : r); + this_url = get_url(r->main ? r->main : r, c); this_url = ap_getword(r->pool, &this_url, '?'); response_url = apr_table_get(response_ticket, "url"); response_url = ap_getword(r->pool, &response_url, '?'); @@ -2840,7 +2855,7 @@ construct_request(request_rec *r, request = apr_pstrcat (r->pool, "ver=", PROTOCOL_VERSION, - "&url=", escape_url(r->pool,get_url(r->main ? r->main : r)), + "&url=", escape_url(r->pool,get_url(r->main ? r->main : r, c)), "&date=", iso2_time_encode(r, apr_time_now()), NULL); 
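Review bot: The unset sentinel `-1` for canonicalise_name is a bare magic number in apply_config_defaults (and in the create/merge hunks earlier in this patch), while the neighbouring required_ptags test uses the named `PTAGS_UNSET`; a `#define CANONICALISE_NAME_UNSET (-1)` beside `DEFAULT_canonicalise_name` would keep the three tests in step and make the sentinel greppable. The dump_config line prints the raw int, so an unset value appears as `-1` in the log rather than a word; `c->canonicalise_name == 1 ? "On" : c->canonicalise_name == 0 ? "Off" : "unset"` would match the On/Off vocabulary of the directive and of the other dumped settings. Both apply_config_defaults and dump_config extend beyond this hunk.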
@@ -2961,37 +2976,39 @@ webauth_authn(request_rec *r) (APLOG_INFO, "** mod_ucam_webauth (%s) authn handler started for %s", VERSION, r->uri); + c = (mod_ucam_webauth_cfg *) + ap_get_module_config(r->per_dir_config, &ucam_webauth_module); + c = apply_config_defaults(r,c); + + dump_config(r,NULL,c); + /* If the hostname the user used (as reported by the 'Host' header) doesn't match the configured hostname for this server then we are going to have all sorts of problems with cookies and redirects, so fix it (with a redirect) now. */ - host = apr_pstrdup(r->pool,apr_table_get(r->headers_in, "Host")); - if (host != NULL) { - colon = strchr(host,':'); - if (colon != NULL) - *colon = '\0'; - if (r->server->server_hostname && - strcasecmp(r->server->server_hostname,host)) { + if (c->canonicalise_name != 0) { + host = apr_pstrdup(r->pool,apr_table_get(r->headers_in, "Host")); + if (host != NULL) { colon = strchr(host,':'); if (colon != NULL) *colon = '\0'; - APACHE_LOG2 - (APLOG_DEBUG,"Browser supplied hostname (%s) does not match " - "configured hostname (%s) - redirecting", - host, r->server->server_hostname); - apr_table_set(r->headers_out, "Location", get_url(r)); - return (r->method_number == M_GET) ? - HTTP_MOVED_TEMPORARILY : HTTP_SEE_OTHER; + if (r->server->server_hostname && + strcasecmp(r->server->server_hostname,host)) { + colon = strchr(host,':'); + if (colon != NULL) + *colon = '\0'; + APACHE_LOG2 + (APLOG_DEBUG,"Browser supplied hostname (%s) does not match " + "configured hostname (%s) - redirecting", + host, r->server->server_hostname); + apr_table_set(r->headers_out, "Location", get_url(r, c)); + return (r->method_number == M_GET) ? + HTTP_MOVED_TEMPORARILY : HTTP_SEE_OTHER; + } } } - c = (mod_ucam_webauth_cfg *) - ap_get_module_config(r->per_dir_config, &ucam_webauth_module); - c = apply_config_defaults(r,c); - - dump_config(r,NULL,c); - cache_control(r,c->cache_control); rc = decode_cookie(r,c); 
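Review bot: Inside the new `if (c->canonicalise_name != 0)` block the second `colon = strchr(host,':'); if (colon != NULL) *colon = '\0';` after the strcasecmp is dead code, because host was already truncated at its first colon a few lines earlier, so the re-indented copy should simply be deleted rather than carried forward. The comment above the block ("...so fix it (with a redirect) now") is now only true when AACanonicaliseName is On; suggest appending `/* Skipped when AACanonicaliseName Off: the Host header is then accepted as-is and redirects and cookies follow it */` so the trust decision is visible at the point it is made. Hoisting ap_get_module_config/apply_config_defaults above the Host check also means dump_config now runs for requests that are immediately redirected, which is harmless but adds whatever dump_config logs to every redirect. The authn handler continues past this hunk.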
@@ -3383,6 +3400,16 @@ static const command_rec webauth_commands[] = { RSRC_CONF | OR_AUTHCFG, "a list of required ptags for authentication to succeed"), + AP_INIT_FLAG("AACanonicaliseName", + ap_set_flag_slot, + (void *)APR_OFFSETOF + (mod_ucam_webauth_cfg,canonicalise_name), + RSRC_CONF | OR_AUTHCFG, + "either 'on' or 'off'; " + "'on' (default) always uses the virtual host's ServerName in " + "redirect URLs; 'off' honours UseCanonicalName and may use the " + "client-supplied Host header in URLs"), + {NULL} }; diff --git a/mod_ucam_webauth.conf.skel b/mod_ucam_webauth.conf.skel index 1899e4f..d39551b 100644 --- a/mod_ucam_webauth.conf.skel +++ b/mod_ucam_webauth.conf.skel @@ -46,4 +46,7 @@ LoadModule ucam_webauth_module @@LIBEXECDIR@@/mod_ucam_webauth.so # AAFail Off # AAAlwaysDecode Off -# AAAlwaysDecode Off \ No newline at end of file +# AAAlwaysDecode Off + +# AACanonicaliseName On +
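Review bot: AACanonicaliseName is registered with `RSRC_CONF | OR_AUTHCFG`, so under AllowOverride AuthConfig a .htaccess can switch it Off for a subtree, and because webauth_authn reads the per-directory config before the Host check, that disables the hostname redirect (and with it the "cookies always on the primary domain" guarantee the README claims) for just that path. That matches the neighbouring AARequiredPtags registration, but the effect is really a per-vhost property, so consider `RSRC_CONF` alone, or at least extend the help string with "per-directory 'off' disables the Host check for that path only". The help text is otherwise good in naming the Host-header consequence of Off. The command table continues past this hunk.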
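Review bot: The skeleton keeps two identical commented `# AAAlwaysDecode Off` lines (the second being the one that previously lacked a trailing newline); one of them is presumably a copy-paste leftover meant for a different directive, and this hunk, which already rewrites that line, is the natural place to drop or correct it instead of carrying the duplicate forward. The added `# AACanonicaliseName On` entry itself matches the documented default.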