Add AACanonicaliseName setting to control redirection to the canonical ServerName #24

Open
wants to merge 1 commit into
base: master
7 changes: 7 additions & 0 deletions CHANGES
@@ -1,3 +1,10 @@
2.0.6 - 2019-09-06 mas90

. Add new configuration directive AACanonicaliseName to configure whether
to always redirect using ServerName (default) or to honour Apache's
UseCanonicalName configuration (useful for virtual hosts with configured
ServerAliases)

2.0.5 - 2017-05-26 mgk25

. delete obsolete Apache 1.3 code and macros (GitHub #18)
18 changes: 18 additions & 0 deletions README.Config
Expand Up @@ -770,6 +770,24 @@ AAForceAuthType
'AAForceAuthType Basic' could allow authentication systems intended
for use with HTTP Basic Auth to work under Ucam-WebAuth.

AACanonicaliseName

Syntax: AACanonicaliseName Off|On
Default: AACanonicaliseName On
Context: all
Override: AuthConfig
Module: mod_ucam_webauth

If set to On (default), the user will be redirected to the virtual
host's canonical hostname (ServerName), and that name will be used
whenever a redirection URL is constructed. This will ensure that
cookies are always set and retrieved using the primary domain.

If set to Off, the user will not be explicitly redirected by this
module, and the setting of Apache's UseCanonicalName configuration
directive will be honoured when constructing redirect URLs; see
https://httpd.apache.org/docs/current/mod/core.html#usecanonicalname

Versions of the module prior to 1.0.0 supported the AALogLevel
directive. Support for this has been withdrawn - at present any use of
this directive causes a warning to be logged; in due course use of
9 changes: 9 additions & 0 deletions debian/changelog
@@ -1,3 +1,12 @@
libapache2-mod-ucam-webauth (2.0.6apache24) unstable; urgency=medium

* Add new configuration directive AACanonicaliseName to configure whether
to always redirect using ServerName (default) or to honour Apache's
UseCanonicalName configuration (useful for virtual hosts with configured
ServerAliases)

-- Malcolm Scott <[email protected]> Sat, 06 Jul 2019 12:37:24 +0100

libapache2-mod-ucam-webauth (2.0.5apache24) unstable; urgency=low

* Modify package to include recent improvements
77 changes: 52 additions & 25 deletions mod_ucam_webauth.c
Expand Up @@ -26,7 +26,7 @@

*/

#define VERSION "2.0.5"
#define VERSION "2.0.6"

/*
MODULE-DEFINITION-START
Expand Down Expand Up @@ -174,6 +174,7 @@ APLOG_USE_MODULE(ucam_webauth);
#define DEFAULT_header_key NULL
#define DEFAULT_force_auth_type "Ucam-WebAuth"
#define DEFAULT_required_ptags PTAGS_CURRENT
#define DEFAULT_canonicalise_name 1

/* module configuration structure */

Expand Down Expand Up @@ -207,6 +208,7 @@ typedef struct {
char *header_key;
char *force_auth_type;
unsigned int required_ptags;
int canonicalise_name;
} mod_ucam_webauth_cfg;

/* logging macro. Note that it will only work in an environment where
Expand Down Expand Up @@ -1191,7 +1193,8 @@ make_cookie_str(request_rec *r,
/* --- */

static char *
get_url(request_rec *r)
get_url(request_rec *r,
mod_ucam_webauth_cfg *c)

{

Expand All @@ -1205,11 +1208,15 @@ get_url(request_rec *r)
url = ap_construct_url(r->pool, r->unparsed_uri, r);
APACHE_LOG1(APLOG_DEBUG, "get_url: raw url = %s", url);

/* ap_construct_url honours UseCannonicalName but we really don't
/* ap_construct_url honours UseCannonicalName but we might not
want that so we re-parse this result and override the hostname
component with what we know we are really called
*/

if (c->canonicalise_name == 0) {
return url;
}

if (apr_uri_parse(r->pool, url, &uri))
APACHE_LOG0(APLOG_CRIT, "Failed to parse own URL");
uri.hostname = r->server->server_hostname;
Expand Down Expand Up @@ -1503,6 +1510,7 @@ webauth_create_dir_config(apr_pool_t *p,
cfg->header_key = NULL;
cfg->force_auth_type = NULL;
cfg->required_ptags = PTAGS_UNSET;
cfg->canonicalise_name = -1;
return (void *)cfg;

}
Expand Down Expand Up @@ -1586,6 +1594,8 @@ webauth_merge_dir_config(apr_pool_t *p,
new->force_auth_type : base->force_auth_type;
merged->required_ptags = new->required_ptags != PTAGS_UNSET ?
new->required_ptags : base->required_ptags;
merged->canonicalise_name = new->canonicalise_name != -1 ?
new->canonicalise_name : base->canonicalise_name;

log_p_or_rerror(NULL,p,"Merge result:");
dump_config(NULL,p,merged);
Expand Down Expand Up @@ -1664,6 +1674,8 @@ apply_config_defaults(request_rec *r,
apr_pstrdup(r->pool,DEFAULT_force_auth_type);
n->required_ptags = c->required_ptags != PTAGS_UNSET ? c->required_ptags :
DEFAULT_required_ptags;
n->canonicalise_name = c->canonicalise_name != -1 ? c->canonicalise_name :
DEFAULT_canonicalise_name;

/* the string 'none' resets the various '...Msg' settings to default */

Expand Down Expand Up @@ -1872,6 +1884,9 @@ dump_config(request_rec *r, apr_pool_t *p,
log_p_or_rerror(r,p," AAForceAuthType = %s",
(c->force_auth_type == NULL ? "NULL" : c->force_auth_type));

log_p_or_rerror(r,p," AACanonicaliseName = %d",
c->canonicalise_name);

}

}
Expand Down Expand Up @@ -2539,7 +2554,7 @@ decode_response(request_rec *r,
are in a sub-request it's the URL from the corresponding main
request that we need */

this_url = get_url(r->main ? r->main : r);
this_url = get_url(r->main ? r->main : r, c);
this_url = ap_getword(r->pool, &this_url, '?');
response_url = apr_table_get(response_ticket, "url");
response_url = ap_getword(r->pool, &response_url, '?');
Expand Down Expand Up @@ -2840,7 +2855,7 @@ construct_request(request_rec *r,
request = apr_pstrcat
(r->pool,
"ver=", PROTOCOL_VERSION,
"&url=", escape_url(r->pool,get_url(r->main ? r->main : r)),
"&url=", escape_url(r->pool,get_url(r->main ? r->main : r, c)),
"&date=",
iso2_time_encode(r, apr_time_now()),
NULL);
Expand Down Expand Up @@ -2961,37 +2976,39 @@ webauth_authn(request_rec *r)
(APLOG_INFO, "** mod_ucam_webauth (%s) authn handler started for %s",
VERSION, r->uri);

c = (mod_ucam_webauth_cfg *)
ap_get_module_config(r->per_dir_config, &ucam_webauth_module);
c = apply_config_defaults(r,c);

dump_config(r,NULL,c);

/* If the hostname the user used (as reported by the 'Host' header)
doesn't match the configured hostname for this server then we are
going to have all sorts of problems with cookies and redirects,
so fix it (with a redirect) now. */

host = apr_pstrdup(r->pool,apr_table_get(r->headers_in, "Host"));
if (host != NULL) {
colon = strchr(host,':');
if (colon != NULL)
*colon = '\0';
if (r->server->server_hostname &&
strcasecmp(r->server->server_hostname,host)) {
if (c->canonicalise_name != 0) {
host = apr_pstrdup(r->pool,apr_table_get(r->headers_in, "Host"));
if (host != NULL) {
colon = strchr(host,':');
if (colon != NULL)
*colon = '\0';
APACHE_LOG2
(APLOG_DEBUG,"Browser supplied hostname (%s) does not match "
"configured hostname (%s) - redirecting",
host, r->server->server_hostname);
apr_table_set(r->headers_out, "Location", get_url(r));
return (r->method_number == M_GET) ?
HTTP_MOVED_TEMPORARILY : HTTP_SEE_OTHER;
if (r->server->server_hostname &&
strcasecmp(r->server->server_hostname,host)) {
colon = strchr(host,':');
if (colon != NULL)
*colon = '\0';
APACHE_LOG2
(APLOG_DEBUG,"Browser supplied hostname (%s) does not match "
"configured hostname (%s) - redirecting",
host, r->server->server_hostname);
apr_table_set(r->headers_out, "Location", get_url(r, c));
return (r->method_number == M_GET) ?
HTTP_MOVED_TEMPORARILY : HTTP_SEE_OTHER;
}
}
}

c = (mod_ucam_webauth_cfg *)
ap_get_module_config(r->per_dir_config, &ucam_webauth_module);
c = apply_config_defaults(r,c);

dump_config(r,NULL,c);

cache_control(r,c->cache_control);

rc = decode_cookie(r,c);
Expand Down Expand Up @@ -3383,6 +3400,16 @@ static const command_rec webauth_commands[] = {
RSRC_CONF | OR_AUTHCFG,
"a list of required ptags for authentication to succeed"),

AP_INIT_FLAG("AACanonicaliseName",
ap_set_flag_slot,
(void *)APR_OFFSETOF
(mod_ucam_webauth_cfg,canonicalise_name),
RSRC_CONF | OR_AUTHCFG,
"either 'on' or 'off'; "
"'on' (default) always uses the virtual host's ServerName in "
"redirect URLs; 'off' honours UseCanonicalName and may use the "
"client-supplied Host header in URLs"),

{NULL}

};
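Review bot: The early `return url;` in get_url makes the module trust a client-supplied hostname when AACanonicaliseName is Off, because ap_construct_url under UseCanonicalName Off takes the hostname from the request's Host header, and that string then becomes the `url=` parameter in construct_request and the value compared in decode_response. On a default (catch-all) virtual host that name is not restricted to the configured ServerName and ServerAliases, so the authentication request may carry a hostname the administrator never configured. I would say so next to the early return, e.g. `/* canonicalise_name off: hostname may come from the Host header; only safe where the vhost accepts configured names only */`, and repeat the caveat in README.Config; a stricter option is to fall back to `r->server->server_hostname` unless `ap_matches_request_vhost()` accepts the supplied name. Separately, this rendered section shows the `ap_get_module_config`/`apply_config_defaults` lines both before and after the Host check in webauth_authn, and the colon-stripping lines twice, so confirm that the new side assigns `c` before `if (c->canonicalise_name != 0)` reads it and does not keep the duplicate. The bodies of get_url and webauth_authn continue outside the hunks shown.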
5 changes: 4 additions & 1 deletion mod_ucam_webauth.conf.skel
Expand Up @@ -46,4 +46,7 @@ LoadModule ucam_webauth_module @@LIBEXECDIR@@/mod_ucam_webauth.so
# AAFail Off
# AAAlwaysDecode Off

# AAAlwaysDecode Off
# AAAlwaysDecode Off

# AACanonicaliseName On