Directives for mod_auth_mysql on Debian lenny

Jan 13, 2011

Recent documentation is impossible to find on the internet.
The best approach is to look directly in the source code to see which directives are accepted.

Auth_MySQL_Info host, user and password of the MySQL database
AuthMySQL_DefaultHost Default MySQL host
AuthMySQL_DefaultUser Default MySQL user
AuthMySQL_DefaultPassword Default MySQL password
Auth_MySQL_DefaultPort Default MySQL server port
Auth_MySQL_DefaultSocket Default MySQL server socket
Auth_MySQL_General_DB default database for MySQL authentication
AuthMySQL_DefaultDB default database for MySQL authentication
AuthMySQL_Host database host
Auth_MySQL_Host database host
Auth_MySQL_Socket database host socket
AuthMySQL_Socket database host socket
Auth_MySQL_Port database host port
AuthMySQL_Port database host port
Auth_MySQL_Username database user
AuthMySQL_User database user
Auth_MySQL_Password database password
AuthMySQL_Password database password
Auth_MySQL_DB database name
AuthMySQL_DB database name
Auth_MySQL_Password_Table Name of the MySQL table containing the password/user-name combination
AuthMySQL_Password_Table Name of the MySQL table containing the password/user-name combination
Auth_MySQL_Group_Table Name of the MySQL table containing the group-name/user-name combination; can be the same as the password-table.
Auth_MySQL_Group_Clause Additional WHERE clause for group/user-name lookup
AuthMySQL_Group_Table Name of the MySQL table containing the group-name/user-name combination; can be the same as the password-table.
Auth_MySQL_Password_Field The name of the field in the MySQL password table
AuthMySQL_Password_Field The name of the field in the MySQL password table
Auth_MySQL_Password_Clause Additional WHERE clause for group password/user-name lookup
Auth_MySQL_Username_Field The name of the user-name field in the MySQL password (and possibly group) table(s).
AuthMySQL_Username_Field The name of the user-name field in the MySQL password (and possibly group) table(s).
Auth_MySQL_Group_Field The name of the group field in the MySQL group table; must be set if you want to use groups.
AuthMySQL_Group_Field The name of the group field in the MySQL group table; must be set if you want to use groups.
Auth_MySQL_Group_User_Field The name of the user-name field in the MySQL group table; defaults to the same as the username field for the password table.
AuthMySQL_Group_User_Field The name of the user-name field in the MySQL group table; defaults to the same as the username field for the password table.
Auth_MySQL_Empty_Passwords Enable (on) or disable (off) empty password strings; in which case any user password is accepted.
AuthMySQL_Empty_Passwords Enable (on) or disable (off) empty password strings; in which case any user password is accepted.
Auth_MySQL_Authoritative When ‘on’ the MySQL database is taken to be authoritative and access control is not passed along to other db or access modules.
AuthMySQL_Authoritative When ‘on’ the MySQL database is taken to be authoritative and access control is not passed along to other db or access modules.
AuthMySQL_AllowOverride Allow directory overrides of configuration
Auth_MySQL_Encrypted_Passwords When ‘on’ the password in the password table are taken to be crypt()ed using your machines crypt() function.
AuthMySQL_Encrypted_Passwords When ‘on’ the password in the password table are taken to be crypt()ed using your machines crypt() function.
Auth_MySQL_Scrambled_Passwords When ‘on’ the password in the password table are taken to be scramble()d using mySQL’s password() function.
AuthMySQL_Scrambled_Passwords When ‘on’ the password in the password table are taken to be scramble()d using mySQL’s password() function.
Auth_MySQL_Encryption_Types Encryption types to use
AuthMySQL_Encryption_Types Encryption types to use
Auth_MySQL_Non_Persistent Use non-persistent MySQL links
AuthMySQL_Persistent Use non-persistent MySQL links
Auth_MySQL Enable MySQL authentication
AuthMySQL Enable MySQL authentication
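
An added example, not part of the original post or of mod_auth_mysql: a small Python check that treats the two spellings listed above as one directive and flags the settings whose descriptions above carry risk. The function name and the sample configuration are constructed for illustration.

```python
import re

# The list above gives each directive twice (Auth_MySQL_X and AuthMySQL_X);
# strip either prefix so both spellings are checked as one key.
PREFIX = re.compile(r"^auth_?mysql_(\w+)$", re.IGNORECASE)
# Directives whose arguments include the database password in clear text.
SECRET_KEYS = {"password", "defaultpassword", "info"}

def lint_auth_mysql(config_text):
    """Return (line_number, message) findings for mod_auth_mysql settings."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        match = PREFIX.match(parts[0])
        if not match:
            continue
        key = match.group(1).lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "empty_passwords" and value == "on":
            findings.append((number, "empty stored password accepts any password"))
        elif key == "encrypted_passwords" and value == "off":
            findings.append((number, "stored passwords are not treated as crypt() hashes"))
        elif key in SECRET_KEYS:
            findings.append((number, "database password in config, check file permissions"))
    return findings

# Constructed sample configuration (all values are placeholders).
SAMPLE = """\
AuthMySQL on
Auth_MySQL_Host localhost
AuthMySQL_User apache_ro
Auth_MySQL_Password constructed-placeholder
AuthMySQL_DB webauth
Auth_MySQL_Password_Table users
AuthMySQL_Empty_Passwords On
Auth_MySQL_Encrypted_Passwords on
"""

if __name__ == "__main__":
    for number, message in lint_auth_mysql(SAMPLE):
        print(f"line {number}: {message}")
```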

Apache mod_proxy on Debian

Jun 20, 2010

The default configuration of Apache's mod_proxy on Debian comes with the following settings:

<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.

ProxyRequests Off
# ^^^^^^^^ Very good 🙂
<Proxy *>
   AddDefaultCharset off
   Order deny,allow
   Deny from all
   # ^^^^^^^ RAAAAHHHHHH! 😠
   #Allow from .example.com
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block

ProxyVia On
</IfModule>

This kind of dumb safety measure drives me up the wall, because it means that when you enable an option (presumably on purpose), that option is unusable by default. And you will search in vain for what you could possibly have done wrong when it isn't your fault at all.

Changing Debian's default setting is the wrong approach. => Beware of the next update.

A vhost that wants to act as a proxy must therefore have at least the following directives:

<VirtualHost *:80>
  ServerName fqdn.server.com
  ProxyPass localpath  http://targeturl/
  ProxyVia off
  <Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from all
  </Proxy>
</VirtualHost>
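
An added example (not from the original post or from Debian): a Python check of the point made by the comment in the default file, that the risk appears when ProxyRequests is On and `<Proxy *>` admits everyone. It evaluates Apache 2.2 Order/Allow/Deny for `from all` rules only and assumes the last `<Proxy *>` block wins; the sample strings are trimmed from the two configurations above.

```python
import re

SECTION = re.compile(r"<\s*(/?)\s*proxy\b([^>]*)>", re.IGNORECASE)

def allows_everyone(rules):
    """Apache 2.2 Order/Allow/Deny, evaluated for 'from all' rules only."""
    order, allow_all, deny_all = "deny,allow", False, False  # Apache's default Order
    for words in rules:
        if words[0] == "order":
            order = "".join(words[1:])
        elif words[1:] == ["from", "all"]:
            allow_all |= words[0] == "allow"
            deny_all |= words[0] == "deny"
    if order == "allow,deny":            # default deny, Deny wins over Allow
        return allow_all and not deny_all
    return allow_all or not deny_all     # Deny,Allow: default allow, Allow wins

def audit_proxy(config_text):
    """Report whether the configuration amounts to an open forward proxy."""
    forward, rules, in_block = False, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = SECTION.match(line)
        if section:
            in_block = not section.group(1) and section.group(2).strip() == "*"
            if in_block:
                rules = []               # assumption: the last <Proxy *> block wins
            continue
        words = line.lower().split()
        if words[0] == "proxyrequests":
            forward = words[1:] == ["on"]
        elif in_block and words[0] in ("order", "allow", "deny"):
            rules.append(words)
    open_to_all = allows_everyone(rules)
    return {"forward_proxy": forward, "open_to_all": open_to_all,
            "open_forward_proxy": forward and open_to_all}

# Trimmed from the Debian default and the vhost shown above.
DEBIAN_DEFAULT = "ProxyRequests Off\n<Proxy *>\nOrder deny,allow\nDeny from all\n</Proxy>\n"
VHOST = ("<VirtualHost *:80>\n<Proxy *>\nOrder Deny,Allow\nDeny from all\n"
         "Allow from all\n</Proxy>\n</VirtualHost>\n")

if __name__ == "__main__":
    print(audit_proxy(DEBIAN_DEFAULT + VHOST))
```

With the vhost added, `open_to_all` becomes true while `open_forward_proxy` stays false, because ProxyRequests is still Off and only the ProxyPass mapping is served.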

Kerberos/Active Directory authentication on Apache2

Sep 14, 2009

In the web server configuration, add the following to the relevant virtual host:


<location />
    AuthType Kerberos
    KrbAuthRealms DOMAIN.IN.AD
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbSaveCredentials off
    AuthName "Nom de la zone réservée"
    AuthGroupFile /chemin/vers/monfichierdegroupe
    Require group nomdugroupe 
</location>

You could fetch the group members from AD over LDAP, but that makes for a lot of LDAP queries, and the caching systems are a real pain to set up. On top of that, storing in the web server the credentials needed to run LDAP queries against an AD raises security problems. That is why it is simpler to use an independent script, run periodically from cron by a different user, to create a group file. OK, it really isn't pretty, but it works very well and it is reasonably secure. 🙂

For creating the group file, see my LDAP_C program.
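
An added example of the cron-side step described above (this is not the author's LDAP_C program): Python that turns a member list into an AuthGroupFile and swaps it in atomically. It assumes the LDAP query has already been done elsewhere, that mod_auth_kerb reports users as user@REALM (its behaviour without local user mapping), and uses constructed account names.

```python
import os
import re
import tempfile

NAME = re.compile(r"[A-Za-z0-9._-]+")

def render_group_file(groups, realm):
    """Return AuthGroupFile text, one 'group: member member ...' line per group."""
    lines = []
    for group, members in sorted(groups.items()):
        if not NAME.fullmatch(group):
            raise ValueError(f"unsafe group name: {group!r}")
        principals = []
        for member in sorted(set(members)):
            # Directory data is untrusted input: a space or newline in a name
            # would otherwise inject extra members or groups into the file.
            if not NAME.fullmatch(member):
                raise ValueError(f"unsafe member name: {member!r}")
            principals.append(f"{member}@{realm}")
        lines.append(f"{group}: {' '.join(principals)}")
    return "\n".join(lines) + "\n"

def write_group_file(path, content, mode=0o644):
    """Write to a temporary file, then rename it over path in one step."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".groups-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(content)
        os.chmod(tmp, mode)      # readable by Apache, writable only by the cron user
        os.replace(tmp, path)    # atomic: Apache never sees a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

# Constructed sample: account names as an LDAP query might return them.
SAMPLE_GROUPS = {"nomdugroupe": ["bob", "alice", "alice"]}

if __name__ == "__main__":
    print(render_group_file(SAMPLE_GROUPS, "DOMAIN.IN.AD"), end="")
```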