Question about the list

on 17.08.2005 18:56:06 by Andrew Musselman

Hello--

I have some questions that are not development questions, but I
couldn't find a list for just the use of mod_proxy. Does anyone know of
a list that might be appropriate?

Thank you,
Andrew

Andrew Musselman
andrew@cwu.edu

Re: Question about the list

on 17.08.2005 19:30:29 by Andrew Musselman

Well, after searching the archive more I found some usage questions;
hence I will post my own :)

We are trying to shut down web access to all our networked printers on
campus "the easy way": set up a proxy server through which only
selected people can access the printers. The authentication can be done
using LDAP.

A couple of methods have been suggested, and I am researching them
now:
(1) mod_ssl + mod_auth_ldap + mod_proxy
(2) mod_ssl + mod_authz_ldap + mod_proxy
(3) mod_ssl + A nice little PHP login page that queries LDAP before
turning things over to mod_proxy.

So far I have had success with setting up a virtual host as a forward
proxy and with activating SSL for LDAP queries through a login page, but
I'm really confused about something: how could I set things up so users
visit some login page, their credentials are checked through LDAP, and
then they are forwarded to the printer they want?

Does anyone have any suggestions, or has anyone tried this and gotten
anywhere? Thanks for your time.

Best,
Andrew


Andrew Musselman
andrew@cwu.edu

>>> Andrew@cwu.EDU 8/17/2005 9:56 AM >>>
Hello--

I have some questions that are not development questions, but I
couldn't find a list for just the use of mod_proxy. Does anyone know
of
a list that might be appropriate?

Thank you,
Andrew

Andrew Musselman
andrew@cwu.edu

Re: Question about the list

on 17.08.2005 21:51:02 by Ian Holsman

Hi Andrew.
I'm sure these kinds of questions are best answered on httpd-users@apache.org.

there are two options here.
you can either use Apache's authentication handling, which will prompt
you with a dialog for a user/password
OR
you can use rewrite and do a cookie check which redirects non-cookied
people to a special page which does the LDAP
lookup and cookie setting.

Some people @ columbia wrote a module called mod_auth_pamacea which does
this I believe. the only caveats I see with it are
:- it is GPL
:- the session manager it uses is file based, which won't scale
(their words) but you could change the session manager to use
a mysql DB or somesuch if you need scalability

regards
Ian

On 18/08/2005, at 3:30 AM, Andrew Musselman wrote:

> Well, after searching the archive more I found some usage questions;
> hence I will post my own :)
>
> We are trying to shut down web access to all our networked printers on
> campus "the easy way": set up a proxy server through which only
> selected people can access the printers. The authentication can be
> done
> using LDAP.
>
> A couple of methods have been suggested, and I am researching them
> now:
> (1) mod_ssl + mod_auth_ldap + mod_proxy
> (2) mod_ssl + mod_authz_ldap + mod_proxy
> (3) mod_ssl + A nice little PHP login page that queries LDAP before
> turning things over to mod_proxy.
>
> So far I have had success with setting up a virtual host as a forward
> proxy and with activating SSL for LDAP queries through a login
> page, but
> I'm really confused about something: how could I set things up so
> users
> visit some login page, their credentials are checked through LDAP, and
> then they are forwarded to the printer they want?
>
> Does anyone have any suggestions, or has anyone tried this and gotten
> anywhere? Thanks for your time.
>
> Best,
> Andrew
>
>
> Andrew Musselman
> andrew@cwu.edu
>
>
>>>> Andrew@cwu.EDU 8/17/2005 9:56 AM >>>
>>>>
> Hello--
>
> I have some questions that are not development questions, but I
> couldn't find a list for just the use of mod_proxy. Does anyone know
> of
> a list that might be appropriate?
>
> Thank you,
> Andrew
>
> Andrew Musselman
> andrew@cwu.edu
>

--
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: 415-344-2608 (USA) /(++61) 3-9877-0909 (Australia)

Re: Question about the list

on 18.08.2005 00:33:34 by Andrew Musselman

Hi Ian,

Thanks for the response; I'll try posing my question on that list as
well.

I will try to get apache's auth stuff to work with proxying; the thing
is, I want users to be able to point to http://my.proxy.edu:81, get
authenticated, be able to select a printer address from a list, and then
have their traffic go through the proxy, to the printer, and back.

For another project I've used a cookie scheme similar to what you
suggested, but our network person wants to make it more secure.

I'll keep working on it, and thank you again.

Best,
Andrew

Andrew Musselman
andrew@cwu.edu
>>> Ian.Holsman@cnet.com 08/17/05 12:51 PM >>>
Hi Andrew.
I'm sure these kinds of questions are best answered on httpd-users@apache.org.

there are two options here.
you can either use Apache's authentication handling, which will prompt
you with a dialog for a user/password
OR
you can use rewrite and do a cookie check which redirects non-cookied
people to a special page which does the LDAP
lookup and cookie setting.

Some people @ columbia wrote a module called mod_auth_pamacea which does
this I believe. the only caveats I see with it are
:- it is GPL
:- the session manager it uses is file based, which won't scale
(their words) but you could change the session manager to use
a mysql DB or somesuch if you need scalability

regards
Ian

On 18/08/2005, at 3:30 AM, Andrew Musselman wrote:

> Well, after searching the archive more I found some usage questions;
> hence I will post my own :)
>
> We are trying to shut down web access to all our networked printers on
> campus "the easy way": set up a proxy server through which only
> selected people can access the printers. The authentication can be
> done
> using LDAP.
>
> A couple of methods have been suggested, and I am researching them
> now:
> (1) mod_ssl + mod_auth_ldap + mod_proxy
> (2) mod_ssl + mod_authz_ldap + mod_proxy
> (3) mod_ssl + A nice little PHP login page that queries LDAP before
> turning things over to mod_proxy.
>
> So far I have had success with setting up a virtual host as a forward
> proxy and with activating SSL for LDAP queries through a login
> page, but
> I'm really confused about something: how could I set things up so
> users
> visit some login page, their credentials are checked through LDAP, and
> then they are forwarded to the printer they want?
>
> Does anyone have any suggestions, or has anyone tried this and gotten
> anywhere? Thanks for your time.
>
> Best,
> Andrew
>
>
> Andrew Musselman
> andrew@cwu.edu
>
>
>>>> Andrew@cwu.EDU 8/17/2005 9:56 AM >>>
>>>>
> Hello--
>
> I have some questions that are not development questions, but I
> couldn't find a list for just the use of mod_proxy. Does anyone know
> of
> a list that might be appropriate?
>
> Thank you,
> Andrew
>
> Andrew Musselman
> andrew@cwu.edu
>

--
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: 415-344-2608 (USA) /(++61) 3-9877-0909 (Australia)

Re: Question about the list

on 18.08.2005 01:37:28 by Ian Holsman

cookies can be secure, and I would actually debate that cookies are
more secure.


1. your userid/password don't get passed for every request
2. you can 'logout' a session
3. the cookie's expiry time can be controlled.

the trick with cookies is sending the encrypted session ID with some
kind of time in the salting function.
you can make them pretty secure.

On 18/08/2005, at 8:33 AM, Andrew Musselman wrote:

> Hi Ian,
>
> Thanks for the response; I'll try posing my question on that list as
> well.
>
> I will try to get apache's auth stuff to work with proxying; the thing
> is, I want users to be able to point to http://my.proxy.edu:81, get
> authenticated, be able to select a printer address from a list, and
> then
> have their traffic go through the proxy, to the printer, and back.
>
> For another project I've used a cookie scheme similar to what you
> suggested, but our network person wants to make it more secure.
>
> I'll keep working on it, and thank you again.
>
> Best,
> Andrew
>
> Andrew Musselman
> andrew@cwu.edu
>
>>>> Ian.Holsman@cnet.com 08/17/05 12:51 PM >>>
>>>>
> Hi Andrew.
> I'm sure these kinds of questions are best answered on httpd-users@apache.org.
>
> there are two options here.
> you can either use Apache's authentication handling, which will prompt
> you with a dialog for a user/password
> OR
> you can use rewrite and do a cookie check which redirects non-cookied
> people to a special page which does the LDAP
> lookup and cookie setting.
>
> Some people @ columbia wrote a module called mod_auth_pamacea which does
> this I believe. the only caveats I see with it are
> :- it is GPL
> :- the session manager it uses is file based, which won't scale
> (their words) but you could change the session manager to use
> a mysql DB or somesuch if you need scalability
>
> regards
> Ian
>
> On 18/08/2005, at 3:30 AM, Andrew Musselman wrote:
>
>
>> Well, after searching the archive more I found some usage questions;
>> hence I will post my own :)
>>
>> We are trying to shut down web access to all our networked
>> printers on
>> campus "the easy way": set up a proxy server through which only
>> selected people can access the printers. The authentication can be
>> done
>> using LDAP.
>>
>> A couple of methods have been suggested, and I am researching them
>> now:
>> (1) mod_ssl + mod_auth_ldap + mod_proxy
>> (2) mod_ssl + mod_authz_ldap + mod_proxy
>> (3) mod_ssl + A nice little PHP login page that queries LDAP before
>> turning things over to mod_proxy.
>>
>> So far I have had success with setting up a virtual host as a forward
>> proxy and with activating SSL for LDAP queries through a login
>> page, but
>> I'm really confused about something: how could I set things up so
>> users
>> visit some login page, their credentials are checked through LDAP,
>> and
>> then they are forwarded to the printer they want?
>>
>> Does anyone have any suggestions, or has anyone tried this and gotten
>> anywhere? Thanks for your time.
>>
>> Best,
>> Andrew
>>
>>
>> Andrew Musselman
>> andrew@cwu.edu
>>
>>
>>
>>>>> Andrew@cwu.EDU 8/17/2005 9:56 AM >>>
>>>>>
>>>>>
>> Hello--
>>
>> I have some questions that are not development questions, but I
>> couldn't find a list for just the use of mod_proxy. Does anyone know
>> of
>> a list that might be appropriate?
>>
>> Thank you,
>> Andrew
>>
>> Andrew Musselman
>> andrew@cwu.edu
>>
>>
>
> --
> Ian Holsman
> Director
> Network Management Systems
> CNET Networks
> PH: 415-344-2608 (USA) /(++61) 3-9877-0909 (Australia)
>
>

--
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: 415-344-2608 (USA) /(++61) 3-9877-0909 (Australia)
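
Added example, not part of the original thread and not code from either poster: one way to build the session cookie described in the message above, with a random session ID bound to its issue time so that expiry and logout can be enforced on the server. It assumes an HMAC-SHA256 signature in place of the encryption mentioned in the message, an in-memory session store, and a 15-minute lifetime; all function names are hypothetical, and `issue_cookie` is meant to be called only after the LDAP check has succeeded.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
MAX_AGE = 900                         # assumption: sessions live 15 minutes
_sessions = {}                        # session id -> username; stands in for a real store


def _sign(sid, issued):
    """HMAC over the session ID and issue time, so neither can be altered."""
    msg = f"{sid}.{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(username, now=None):
    """Create a session after a successful LDAP check; returns the cookie value."""
    issued = str(int(time.time() if now is None else now))
    sid = secrets.token_urlsafe(16)   # URL-safe alphabet never contains "."
    _sessions[sid] = username
    return f"{sid}.{issued}.{_sign(sid, issued)}"


def verify_cookie(cookie, now=None):
    """Return the username for a valid, unexpired, not-logged-out cookie, else None."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    sid, issued, mac = parts
    # Constant-time comparison on bytes; rejects forged or edited cookies.
    if not hmac.compare_digest(mac.encode(), _sign(sid, issued).encode()):
        return None
    try:
        age = now - int(issued)
    except ValueError:
        return None
    if not 0 <= age <= MAX_AGE:
        return None                   # expired, or issue time lies in the future
    return _sessions.get(sid)         # None once the session has been logged out


def logout(cookie):
    """Drop the server-side session; the cookie is useless from then on."""
    _sessions.pop(cookie.split(".")[0], None)
```

The password never appears in the cookie, which covers the first point in the message; `logout` and `MAX_AGE` cover the second and third.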

Re: Question about the list

on 18.08.2005 19:15:01 by Andrew Musselman

Wow, thanks. I may look into using cookies after all.

Andrew Musselman
andrew@cwu.edu

>>> Ian.Holsman@cnet.com 8/17/2005 4:37:28 PM >>>
cookies can be secure, and I would actually debate that cookies are
more secure.


1. your userid/password don't get passed for every request
2. you can 'logout' a session
3. the cookie's expiry time can be controlled.

the trick with cookies is sending the encrypted session ID with some
kind of time in the salting function.
you can make them pretty secure.