Authenticating Proxy Server

on 15.04.2008 13:22:28 by Roy Pearce

Hi,

We use Apache as an authenticating proxy server to allow off-site
students to access IP-restricted ejournal sites. They provide their
university credentials which are validated by a RADIUS server. (We have
mod_auth_radius + Apache 2.0.63.) Callers configure their Web browsers
to use a Proxy Auto-Configuration File. This works fine and has done so
for many years.

However, there is a concern that the username and password are
transmitted in the clear from, typically, the student's home computer to
the university's proxy server. We'd like to send these encrypted.

I have tried using an ssl-enabled authenticating proxy server but this
confuses the browser as it attempts to talk http to an https server.
I have looked at secure tunnelling and also wondered whether or not this
could be solved using cookies. I can't see my way to make any progress
on this problem. Can anyone comment or advise on the core issue of how
one may transmit authenticating information in a secure manner.

Thanks very much.

Roy Pearce
Enterprise Systems Support Team
Computing Systems
University of Birmingham
UK

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Authenticating Proxy Server

on 15.04.2008 14:15:12 by Nils Jeppe

On 15.04.2008, at 13:22, Roy Pearce wrote:
> I have tried using an ssl-enabled authenticating proxy server but
> this confuses the browser as it attempts to talk http to an https
> server.


Mh, why is this? I don't have experience with mod_auth_radius, but I'd
expect it to work similarly to all the other mod_auth_* modules, that
is, internally in Apache and not exposed to the user. So it shouldn't
be the cause...

For the proxy I assume you use the normal ProxyPass / ProxyPass
reverse combination?



Best wishes
Nils



Re: Authenticating Proxy Server

on 15.04.2008 16:19:01 by Roy Pearce

Hi Nils,

Thanks for your reply.

Our proxy server is a forward proxy server, not a reverse one so I
haven't used the ProxyPass and ProxyPassReverse directives.

I replicated the (forward) proxy server, added SSL and changed the port
to 443. The browser was configured to use this
authenticating proxy server. The browser appears not to like talking to
an SSL-enabled proxy server. Doing this was a stab in the dark!
A guess, if you like and it's possibly a forlorn hope.

Are there other ways to transmit the credentials in an encrypted manner
rather than in plain text?

Regards,

Roy

Nils Jeppe wrote:
>
> On 15.04.2008, at 13:22, Roy Pearce wrote:
>> I have tried using an ssl-enabled authenticating proxy server but
>> this confuses the browser as it attempts to talk http to an https
>> server.
>
>
> Mh, why is this? I don't have experience with mod_auth_radius, but I'd
> expect it to work similarly to all the other mod_auth_* modules, that
> is, internally in Apache and not exposed to the user. So it shouldn't
> be the cause...
>
> For the proxy I assume you use the normal ProxyPass / ProxyPass
> reverse combination?
>
>
>
> Best wishes
> Nils
>
>

Re: Authenticating Proxy Server

on 15.04.2008 16:43:45 by Nick Kew

On Tue, 15 Apr 2008 15:19:01 +0100
Roy Pearce wrote:

> The browser appears not to like talking to
> an SSL-enabled proxy server.

Sounds to me like a browser misconfiguration.

> Are there other ways to transmit the credentials in an encrypted
> manner rather than in plain text?

HTTP digest authentication.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/


Re: Authenticating Proxy Server

on 17.04.2008 11:09:55 by Emmanuel E

Try using NTLM, which provides some level of security, or else try digest
authentication using mod_auth_digest.

Roy Pearce wrote:
> Hi Nils,
>
> Thanks for your reply.
>
> Our proxy server is a forward proxy server, not a reverse one so I
> haven't used the ProxyPass and ProxyPassReverse directives.
>
> I replicated the (forward) proxy server, added SSL and changed the
> port to 443. The browser was configured to use this
> authenticating proxy server. The browser appears not to like talking
> to an SSL-enabled proxy server. Doing this was a stab in the dark!
> A guess, if you like and it's possibly a forlorn hope.
>
> Are there other ways to transmit the credentials in an encrypted
> manner rather than in plain text?
>
> Regards,
>
> Roy
>
> Nils Jeppe wrote:
>>
>> On 15.04.2008, at 13:22, Roy Pearce wrote:
>>> I have tried using an ssl-enabled authenticating proxy server but
>>> this confuses the browser as it attempts to talk http to an https
>>> server.
>>
>>
>> Mh, why is this? I don't have experience with mod_auth_radius, but
>> I'd expect it to work similarly to all the other mod_auth_* modules,
>> that is, internally in Apache and not exposed to the user. So it
>> shouldn't be the cause...
>>
>> For the proxy I assume you use the normal ProxyPass / ProxyPass
>> reverse combination?
>>
>>
>>
>> Best wishes
>> Nils
>>
>>

Re: Authenticating Proxy Server

on 17.04.2008 16:28:19 by Roy Pearce

Hi Nick,

Thanks for your comments.

Nick Kew wrote:
> On Tue, 15 Apr 2008 15:19:01 +0100
> Roy Pearce wrote:
>
>
>> The browser appears not to like talking to
>> an SSL-enabled proxy server.
>>
>
> Sounds to me like a browser misconfiguration.
>

All I changed was the port number to point to a secure authenticating
proxy server.

It appears that FF assumes the proxy server is talking HTTP when I would
like it to talk HTTPS.
There doesn't appear to be any way to define the protocol when
configuring a proxy server.
(Of course, if this was to work, then all of the traffic would be
encrypted - which would be overkill!)
>
>> Are there other ways to transmit the credentials in an encrypted
>> manner rather than in plain text?
>>
>
> HTTP digest authentication.
>

We can't use Digest as the password file is not on the same machine. We
use mod_auth_radius to connect to a RADIUS server (on another machine)
to check credentials against the ADF database.

Regards,

Roy Pearce
Computing Systems
University of Birmingham
UK


Re: Authenticating Proxy Server

on 17.04.2008 17:14:42 by Nick Kew

On Thu, 17 Apr 2008 15:28:19 +0100
Roy Pearce wrote:

> > Sounds to me like a browser misconfiguration.
> >
>
> All I changed was the port number to point to a secure authenticating
> proxy server.
>
> It appears that FF assumes the proxy server is talking HTTP when I
> would like it to talk HTTPS.

Sorry, I'm no expert on Firefox. Did you try its "about:"?
I expect there's a plugin for it, if it really isn't builtin.

> > HTTP digest authentication.
> >
>
> We can't use Digest as the password file is not on the same machine.
> We use mod_auth_radius to connect to a RADIUS server (on another
> machine) to check credentials against the ADF database.

One of the changes in 2.2 over earlier versions is that the HTTP
authentication method (Basic/Digest/Homebrew) is decoupled from
the backend lookup (radius, in your case). So that's no longer
an issue, assuming the radius authentication module has been
updated to use the new framework.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
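
An added illustration (not part of any post in this thread, and not Apache or mod_auth_radius code) of the difference between Basic credentials and the RFC 2617 Digest response suggested above; for a proxy these values travel in the Proxy-Authorization header. The function names are hypothetical, and the sample values are the constructed ones from RFC 2617's own worked example.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_proxy_header(user, password):
    """Basic: the header value is just base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(value):
    """Reversing it needs no secret, so it is cleartext on the wire."""
    raw = base64.b64decode(value.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_ha1(user, realm, password):
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; only this hash crosses the network."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_accepts(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1 and the nonce it issued.
    The verifier needs HA1 itself; a backend that only answers accept/reject
    for a cleartext password cannot supply it."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample values: the worked example from RFC 2617.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

if __name__ == "__main__":
    print(decode_basic(basic_proxy_header(USER, PASSWORD)))
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE)
    print(resp, proxy_accepts(ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE, resp))
    # The same response presented against a fresh server nonce is rejected.
    print(proxy_accepts(ha1, "GET", "/dir/index.html", "freshnonce", NC, CNONCE, resp))
```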


Re: Authenticating Proxy Server

on 17.04.2008 17:33:09 by neil.hillard

Hi,

Nick Kew wrote:
> On Thu, 17 Apr 2008 15:28:19 +0100
> Roy Pearce wrote:
>
>>> Sounds to me like a browser misconfiguration.
>>>
>> All I changed was the port number to point to a secure authenticating
>> proxy server.
>>
>> It appears that FF assumes the proxy server is talking HTTP when I
>> would like it to talk HTTPS.
>
> Sorry, I'm no expert on Firefox. Did you try its "about:"?
> I expect there's a plugin for it, if it really isn't builtin.
>
>>> HTTP digest authentication.
>>>
>> We can't use Digest as the password file is not on the same machine.
>> We use mod_auth_radius to connect to a RADIUS server (on another
>> machine) to check credentials against the ADF database.
>
> One of the changes in 2.2 over earlier versions is that the HTTP
> authentication method (Basic/Digest/Homebrew) is decoupled from
> the backend lookup (radius, in your case). So that's no longer
> an issue, assuming the radius authentication module has been
> updated to use the new framework.

We (as Nick knows) had major problems with mod_auth_radius so we
commissioned mod_auth_xradius

http://www.outoforder.cc/projects/apache/mod_auth_xradius/

which should be fully compatible with Apache 2.2.

HTH,


Neil.

--
Neil Hillard neil.hillard@agustawestland.com
AgustaWestland http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.


Re: Authenticating Proxy Server

on 18.04.2008 06:15:36 by Emmanuel E

No, FF will not communicate to a proxy using SSL. It will communicate
using SSL to any webserver via proxy or directly, but not to a proxy
using SSL. It's not forbidden, but it's not explicitly defined anywhere.
Similar to bug http://issues.apache.org/bugzilla/show_bug.cgi?id=29744

Till Necko comes out I don't think it will be possible to tinker with the
network code in Mozilla.

So that leaves us with NTLM, Digest or Radius. Hope you are able to get
something to work.

Neil A. Hillard wrote:
> Hi,
>
> Nick Kew wrote:
>> On Thu, 17 Apr 2008 15:28:19 +0100
>> Roy Pearce wrote:
>>
>>>> Sounds to me like a browser misconfiguration.
>>>>
>>> All I changed was the port number to point to a secure
>>> authenticating proxy server.
>>>
>>> It appears that FF assumes the proxy server is talking HTTP when I
>>> would like it to talk HTTPS.
>>
>> Sorry, I'm no expert on Firefox. Did you try its "about:"?
>> I expect there's a plugin for it, if it really isn't builtin.
>>
>>>> HTTP digest authentication.
>>>>
>>> We can't use Digest as the password file is not on the same machine.
>>> We use mod_auth_radius to connect to a RADIUS server (on another
>>> machine) to check credentials against the ADF database.
>>
>> One of the changes in 2.2 over earlier versions is that the HTTP
>> authentication method (Basic/Digest/Homebrew) is decoupled from
>> the backend lookup (radius, in your case). So that's no longer
>> an issue, assuming the radius authentication module has been
>> updated to use the new framework.
>
> We (as Nick knows) had major problems with mod_auth_radius so we
> commissioned mod_auth_xradius
>
> http://www.outoforder.cc/projects/apache/mod_auth_xradius/
>
> which should be fully compatible with Apache 2.2.
>
> HTH,
>
>
> Neil.
>
