Apache with mod_shib and mod_proxy

Apache with mod_shib and mod_proxy

Jack Hill
Hi,

I'm interested in using mod_shib with Apache to serve applications via
reverse proxy. I would like the shib SP to be able to pass along
attributes to the application. The obvious (at least to me) way to do this
is to pass the attributes via request headers. However, I've read the big
warnings on
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
and am reluctant to take that approach, and am interested in doing the work to
avoid using request headers. Unfortunately, I'm not sure what that work
is. Is it possible to use shib in this way with a reverse proxy? If so,
how? (In particular, I'm interested in reverse proxying Ruby's Puma
webserver and also Tomcat via ajp://)

Also, I don't think I fully understand the risk of using request headers.
I understand that these can be set by an untrusted client, but I don't
know why it is error-prone and risky to scrub the known headers that shib
sets. Enlightenment on this topic would be appreciated.

Best,
Jack
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Apache with mod_shib and mod_proxy

Greg Haverkamp

On Wed, May 16, 2018 at 10:32 AM, Jack Hill <[hidden email]> wrote:
> I'm interested in using mod_shib with Apache to serve applications via
> reverse proxy. I would like the shib SP to be able to pass along
> attributes to the application. The obvious (at least to me) way to do this
> is to pass the attributes via request headers. However, I've read the big
> warnings on
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
> and am reluctant to take that approach, and am interested in doing the work to
> avoid using request headers. Unfortunately, I'm not sure what that work
> is. Is it possible to use shib in this way with a reverse proxy? If so,
> how? (In particular, I'm interested in reverse proxying Ruby's Puma
> webserver and also Tomcat via ajp://)

For AJP, you can use mod_proxy_ajp.

There was some considerable discussion on this recently in a tangentially related thread:

If you're set on Puma vs uWSGI (Peter's recommendation in that post) with mod_proxy_uwsgi, then my quick googling suggests no alternative to headers for Puma, or something like the JWT approach that started the thread.  (There are other ways to add more assurance to the communications with those headers, which Peter also suggests in there.)

(I don't have any personal recommendations for Ruby, but I did run a production Python application on uWSGI for several years, and it never gave me any problems.)
 
> Also, I don't think I fully understand the risk of using request headers.
> I understand that these can be set by an untrusted client, but I don't
> know why it is error-prone and risky to scrub the known headers that shib
> sets. Enlightenment on this topic would be appreciated.

As is so often the case with this sort of problem, can you think of everything a wily attacker might come up with to fool the system?

Greg
 


Re: Apache with mod_shib and mod_proxy

Peter Schober
* Greg Haverkamp <[hidden email]> [2018-05-16 21:46]:
> (I don't have any personal recommendations for Ruby, but I did run a
> production Python application on uWSGI for several years, and it
> never gave me any problems.)

There's also mod_rack ("Phusion Passenger"), I guess.

-peter

RE: Apache with mod_shib and mod_proxy

Cantor, Scott E.
In reply to this post by Jack Hill
> Also, I don't think I fully understand the risk of using request headers.
> I understand that these can be set by an untrusted client, but I don't know why
> it is error-prone and risky to scrub the known headers that shib sets.

Proxies should never forward "all" headers, they should start with nothing and build up a set to explicitly send. And the connection between a proxy and the back end has to be inviolate, or you're blown anyway.

The SP is not a proxy, whatever people like to think about it, so it has a different problem to deal with. Web servers don't default-deny the headers they transmit to applications, so the whole thing is imperfect and prone to bugs. There is no good reason to ever turn the SP headers on in Apache (and soon not in IIS). The SP should set server variables and the proxy module should set headers based on those variables if it wants to.

It's also crucial to have knowledge of the application APIs used and ensure that it's impossible for access to a server variable to be diverted to a header. That's a terrible practice but it used to be common.

-- Scott
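
Added example, not part of the original thread or the Shibboleth project's own configuration: an Apache 2.4 sketch of the arrangement described in the last reply, where mod_shib sets only server variables and the proxy layer builds the single header it sends. The attribute id `eppn`, the header name `X-Shib-Eppn`, the paths and the loopback ports are assumptions.

```apache
# Constructed sketch: "eppn", X-Shib-Eppn, /app, /java and the ports are assumptions.

# Keep mod_shib publishing attributes as server variables only (Off is the default).
# The setting the thread advises against would be:  ShibUseHeaders On
ShibUseHeaders Off

# HTTP back end (for example Puma), assumed to listen on loopback only so the
# proxy-to-application hop cannot be reached by clients directly.
<Location "/app">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # mod_proxy forwards client request headers, so remove any client-supplied
    # copy of the header before deciding whether to set it.
    RequestHeader unset X-Shib-Eppn
    # Set it from the variable mod_shib populated. env=eppn skips the directive
    # when the variable is absent; without it %{eppn}e would expand to "(null)".
    RequestHeader set X-Shib-Eppn "%{eppn}e" env=eppn

    ProxyPass "http://127.0.0.1:9292/app"
    ProxyPassReverse "http://127.0.0.1:9292/app"
</Location>

# AJP back end (Tomcat): no request headers involved.
# Assumes attributePrefix="AJP_" on <ApplicationDefaults> in shibboleth2.xml, so
# mod_shib names its variables AJP_eppn and so on; mod_proxy_ajp forwards
# variables with that prefix as AJP request attributes with the prefix removed.
# The prefix applies to the whole SP application, so with it in place the
# /app block above would read %{AJP_eppn}e and env=AJP_eppn instead.
<Location "/java">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
    ProxyPass "ajp://127.0.0.1:8009/java"
</Location>
```

The application behind `/app` should read only the header named here, and the one behind `/java` should read the request attribute rather than any header of the same name.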
