#1 2014-08-06 09:10:03

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Authentication over ssl with apache proxy

I habe an apache conf like this:

Listen 8880
<VirtualHost *:8880>
SSLEngine On

ProxyRequests off
ProxyPreserveHost on

ProxyPass /dk/ http://192.168.1.16:8180/
ProxyPassReverse /dk/ http://192.168.1.16:8180/

Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Allow-Headers: Authorization
Header set Access-Control-Allow-Methods: *

<Proxy *>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName "Datasnap"
  AuthBasicProvider ldap
  AuthLDAPURL ldap://localhost/ou=people,dc=kanzlei,dc=local?uid
  Require user daniel sylvia melanie
  #Satisfy Any
</Proxy>
</VirtualHost>

Apache is using for ssl and auhtentication. MORMot is for REST.

For external access I only need one Port(8880) and over proxy I can have many mORMot-Restserver on different ports.

Without Autentication (setting Satisfy Any) it works.

How can I set the username+password for apache (Authscheme ist Basic)?

Offline

#2 2014-08-06 09:20:26

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

AFAIR mORMot does not support Basic authentication, which is pretty weak yet.

I do not know anything about Apache proxy support.
Is not the authentication supposed to be at proxy level, not at mORMot's level?

Offline

#3 2014-08-06 11:56:18

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

Thanks for the very quick reply!

Because all traffic is over ssl, I don't see a problem of security.
I have tested with this code:

var
  s: string;
begin
  s:= 'username:passw';
  s:= BinToBase64(s);
  s:= TWinHTTP.Get('https://domain:Port/dk/root/Konten', 'Authorization: Basic '+s);
end;

This works. I need the possibility of a custom header I can send with all requests.

Daniel

Offline

#4 2014-08-06 13:16:52

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

I am a newbie in mORMot, please excuse my suggestions:

in mORMot.pas I would need in TSQLRestClientURI.URI (row 24650) something like this:

Call.InHead:= 'Authorization: Basic ' + BinToBase64(fUsername + ':' + fPassword);

To get this working I need two Fields in TSQLRestClientURI (fUsername and fPassword) which were set in TSQLRestClientURI.SetUser
by a call of TSQLHTTPClient(Database).SetUser.

Username and Password for mORMOT auhtentication would be used also for Basic-Auth of the proxy (e.g. Apache).

Daniel

Offline

#5 2014-08-06 14:15:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Could you please create a feature request ticket?

Offline

#6 2014-08-06 15:10:43

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

OK, ticket uuid is d214048facaa3944f96ee5b30716b4f81b12f26e.

Hope ticket is ok so...

Offline

#7 2014-08-06 20:21:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Ticket http://synopse.info/fossil/tktview/d214048facaa394 is correct.

But I still do not understand your request.

Why on earth would the Call.InHead contain the authentication at mORMot level?
mORMot won't use this value at all.
Are you not meaning Call.OutHead?
I'm a little confused by your request.

What we can do is handle basic-authentication at mORMot level, in addition to other means...
But sounds not like what you want...
sad

Edit: I just understood that you need it at CLIENT level.
OK - does make sense.
But even more if we implement it at server level also.
For compatibility reasons (over SSL) with some weak / old / third party clients.

Offline

#8 2014-08-07 06:15:17

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

>But even more if we implement it at server level also.

No.
You only need it in client. The (mORMot)server knows nothing about this special HTTP-Header.

>For compatibility reasons (over SSL) with some weak / old / third party clients.

No.
The advantage is the using of an existing authentication-system (my bsd-apache is ready for ssl and authentication over ldap since years).
Why should I make the mORMot-Server SSL-able? In mORMot I need authorization, but not authentication.


The Auth-Basic is not for mORMot, but for apache as proxy:

mORMOT-Client-->HTTPS(apache-proxy)-->HTTP(mORMot-Server).
In my firewall is only one port open wich is forwarding to a bsd-apache-server. Behind the firewall are my serveral mORMot-Windows-Servers.
The mORMot-Windows-Servers don't have authentication. They confide all what comes from my bsd-apache.

For windows-clients I've solved this problem, but it were good, if you could incorporate this feature in mORMot.

BUT: I've this problem already in CrossPlatform. I little test shows, that Crossplatform works well under FMX with an Android-Client, but not with ssl,
neither with FMX-Windows-Client nor FMX-Android-Client.

Exception is: EIdIOHandlerPropInvalid (Values for IOHandler is invalid).

What I'm doing wrong?

Last edited by danielkuettner (2014-08-07 06:24:47)

Offline

#9 2014-08-07 06:50:47

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

Now Crossplatform-SSL works (first without my special Basic-Auth problem):

In SynCrossPlatformSepcific.pas following changes were to make:

322: 
uses
  IdHTTP, IdSSLOpenSSL;

480: 
constructor TIndyHttpConnectionClass.Create(
  const aParameters: TSQLRestConnectionParams);
var
  LHandler: TIdSSLIOHandlerSocketOpenSSL;
begin
  inherited;
  fConnection := TIdHTTP.Create(nil);

  if fParameters.Https then begin
    LHandler:= TIdSSLIOHandlerSocketOpenSSL.Create(nil);
    fConnection.IOHandler:= LHandler;
  end;

  if fParameters.ProxyName<>'' then
    fConnection.ProxyParams.ProxyServer := fParameters.ProxyName;
end;

Offline

#10 2014-08-07 08:22:37

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

I hope I don't bore others with my posts but I'm very happy that mORMot-Client for Crossplatform should work now with SSL and Auth Basic:

Because Crossplatform is using TIdHTTP in SynCrossplattformSpecific.pas under Row 512 fConnection.Request.Username and .Password has to be set.

I don't know the best way, to do this.

Offline

#11 2014-08-07 09:51:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

We have added HTTPS support for cross-platform Indy client, thanks to your patch.
See http://synopse.info/fossil/info/00baebf77b04d8

Now we will add Auth Basic support for client (and server, even if you won't use it yourself).

Offline

#12 2014-08-07 10:10:29

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

Thanks a lot.

Offline

#13 2014-08-07 17:44:46

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

We have just added TSQLRestServerAuthenticationHttpBasic authentication class.
See http://synopse.info/fossil/info/6d87b2af7bd
This commit includes a somewhat deep refactoring of the TSQLRestServerAuthentication* classes.
It should had HTTP Basic authentication on both client and server sides of mORMot.

For your specific proxy request, you can use TSQLRestServerAuthenticationHttpBasic.ClientSetUserHttpOnly() to force the header needed for your configuration.

Any feedback is welcome!

Offline

#14 2014-08-08 08:17:28

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

Ok, thanks. I will test it on Monday (I'm illy today).
Is is right that TSQLRestServerAuthenticationHttpBasic is only for VCL? Will you implement it in CrossPlatform too?

Offline

#15 2014-08-08 08:44:10

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

TSQLRestServerAuthenticationHttpBasic as client and server is only for VCL.

For SynCrossPlatformRest.pas, I've just added the ability to use your proxy request.
This is available via the new TSQLRestClientHTTP.SetHttpBasicAuthHeaders() method.
See http://synopse.info/fossil/info/ef9634a4acc99
I do not see any benefit of using HTTP Basic authentication in Cross-Platform mode, since other schemes are much safer.

Hope you would feel better soon!
smile

Offline

#16 2014-08-08 09:49:52

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

AB, in your Blog about Authentication and Authorization you compare the auth-possibilities. One of them is HTTP basic auth over HTTPS.
I think this auth-method is like its name, basic. And I can't see a difference between VCL and CrossPlatform,
because my Apache is always the same, no matter the client is VCL or Android.

Therefore I need the possibility to set the TIdHttp.Request.Username and .Password with mORMot.

Offline

#17 2014-08-08 10:03:30

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

But which authentication class are you using?

AFAIR you use Basic auth just for connection to the proxy.
You set SQLRestClientHTTP.SetHttpBasicAuthHeaders() on crossplatform clients, and TSQLRestServerAuthenticationHttpBasic.ClientSetUserHttpOnly() for VCL clients.
This will put the authentication header as expected by your apache proxy.

Then you can rely on TSQLRestAuthenticationDefault, from both VCL and crossplatform clients, for authentication and authorization on the mORMot server.

Offline

#18 2014-08-08 10:12:01

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

You are right, I use auth only for proxy.

OK, sounds good. I will test it at Monday (you know I'am illy).
But in my tests yesterday, I've added the auth-header and with TIdHttp it doesn't work (with VCL no Problem).
So I think, it will only work with Indy if I set Request.Username...

Last edited by danielkuettner (2014-08-09 06:48:16)

Offline

#19 2014-08-08 10:53:57

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Indy is just broken...
sad

We do not have licenses for Delphi for Android (nor iPhone), so we cannot reproduce the issue here.
Your feedback is welcome!
smile

Offline

#20 2014-08-08 11:20:51

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

Why do you have no licenses for Delphi? Do you need one? You have such a great framework and no license?

Offline

#21 2014-08-08 13:36:02

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Simply put: I spend a lot of time in mORMot, and don't get any money from it.
See http://blog.synopse.info/post/2014/02/2 … -free-beer
smile

From time to time, a small donation, and some consulting.
But not enough to make my living.
For mobile clients, we use SmartMobileStudio (and PhoneGap), and not FMX.
So we can't afford to acquire the highly priced Delphi XE6 license, for platforms which we won't need.
Our main IDE is still Delphi 7, or SMS itself. Then we use some Unicode version of Delphi, most of the time via its command-line compiler, if we need an Unicode VCL application.

Offline

#22 2014-08-09 09:49:01

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

I've tested today your latest patches:

VCL works, CrossPlatform not.

I've used TSQLRestClientHTTP(Database).SetHttpBasicAuthHeaders('aUsername', 'aPassword') and 401 is http resultcode.

There are two problems:

1. AuthHeader produce false Base64; here starts the base64-string with a JSON-FLAG '#$fff0'
2. in SynCrossPlatformSpecific (Row 522) you have to grep fConnection.Request.RawHeaders for 'Authorization: Baisc', extract username and password
with Base64Decode (this is not so nice, but is a quick suggestion to explain it)

and then

set this properties:

fConnection.Request.BasicAuthentication:= true;
fConnection.Request.Username:= xxx
fConnection.Request.Password:= xxx

This will work.

Offline

#23 2014-08-09 10:40:17

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

We have fixed point 1.

About point 2, are you sure the "Authorization:" header is overridden by Indy?
I did not find anywhere in the Indy source code where this header is modified.
We added your proposal...
But Indy is really a weird beast...
wink

See http://synopse.info/fossil/info/6b92f4c5861

Offline

#24 2014-08-09 11:57:14

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

I'm not so a good developer and assembler is for me like a carbon copy of Chinese,
but I'm sure, Indy ignore that Authorization: Basic header.

I will try your patch at monday (I'm no longer sick, but I've a wife).

Offline

#25 2014-08-09 14:32:18

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Have a nice Week End!
smile

Offline

#26 2014-08-11 06:09:27

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Authentication over ssl with apache proxy

I've tested 6b92f4c586 and it works.

Importend notice:

- for iOS (and Android clients) you will get an IOHandler error; here you have to include in your uses IdSSLOpenSSLHeaders_Static and copy libcrypto.a and libssl.a (http://indy.fulgan.com/SSL/OpenSSLStaticLibs.7z).

This could also usefully: http://blog.marcocantu.com/blog/using_s … i_ios.html

Last edited by danielkuettner (2014-08-11 07:41:04)

Offline

#27 2014-08-11 10:45:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Authentication over ssl with apache proxy

Thanks for the feedback.

I've added the SSL information to the official documentation.
smile

Offline

Board footer

Powered by FluxBB