I have an Apache conf like this:

    Listen 8880
    <VirtualHost *:8880>
        SSLEngine On
        ProxyRequests off
        ProxyPreserveHost on
        ProxyPass /dk/ http://192.168.1.16:8180/
        ProxyPassReverse /dk/ http://192.168.1.16:8180/
        Header set Access-Control-Allow-Credentials: true
        Header set Access-Control-Allow-Headers: Authorization
        Header set Access-Control-Allow-Methods: *
        <Proxy *>
            Order deny,allow
            Allow from all
            AuthType Basic
            AuthName "Datasnap"
            AuthBasicProvider ldap
            AuthLDAPURL ldap://localhost/ou=people,dc=kanzlei,dc=local?uid
            Require user daniel sylvia melanie
            #Satisfy Any
        </Proxy>
    </VirtualHost>

Apache is used for SSL and authentication. mORMot is for REST.
For external access I only need one port (8880), and via the proxy I can have many mORMot REST servers on different ports.
Without authentication (setting Satisfy Any) it works.
How can I set the username+password for Apache (auth scheme is Basic)?
Offline
AFAIR mORMot does not support Basic authentication, which is pretty weak yet.
I do not know anything about Apache proxy support.
Is not the authentication supposed to be at proxy level, not at mORMot's level?
Offline
Thanks for the very quick reply!
Because all traffic is over ssl, I don't see a problem of security.
I have tested with this code:

    var
      s: string;
    begin
      s := 'username:passw';
      s := BinToBase64(s);
      s := TWinHTTP.Get('https://domain:Port/dk/root/Konten', 'Authorization: Basic ' + s);
    end;

This works. I need the possibility of a custom header I can send with all requests.
Daniel
Offline
I am a newbie in mORMot, please excuse my suggestions:
in mORMot.pas I would need in TSQLRestClientURI.URI (row 24650) something like this:
Call.InHead:= 'Authorization: Basic ' + BinToBase64(fUsername + ':' + fPassword);
To get this working I need two Fields in TSQLRestClientURI (fUsername and fPassword) which were set in TSQLRestClientURI.SetUser
by a call of TSQLHTTPClient(Database).SetUser.
Username and Password for mORMot authentication would also be used for Basic-Auth of the proxy (e.g. Apache).
Daniel
Offline
OK, ticket uuid is d214048facaa3944f96ee5b30716b4f81b12f26e.
Hope ticket is ok so...
Offline
Ticket http://synopse.info/fossil/tktview/d214048facaa394 is correct.
But I still do not understand your request.
Why on earth would the Call.InHead contain the authentication at mORMot level?
mORMot won't use this value at all.
Are you not meaning Call.OutHead?
I'm a little confused by your request.
What we can do is handle basic-authentication at mORMot level, in addition to other means...
But sounds not like what you want...
Edit: I just understood that you need it at CLIENT level.
OK - does make sense.
But even more if we implement it at server level also.
For compatibility reasons (over SSL) with some weak / old / third party clients.
Offline
>But even more if we implement it at server level also.
No.
You only need it in client. The (mORMot)server knows nothing about this special HTTP-Header.
>For compatibility reasons (over SSL) with some weak / old / third party clients.
No.
The advantage is the use of an existing authentication system (my bsd-apache has been ready for SSL and authentication over LDAP for years).
Why should I make the mORMot-Server SSL-able? In mORMot I need authorization, but not authentication.
The Auth-Basic is not for mORMot, but for apache as proxy:
mORMOT-Client-->HTTPS(apache-proxy)-->HTTP(mORMot-Server).
In my firewall only one port is open, which forwards to a bsd-apache-server. Behind the firewall are my several mORMot-Windows-Servers.
The mORMot-Windows-Servers don't have authentication. They trust everything that comes from my bsd-apache.
For Windows clients I've solved this problem, but it would be good if you could incorporate this feature in mORMot.
BUT: I already have this problem in CrossPlatform. A little test shows that CrossPlatform works well under FMX with an Android client, but not with SSL,
neither with an FMX Windows client nor an FMX Android client.
Exception is: EIdIOHandlerPropInvalid (Values for IOHandler is invalid).
What am I doing wrong?
Last edited by danielkuettner (2014-08-07 06:24:47)
Offline
Now Crossplatform-SSL works (first without my special Basic-Auth problem):
In SynCrossPlatformSpecific.pas the following changes had to be made:

322:

    uses
      IdHTTP, IdSSLOpenSSL;

480:

    constructor TIndyHttpConnectionClass.Create(
      const aParameters: TSQLRestConnectionParams);
    var
      LHandler: TIdSSLIOHandlerSocketOpenSSL;
    begin
      inherited;
      fConnection := TIdHTTP.Create(nil);
      if fParameters.Https then begin
        // attach an OpenSSL IOHandler for https; it is owned by fConnection
        // so that it is freed together with the connection
        LHandler := TIdSSLIOHandlerSocketOpenSSL.Create(fConnection);
        fConnection.IOHandler := LHandler;
      end;
      if fParameters.ProxyName<>'' then
        fConnection.ProxyParams.ProxyServer := fParameters.ProxyName;
    end;

Offline
I hope I don't bore others with my posts but I'm very happy that mORMot-Client for Crossplatform should work now with SSL and Auth Basic:
Because CrossPlatform is using TIdHTTP, fConnection.Request.Username and .Password have to be set in SynCrossPlatformSpecific.pas under row 512.
I don't know the best way to do this.
Offline
We have added HTTPS support for cross-platform Indy client, thanks to your patch.
See http://synopse.info/fossil/info/00baebf77b04d8
Now we will add Auth Basic support for client (and server, even if you won't use it yourself).
Offline
Thanks a lot.
Offline
We have just added TSQLRestServerAuthenticationHttpBasic authentication class.
See http://synopse.info/fossil/info/6d87b2af7bd
This commit includes a somewhat deep refactoring of the TSQLRestServerAuthentication* classes.
It should add HTTP Basic authentication on both client and server sides of mORMot.
For your specific proxy request, you can use TSQLRestServerAuthenticationHttpBasic.ClientSetUserHttpOnly() to force the header needed for your configuration.
Any feedback is welcome!
Offline
Ok, thanks. I will test it on Monday (I'm ill today).
Is it right that TSQLRestServerAuthenticationHttpBasic is only for VCL? Will you implement it in CrossPlatform too?
Offline
TSQLRestServerAuthenticationHttpBasic as client and server is only for VCL.
For SynCrossPlatformRest.pas, I've just added the ability to use your proxy request.
This is available via the new TSQLRestClientHTTP.SetHttpBasicAuthHeaders() method.
See http://synopse.info/fossil/info/ef9634a4acc99
I do not see any benefit of using HTTP Basic authentication in Cross-Platform mode, since other schemes are much safer.
Hope you would feel better soon!
Offline
AB, in your Blog about Authentication and Authorization you compare the auth-possibilities. One of them is HTTP basic auth over HTTPS.
I think this auth-method is like its name, basic. And I can't see a difference between VCL and CrossPlatform,
because my Apache is always the same, no matter whether the client is VCL or Android.
Therefore I need the possibility to set the TIdHttp.Request.Username and .Password with mORMot.
Offline
But which authentication class are you using?
AFAIR you use Basic auth just for connection to the proxy.
You set TSQLRestClientHTTP.SetHttpBasicAuthHeaders() on crossplatform clients, and TSQLRestServerAuthenticationHttpBasic.ClientSetUserHttpOnly() for VCL clients.
This will put the authentication header as expected by your apache proxy.
Then you can rely on TSQLRestAuthenticationDefault, from both VCL and crossplatform clients, for authentication and authorization on the mORMot server.
Offline
You are right, I use auth only for proxy.
OK, sounds good. I will test it on Monday (you know I'm ill).
But in my tests yesterday, I added the auth header and with TIdHttp it doesn't work (with VCL no problem).
So I think it will only work with Indy if I set Request.Username...
Last edited by danielkuettner (2014-08-09 06:48:16)
Offline
Why do you have no licenses for Delphi? Do you need one? You have such a great framework and no license?
Offline
Simply put: I spend a lot of time in mORMot, and don't get any money from it.
See http://blog.synopse.info/post/2014/02/2 … -free-beer
From time to time, a small donation, and some consulting.
But not enough to make my living.
For mobile clients, we use SmartMobileStudio (and PhoneGap), and not FMX.
So we can't afford to acquire the highly priced Delphi XE6 license, for platforms which we won't need.
Our main IDE is still Delphi 7, or SMS itself. Then we use some Unicode version of Delphi, most of the time via its command-line compiler, if we need a Unicode VCL application.
Offline
I've tested today your latest patches:
VCL works, CrossPlatform not.
I've used TSQLRestClientHTTP(Database).SetHttpBasicAuthHeaders('aUsername', 'aPassword') and the HTTP result code is 401.
There are two problems:
1. AuthHeader produces wrong Base64; here the base64 string starts with a JSON flag '#$fff0'
2. in SynCrossPlatformSpecific (row 522) you have to grep fConnection.Request.RawHeaders for 'Authorization: Basic', extract username and password
with Base64Decode (this is not so nice, but is a quick suggestion to explain it)
and then set these properties:

    fConnection.Request.BasicAuthentication:= true;
    fConnection.Request.Username:= xxx
    fConnection.Request.Password:= xxx

This will work.
Offline
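The first problem above, shown on the wire as an added example (Python, not mORMot or Indy code): how the `Authorization: Basic` value is built, how a proxy decodes it, and why a value whose Base64 text is preceded by the `#$fff0` flag gets a 401. The helper names and sample credentials are constructed for illustration, and the flag is modelled as the single character U+FFF0.

```python
import base64
import binascii

JSON_FLAG = "\ufff0"  # the '#$fff0' marker from the post, modelled as U+FFF0


def basic_auth_header(username, password):
    """Build the Authorization value: 'Basic ' + Base64('user:password')."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(value):
    """Decode as a proxy would; return (user, password) or None if invalid."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip().encode("ascii"), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (UnicodeError, binascii.Error):
        return None  # non-ASCII or non-Base64 text: the proxy answers 401
    return (user, password) if sep else None


def diagnose(value):
    """Classify a header value as 'ok', 'json-flag-prefix' or 'malformed'."""
    if parse_basic_auth(value) is not None:
        return "ok"
    scheme, _, token = value.partition(" ")
    if token.startswith(JSON_FLAG) and parse_basic_auth(f"{scheme} {token[1:]}"):
        return "json-flag-prefix"
    return "malformed"


if __name__ == "__main__":
    good = basic_auth_header("aUsername", "aPassword")  # constructed sample
    bad = "Basic " + JSON_FLAG + good[len("Basic "):]   # flag before the Base64
    for value in (good, bad, "Basic not-base64!"):
        print(diagnose(value), parse_basic_auth(value))
```

Decoding needs no key, which is why the setup in this thread depends on SSL between the client and the Apache proxy.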
We have fixed point 1.
About point 2, are you sure the "Authorization:" header is overridden by Indy?
I did not find anywhere in the Indy source code where this header is modified.
We added your proposal...
But Indy is really a weird beast...
Offline
I'm not such a good developer and assembler is for me like a carbon copy of Chinese,
but I'm sure Indy ignores that Authorization: Basic header.
I will try your patch on Monday (I'm no longer sick, but I have a wife).
Offline
I've tested 6b92f4c586 and it works.
Important notice:
- for iOS (and Android clients) you will get an IOHandler error; here you have to include IdSSLOpenSSLHeaders_Static in your uses and copy libcrypto.a and libssl.a (http://indy.fulgan.com/SSL/OpenSSLStaticLibs.7z).
This could also be useful: http://blog.marcocantu.com/blog/using_s … i_ios.html
Last edited by danielkuettner (2014-08-11 07:41:04)
Offline