Moonshot
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

The Apache HTTP server is the Apache Software Foundation's web server. See the project's website for more details.

Contents

1. Overview

Apache HTTPD is generally compatible with Moonshot through the use of an Apache GSS-API module.

2. Compatibility

2.1. Key

In the tables below, the following icons have the following meanings:

  • (tick) - This version of the software has been tested and verified as supporting Moonshot.
  • (error) - This version of the software has been tested and verified as not supporting Moonshot.
  • (question) - This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!

2.2. Compatibility List

Note that accessing supported versions of this software requires a Moonshot compatible client - see the next section for details on which clients are supported.

Any versions not listed below have not yet been tested. If you do so, please let us know!

VersionCompatible?Notes
Apache 2.4(tick)Using the Moonshot mod_auth_gssapi or the Github GSSAPI Negotiate modules
Apache 2.2(tick)Using the Moonshot mod_auth_gssapi module
Apache 2.0(question) 
Apache 1.3(question) 

3. Installation & Configuration

How you set up a Moonshot-enabled version of the Apache HTTP server will differ depending on your OS. See the relevant pages for your particular distribution:

Instructions for building the module manually for RHEL-based platforms can be found here.

4. Client Compatibility

The following clients are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that client):

5. Next Steps

Once you have installed the software, what happens next?

5.1. Account Mapping

To Come

5.2. Testing

The simplest way to test the Apache Moonshot integration is to create a simple script, protected by Moonshot. To do this, do the following:

  1. Create a simple script to protect by creating a directory for cgi scripts.

    $ mkdir /var/www/moonshot

  2. Create a script in that directory called "hello.cgi" with the following content:

    #!/bin/sh
# disable filename globbing
set -f
echo Content-type: text/plain
echo
echo "Hello $REMOTE_USER, you have successfully authenticated."
echo "If an identifier is not displayed after Hello, but you can see this page, then your IdP is not releasing the AAA User-Name attribute to this service and you are anonymous."
echo
echo "Some information about your server:"
echo SERVER_SOFTWARE = $SERVER_SOFTWARE
echo SERVER_NAME = $SERVER_NAME
echo GATEWAY_INTERFACE = $GATEWAY_INTERFACE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL
echo SERVER_PORT = $SERVER_PORT
echo REQUEST_METHOD = $REQUEST_METHOD
echo HTTP_ACCEPT = "$HTTP_ACCEPT"
echo PATH_INFO = "$PATH_INFO"
echo PATH_TRANSLATED = "$PATH_TRANSLATED"
echo SCRIPT_NAME = "$SCRIPT_NAME"
echo QUERY_STRING = "$QUERY_STRING"
echo REMOTE_HOST = $REMOTE_HOST
echo REMOTE_ADDR = $REMOTE_ADDR
echo REMOTE_USER = $REMOTE_USER
echo AUTH_TYPE = $AUTH_TYPE
echo CONTENT_TYPE = $CONTENT_TYPE
echo CONTENT_LENGTH = $CONTENT_LENGTH

  3. Set the permissions appropriately:

    $ chown -R www-data /var/www/moonshot && chmod 755 /var/www/moonshot/hello.cgi

  4. Configure Apache to protect this location, by creating a file at /etc/apache2/conf.d/moonshot.conf with the following content:

    <Directory "/var/www/moonshot/">
    AuthType Negotiate
    Require valid-user
    AddHandler cgi-script .cgi
    Options +ExecCGI
</Directory> 

  5. Restart Apache2

    $ service apache2 restart
  6. Test by browsing to http://$yourservername/moonshot/hello.cgi with a compatible browser.

6. Troubleshooting

6.1. mod_shib Shibboleth module incompatibility

This module is currently not compatible with the Shibboleth2 service provider Apache module. When testing or using the Moonshot module, disable the Shibboleth module and restart the webserver before attempting your test. We are attempting to resolve this problem.

One of the symptoms of this incompatibility is text similar to the below in the Apache error log (error_log):

error_log entry
[date time] [error] [client 1.2.3.4] Failed to establish authentication: Invalid token was supplied (Unknown error)
[date time] [notice] child pid 12345 exit signal Segmentation fault (11)

To resolve this error, disable the Shibboleth module.

6.2. AppArmor and SELinux

Ubuntu's AppArmor and the RedHat SELinux systems are also known to interfere with Apache's loading of the Moonshot module. Follow the appropriate operating system's instructions on how to allow Apache to access files outside its assigned directories.

  • No labels