Hey. In Apache 2.2 times I've used SSLOptions +fakeBasicAuth, but now I wanted to switch to AuthBasicFake, which I hoped also allows me to use something else than the certs full DN (which e.g. isn't recognized by Grafana as valid username) as username. So I did something like (for a reverse proxy): <Proxy "http://example.org/*"> Satisfy all # yeah I know, these are legacy, sorry ^^ Order allow,deny Allow from all Require group someGroup AuthType basic AuthName "Grafana" AuthBasicProvider file AuthUserFile someUsersFile AuthGroupFile someGroupsFile #SSLOptions +fakeBasicAuth AuthFakeBasic "%{SSL_CLIENT_SAN_Email}" </Proxy> With fakeBasicAuth, the "username" (i.e. the full DN) would have then been fed through the someUsersFile (and someGroupssFile for the groups) and only if it found a matching one there, it would have passed. With AuthFakeBasic this seems to be not the case, it always tells me that there would be no resulting user. (And of course I added a <email>:<hash of "password"> entry to the someUsersFile. From AuthFakeBasic it's IMO not really clear whether this is even expected to work, cause that says "The username and password specified are combined into an Authorization header, which is passed to the server or service behind the webserver." which sounds a bit, as if this would happen *DIRECTLY*. It did work, when I use AuthFakeBasic alone, but that has of course the (IMO quite big) disadvantage that it would grant *any* trusted certificate access (of course only with e.g. the respective SSL_CLIENT_SAN_Email as username. Still, that will require one to have another form of account management on the backend server, which then tells that e.g. foo@example.org is an account but bar@example.com is not. Thereby one looses the nice feature, that one can have really all policy in Apache (respectively the UserFiles) and let the backend e.g. automatically create a new account for anything that's allowed (by Apache) to connect. a) Could AuthFakeBasic be made work so that it's username/password must match any in the AuthUserFile? (Of course only of if Satisfy/Require/etc. are set accordingly)? b) If not, can it at least be better documented that this works only standalone? Thanks, Chris.
I tried to add a contrast between the two directives here from what I could see in the code/comments http://svn.apache.org/viewvc?view=revision&revision=1907762 In trunk only, SSLUserName impacts how +fakebasicauth work. But in 2.4.x. Similar to changing the timing of the mod_auth_basic directive, it seems like it could have an adverse affect. It probably needs to be duplicated (SSLFakeBasicUsername) to be improved safely. Alternatively, "AuthFakeBasic expression [early]"
Hey Eric. Thanks for the clarifying commits. I would have perhaps added some concrete example directives to point out which are meant, but I guess it's also enough like that. I assume this also means that it would not be feasible to implement something that actually allows it to be used in conjunction with the others? Or would it be possible to add some functionality to mod_ssl's fakeBasicAuth to use another value instead of the full DN? Or is there some easy mechanism for a general username mapping (which one could then use to map form DN to username)? Anyway, guess from my side you this can be marked fixed and closed. Regards, Chris.
Thinking a bit more about it,... maybe the documentation should actually tell a bit more, namely with which options AuthBasicFake can actually be combined. I assume e.g. AuthName makes no sense. But is e.g. "AuthType basic" needed? Any others that work with it?