The Apache HTTP server is the Apache Software Foundation's web server. See the project's website for more details.
All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).
1. System Preparation
1.1. Add the Moonshot libraries
If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on Debian 8.
2. Installation Instructions
To use the Apache module, install it and the MIT Kerberos client package:
$ apt-get install krb5-user apache2-mpm-prefork libapache2-mod-auth-gssapi
To install the Apache module, issue the following command (or create the appropriate symlinks manually):
$ a2enmod auth_gssapi
Add a dummy Kerberos key so that the module finds a usable keytab:
$ ktutil
ktutil: addent -password -p HTTP/localhost@YOUR-WEBSERVER-HOSTNAME -k 1 -e aes256-cts
<enter any password>
ktutil: wkt /etc/apache2/krb5.keytab
ktutil: quit
Export the location of the keytab file into Apache's config:
$ echo export KRB5_KTNAME=/etc/apache2/krb5.keytab >> /etc/apache2/envvars
Assign the correct permissions to the keytab file:
$ chown www-data /etc/apache2/krb5.keytab
Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:
$ su - --shell=/bin/bash www-data
$ cat path_to_ca.pem
$ cat path_to_client.pem
$ cat path_to_client.key
Verify that the KeepAlive option is enabled in the Apache configuration file /etc/apache2/apache2.conf:
KeepAlive On
Restart Apache:
$ service apache2 restart
3. Configuration Instructions
Shibboleth2 Apache module incompatibility
Please read Section 6.2 in Apache HTTPD on module incompatibilities.
3.1. Protecting a location with Moonshot
To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".
The /etc/apache2/conf.d/auth_gssapi.conf file contains a sample configuration that can get you started.
Example
To allow anyone with a valid Moonshot account to access /wherever, you would do the following:
<Location "/wherever">
    AuthType Negotiate
    Require valid-user
</Location>
3.2. Populating REMOTE_USER
Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.
To populate REMOTE_USER, update the FreeRADIUS reply from the RP Proxy with the User-Name RADIUS attribute in the RP Proxy's post-auth section:
update reply {
    User-Name := "content"
}
3.3. Accessing Moonshot attributes
The Moonshot module can use either the Shibboleth attribute resolver library, which maps RADIUS and SAML attributes to internal Shibboleth attributes and then to environment variables, or its own internal JSON attribute resolver, which maps RADIUS or SAML attributes directly to environment variables. Read more at Configure a Linux Server's Attribute Resolution about how to configure the Shibboleth or the internal JSON attribute resolver.
We are working on enhancements that allow the Moonshot module to expose attributes in the same way as the RedHat module.
4. HTTPS Internet Explorer compatibility
For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.