(third party) Apache module mod_auth[n]_nufw

This module provides SSO user authentication, based on NuFW Firewalling solution.

Status: Extension
Source File: mod_auth_nufw.c
Module Identifier: mod_auth_nufw (1.3 and 2.0), mod_authn_nufw (2.2)
Compatibility: Available in Apache 1.3, 2.0 and 2.2.

Summary

This module allows for a totally transparent, and strict, identification of users. It uses NuFW as backend, performs SQL requests on the NuFW-fed SQL tables. This module is probably of no use if not used with NuFW, as it lays on a database constantly up-to-date with user network activity.

For additional information, please visit NuFW website or mod_auth_nufw home page.

Compile time options

These options are available at compile time:

• --with-mysql
This option implies the module will connect to a Mysql database. If ommited, the module will connect to a PostGresql database.

Known problems

If you use PHP/SQL and observe children segfaults, here is the reason : your PHP module is linked on its own Mysql Library (bundled with PHP), while mod_auth_nufw is linked to the system's SQL library. Hence, a collision appears at runtime, which gets apache child to segfault (the segfault happens if mod_auth_nufw is loaded, and whether it is enabled or not). The solution to this is to recompile either PHP, either mod_auth_nufw, so they are linked on the same library.

Loading the module

On apache 1.3 or 2.0, add this line to your configuration file:

On apache 2.2, add this line to your configuration file:

General Naming of directives

Directives starting with AuthNufw are for 1.3 and 2.0 installations of the module.

Directives starting with AuthnNufw are for 2.2 installations of the module.

Note that the internals of mod_auth_nufw are the same from 2.0 to 2.2, only very minor API changes were reflected. The naming change is intended to make it clear and logical to the administrator that mod_auth_nufw is an Authentication module, ie, authorization is to be performed separately.

The description of all directives is therefore valid for 1.3, 2.0 and 2.2 installations.

Directives

• Auth[n]NufwEnabled
• Auth[n]NufwAuthoritative
• Auth[n]NufwProtocolVersion
• Auth[n]NufwAuthFrom
• Auth[n]NufwSQLHost
• Auth[n]NufwSQLPort
• Auth[n]NufwSQLDatabase
• Auth[n]NufwSQLTable
• Auth[n]NufwSQLUser
• Auth[n]NufwSQLPassword
• Auth[n]NufwSQLSSLEnabled
• Auth[n]NufwSQLSSLKeyfile
• Auth[n]NufwSQLSSLCertfile
• Auth[n]NufwSQLSSLCA
• Auth[n]NufwSQLSSLCAPath
• Auth[n]NufwSQLSSLCypher
• Auth[n]NufwTimeWindow
• Auth[n]NufwMaxSqlConns
• Auth[n]NufwMaxSimilarSqlConns
• Auth[n]NufwTokensEnabled

Auth[n]NufwEnabled directive

Specifies whether to activate mod_auth_nufw features. If set to Off, all other mod_auth_nufw directives will be ignored, apart from Auth[n]NufwTokensEnabled

Auth[n]NufwAuthoritative directive

Specifies whether Authentication should be tempted through other modules, if mod_auth_nufw fails. For instance, falling back into prompting user a login/password may be suitable if the Nufw SQL database is unreachable. If Set to On, no other module will be used.

Auth[n]NufwProtocolVersion directive

Specifies protocol version of the Nufw backend firewall. The default, version 2, is simplest. Everyone uses 2.0 anyway, so this option will be removed soon.

Auth[n]NufwAuthFrom directive

Specifies on which conditions the auth module should query the database. Typically, one will set it to their internal network address. This directive works on the same philosophy as "Allow" or "deny" from mod_access. Beware this is part of the mod_auth_nufw module, and can therefore of course be combined with "classical" allow and deny directives.

Auth[n]NufwSQLHost directive

Specifies SQL host to connect to to perform user identification. SQL table contains : UserID, TCP connection parameters and time of the connection. This parameter accepts either FQDN or IP address. Example:

    AuthNufwSQLHost 127.0.0.1

Auth[n]NufwSQLPort directive

Specifies SQL port to connect to to perform user identification.

    AuthNufwSQLPort 5432

Auth[n]NufwSQLDatabase directive

Specifies database to connect to to perform user identification. Example:

    AuthNufwSQLDatabase nulog

Auth[n]NufwSQLTable directive

Specifies database to connect to to perform user identification. Example:

    AuthNufwSQLTable nulog

Auth[n]NufwSQLUser directive

Specifies username to use for SQL connection. Example:

    AuthNufwSQLUser nulog

Auth[n]NufwSQLPassword directive

Specifies password to use for SQL connection. Example:

    AuthNufwSQLPassword nulog

Auth[n]NufwSQLSSLEnabled directive

Specifies whether to wrap SQL connection in a SSL session.

If this parameter is set to Off, all options starting with AuthNufwSQLSSL... are ignored

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwSQLSSLKeyfile directive

Specifies the full path of the file containing the private key for SSL encryption. This must be set if you want to use ssl.

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwSQLSSLCertfile directive

Specifies the full path of the file containing the public certificate for SSL encryption. This must be set if you want to use ssl.

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwSQLSSLCA directive

Specifies the full path of your Certificate Authority (CA) file, in PEM format. You can safely leave this unset if you do not have a CA file.

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwSQLSSLCAPath directive

Specifies the full path of a directory containing your Certificate Authority (CA) files, in PEM format. You can safely leave this unset if you do not have CA files.

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwSQLSSLCypher directive

the list of ciphers you wish to use for SQL connections. A complete cipher list on your system should be available if you issue : openssl ciphers. The default means "Use any but give RC4 the lowest priority". For more info see : http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp

This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.

Auth[n]NufwTimeWindow directive

Specifies a time window that must match user's connection. The Nufw SQL database contains records of users connections, with time of connection. When mod_auth_nufw receives a connection, it will match the connection's time against the time in the database. Due to network latency, it is possible that those two times be slightly different. The timewindow is the number of tenth of seconds around the "apache time" that will be accepted to match in the SQL records.
WARNING : if you use HTTP 1.1, this parameter will probably break your auth for all requests but the first in the connection. In that case, it is advised to leave this parameter to its default value of 0, which disables time matching. Example:

    AuthNufwTimeWindow 5

Auth[n]NufwMaxSqlConns directive

Specifies maximum overall number of SQL connections to open. When that number of connections is open, module refuses to open any more. This may hence totally block some connections in case you have several SQL servers to connect to. Use in conjunction with Auth[n]NufwMaxSimilarSqlConns to solve this potential problem, or set to 0 for no limit.

Auth[n]NufwMaxSimilarSqlConns directive

Specifies maximum number of SQL connections to maintain to a given target, per child, at any time. A target is an entity defined by (host, port, database name, table name, username, and optionnally SSL parameters).
It is to be noted that 1 should be an acceptable value for this parameter on Apache 1.3 as well as on 2.0 with MPM prefork, as children are not threaded on such setups. Set to 0 for no limit. Example:

    AuthNufwMaxSimilarSqlConns 5

Auth[n]NufwTokensEnabled directive

Specifies whether to mention "NuFW" in server tokens.

Sample configuration

    <Directory /var/www>
     <IfModule mod_auth_nufw.c>
      AuthnNufwEnabled On
      AuthnNufwAuthoritative Off
      AuthnNufwProtocolVersion 2
      AuthnNuFWSQLHost localhost
      AuthnNuFWSQLDatabase ulogd
      AuthnNuFWSQLTable conntrack_ulog
      AuthnNuFWSQLUser apache
      AuthnNuFWSQLPassword secret
      #Networks covered by NuFW auth. No SQL request will be performed if client is out of these networks. Auth will fallback (see below)
      AuthnNufwAuthFrom from 192.168.0.0/24
      AuthnNufwAuthFrom from 10.0.0.0/8
     </IfModule>
     AuthType Basic
     AuthName "INL OBM"
     # These two lines are optional : fallback in case NuFW is deactivated, and no result is found in database.
     AuthBasicProvider file
     AuthUserFile /etc/apache2/htpasswd
     # Authorization phase. This is most basic : any authenticated user (by NuFW or by htpasswd) can access the resource.
     Require valid-user
    </Directory>