Translated message

A translation of this page exists in English.

一致する ProxyPass が有効の場合に mod_auth_openidc 検出応答が壊れる

Solution In Progress - Updated -

Issue

  • ProxyPass が要求に一致する場合、期待どおりに mod_auth_openidc から検出応答を受信できません。mod_auth_openidc は、ProxyPass が無効になっていれば機能します。デバッグログによると、mod_auth_openidc はハンドラーフック内で提供されるように検出応答を遅らせます。
[Thu May 18 11:46:05.017987 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2277): [client 127.0.0.1:44966] oidc_authenticate_user: enter
[Thu May 18 11:46:05.017989 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2288): [client 127.0.0.1:44966] oidc_authenticate_user: defer discovery to the content handler
[Thu May 18 11:46:05.017993 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(4045): [client 127.0.0.1:44966] oidc_authz_checker: enter: require_args="accessAllowed:true"
[Thu May 18 11:46:05.017996 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of Require claim accessAllowed:true: granted
[Thu May 18 11:46:05.017999 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of <RequireAny>: granted
  • しかし、mod_proxy は最初にフックハンドラーフェーズで要求を処理するため、mod_auth_openidc はそれを処理しません。
[Thu May 18 11:46:05.018020 2023] [proxy:debug] [pid 121870:tid 140413968389888] mod_proxy.c(1265): [client 127.0.0.1:44966] AH01143: Running scheme http handler (attempt 0)
[Thu May 18 11:46:05.018024 2023] [proxy_ajp:debug] [pid 121870:tid 140413968389888] mod_proxy_ajp.c(764): [client 127.0.0.1:44966] AH00894: declining URL http://localhost/helloworld/
[Thu May 18 11:46:05.018027 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1021): [client 127.0.0.1:44966] AH01076: url: http://localhost/helloworld/ proxyname: (null) proxyport: 0
[Thu May 18 11:46:05.018030 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1024): [client 127.0.0.1:44966] AH01077: declining URL http://localhost/helloworld/
[Thu May 18 11:46:05.018041 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2353): AH00942: HTTP: has acquired connection for (localhost)
[Thu May 18 11:46:05.018045 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2408): [client 127.0.0.1:44966] AH00944: connecting http://localhost/helloworld/ to localhost:80
[Thu May 18 11:46:05.018204 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2634): [client 127.0.0.1:44966] AH00947: connected /helloworld/ to localhost:80
[Thu May 18 11:46:05.018283 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(3095): (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
[Thu May 18 11:46:05.018326 2023] [proxy:error] [pid 121870:tid 140413968389888] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
[Thu May 18 11:46:05.018333 2023] [proxy_http:error] [pid 121870:tid 140413968389888] [client 127.0.0.1:44966] AH01114: HTTP: failed to make connection to backend: localhost

Environment

  • Red Hat Enterprise Linux (RHEL)
  • Apache httpd
  • mod_auth_openidc

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content