当启用 mod_auth_radius.c 时,基于 AuthUserFile 的 Apache Basic 身份验证将被忽略

tag-icon tag-icon apache-2.4 redhat radius
当启用 mod_auth_radius.c 时,基于 AuthUserFile 的 Apache Basic 身份验证将被忽略

我希望你能帮助我解决我的问题。

我最初有一个使用“AuthUserFile”进行基本身份验证的 vhost 配置,它工作正常。现在我想对某些网站使用 Radius,并根据说明安装了“mod_auth_radius”。从那时起,其他网站也尝试通过 radius 而不是“AuthUserFile”进行身份验证,尽管那里没有配置 radius。

[001mgm ~]$ grep LoadModule /etc/httpd/conf/httpd.conf
# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so
[001mgm ~]$
[001mgm ~]$
[001mgm ~]$ sudo httpd -M | egrep '(rad|basic|core|file)'  core_module (static)
 radius_auth_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)

这是第一个带有 AuthUserFile 身份验证的 vhos1-site.conf

# domain name
Define SERVER_NAME site1.x.x.x
Define ROOTDIR /..../site1
Define LOCATION site1

# HTPASSWD File
<AuthnProviderAlias file allowed-users>
        AuthUserFile ${ROOTDIR}/.htpasswd
</AuthnProviderAlias>
<VirtualHost *:80>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        RedirectMatch (.*) https://${SERVER_NAME}$1
</VirtualHost>
<VirtualHost *:443>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        DocumentRoot ${ROOTDIR}

        LogLevel debug rewrite:trace6
        #LogLevel error ssl:warn
        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        SSLEngine on
        SSLCertificateFile ${SSL_CERT}
        SSLCertificateKeyFile ${SSL_KEY}

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
        SSLCompression Off

        <Directory ${ROOTDIR}>
                Options Indexes MultiViews FollowSymlinks SymLinksIfOwnerMatch
                DirectoryIndex index.php
                <RequireAll>
                        Require ip ....
                        Require ip ....
                        Require ip ....
                </RequireAll>
                SSLRequireSSL
                AuthType Basic
                AuthName "Auth for ${Location}"
                AuthBasicProvider allowed-users
                Require valid-user
        </Directory>
</VirtualHost>

第二个 vhost-site2.conf 具有 radius 身份验证:

# domain name
Define SERVER_NAME site2.x.x.x
Define ROOTDIR /..../site2
Define LOCATION site2

# RADIUS
Define RADIUS_HOST x.x.x.x:1812
<IfModule mod_auth_radius.c>
        AddRadiusAuth ${RADIUS_HOST} xxxxsecretxxxx 5:3
        AddRadiusCookieValid 5
</IfModule>

<VirtualHost *:80>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        RedirectMatch (.*) https://${SERVER_NAME}$1
</VirtualHost>
<VirtualHost *:443>
        ServerName ${SERVER_NAME}
        ServerAdmin ${SERVER_ADMIN}

        DocumentRoot ${ROOTDIR}

        LogLevel debug rewrite:trace6
        #LogLevel error ssl:warn
        CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}/error.log

        SSLEngine on
        SSLCertificateFile ${SSL_CERT}
        SSLCertificateKeyFile ${SSL_KEY}

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
        SSLCompression Off

        <Directory ${ROOTDIR}>
                Options Indexes MultiViews FollowSymlinks SymLinksIfOwnerMatch
                DirectoryIndex index.php
                <RequireAll>
                        Require ip ....
                        Require ip ....
                        Require ip ....
                </RequireAll>
                SSLRequireSSL
                AuthType Basic
                AuthName "Auth for ${Location}"
                AuthBasicProvider radius
                AuthBasicAuthoritative Off
                AuthRadiusAuthoritative on
                AuthRadiusActive On
                AddRadiusCallingStationID ${Location}
                AuthRadiusCookieValid 15
                AuthRadiusDebug on
                Require valid-user
        </Directory>
</VirtualHost>

日志显示(调试)以下内容:

AH02034: Initial (No.1) HTTPS request received for child 146 (server site1.x.x.x.x:443)
[Thu Jul 20 15:31:44.459561 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1308): Radius Auth for: site1.x.x.x.x requests / : file=/.../site1/
[Thu Jul 20 15:31:44.459587 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1338): No cookie found.  Trying RADIUS authentication.
[Thu Jul 20 15:31:44.460186 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1037): Sending packet on x.x.x.x:1812
[Thu Jul 20 15:31:44.516263 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1196): RADIUS authentication failed for user "user_in_AuthFile"
[Thu Jul 20 15:31:44.516284 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1355): RADIUS authentication for user=user_in_AuthFile password=yyyyyy failed
[Thu Jul 20 15:31:44.516293 2023] [:debug] [pid 10342:tid 139805463598848] mod_auth_radius.c(1361): Sending failure message to user=user_in_AuthFile

如您所见,即使在 vhost-site1.conf 中未配置 radius,也会通过 radius 检查身份验证,而不是通过本地文件检查。

当我禁用“radius_auth_module”并重新启动 apache 时,site1 上的身份验证再次有效。

我的 vhosts-config 或 httpd.conf 有什么问题?

非常感谢任何提示或建议

相关内容