How Apache Processes Access Requests

Background

As you may have read in some of my previous posts, I’ve been changing the authentication datastore for many of my web-based apps to Kerberos based authentication. However, I recently needed to have certain hosts on my networks run automated scripts against some of these web apps without authentication. I found the “Satisfy” directive to allow this behavior. Setting this to “Any” allows the scripts to do their work without having to authenticate. If for no one else but myself, below are my notes.

Example

<Directory /var/www/html>

    #
    # 1. authentication datastore 
    #
    AuthName "Kerberos"
    AuthType Kerberos
      # use a distinct service keytab for Apache
    Krb5Keytab /etc/krb5-HTTP.keytab
    KrbAuthRealm <DOMAIN.TLD>
      # require use of a TGT, not a password prompt from the web app
    KrbMethodK5Passwd off
      # don't allow the server to save creds, unless needed
    KrbSaveCredentials off
      # let's be explicit as to which principal we want to use
    KrbServiceName HTTP/<host.domain.tld>

    #
    # 2. authentication requirements
    #
    Require group app_<service>

    #
    # 3. source host requirements
    #
    Order allow,deny
    Allow from <hostname.domain.tld>

    #
    # 4. which requirements (auth or host) need to be satisfied
    #
    Satisfy Any

</Directory>


How This Works

  1. In the first section, we’re just setting up the authentication datastore. Nothing new here.
  2. In the second section, we establish an authentication requirement.
    • In LDAP, I create a new group for each web app. Users who need access to that web app are added to the appropriate group in LDAP. Again, nothing new.
  3. In the third section, I added an Order directive. Here’s how Order breaks down:
    • By specifying “allow,deny”, Apache will process any and all “Allow” statements followed by any and all “Deny” statements.
    • For anything not explicitly defined, Apache will deny access.
  4. If I were to have ended the Directory with section 3, Apache would require all connections to both a) be authenticated and b) come from a specific source. This is not what I wanted and why the “Satisfy” directive comes in handy. “Satisfy” here states that either auth or source is acceptable. So, if a connection comes from the specified host, it does not also have to be authenticated. If a connection comes from any other source, it will have to be authenticated. If neither of these requirements are satisfied, then access is denied.

References

This is a personal website. Unless otherwise stated, the content and opinions expressed here are my own and not those of my employer.