
To authenticate users for our applications, I have a setup which can be represented with the following diagram:

[Diagram not reproduced here; the image is taken from the Oracle OpenSSO documentation]

I have a server with OpenAM running on it (OpenSSO Enterprise in the diagram), several client servers, and an Apache2 (httpd) server acting as a reverse proxy with two agent configurations. I have a working flow of authentication and redirection using the following virtual host configuration:

<VirtualHost *:443>
    AmAgent On
    AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf

    ProxyPreserveHost On
    ProxyPass /application1 https://server1.com:10443/application1
    ProxyPassReverse /application1 https://server1.com:10443/application1
</VirtualHost>

I connect to https://reverseproxy.com/application1, am redirected to OpenAM for authentication, and after logging in get redirected to my landing page on server1.com. I also have a secondary configuration (agent_2) which does its authorization correctly, based on the policy profile configured in OpenAM.

My issue arises when I want to use two different OpenAM configurations on two different ProxyPass/ProxyPassReverse instances. The snippet above applies the AmAgentConf to everything within the virtual host listening on port 443. But I want two applications, both reachable on the same reverse proxy URL, to use their own agent configuration. Ideally, I'd like something like the following:

<VirtualHost *:443>
    ProxyPreserveHost On

    ProxyPass /application1 https://server1.com:10443/application1
    ProxyPassReverse /application1 https://server1.com:10443/application1

    ProxyPass /application2 https://server2.com:443/application2
    ProxyPassReverse /application2 https://server2.com:443/application2

    <Proxy "https://server1.com:10443/*">
        AmAgent On
        AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
    </Proxy>

    <Proxy "https://server2.com:443/*">
        AmAgent On
        AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_2/config/agent.conf
    </Proxy>
</VirtualHost>

But AmAgent and AmAgentConf are not allowed within the <Proxy> container:

centos httpd[1238]: AH00526: Syntax error on line 28 of /etc/httpd/conf.d/default-site.conf:
centos httpd[1238]: AmAgent not allowed here

I've read the OpenAM documentation about configuring OpenAM on virtual hosts, but I'm not configuring two separate DocumentRoots. The applications aren't on Apache itself; it just forwards.

I'm probably able to listen on two separate ports (e.g. 443 and 444) and configure the agent based on the port. But that's just ridiculous. It seems like a common issue, but my configuration just won't cooperate.

So in essence, how do you configure two (or more) proxied applications to use an alternative agent configuration?

Jaims
  • Can't the agent handle two different paths in one single server with one single configuration? The way you describe it, the agent seems to take effect on the proxy, not the backend, so defining it twice, once for each backend, looks odd. – ezra-s Sep 27 '17 at 12:06
  • @ezra-s yes, it can handle two different paths for a single VirtualHost, and thus two identically configured back-end servers. But `server1` and `server2` use different authentication methods (e.g. Active Directory and username/password), which are defined in two separate agent configurations. I'd like the reverse proxy to be responsible for the redirect and authentication for these two servers. – Jaims Sep 27 '17 at 12:39
  • Try defining your AmAgent directives in separate Location directives instead of using Proxy. – ezra-s Sep 27 '17 at 13:15
  • @ezra-s I have; sadly it's also not allowed inside the Location directive. I haven't found any documentation about the AmAgent directive itself, but it seems quite picky. It can't be placed inside the `If` directive either, to try and create something dynamic. – Jaims Sep 27 '17 at 13:40

0 Answers
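The thread establishes two facts: the agent directives work at VirtualHost level (the first snippet in the question), and they are rejected inside <Proxy>, <Location> and <If>. That leaves "one virtual host per agent profile" as the unit of configuration, but the split does not have to be per port: two name-based TLS virtual hosts can share *:443, be told apart by SNI, and each carry its own AmAgentConf and its own ProxyPass. The following is an added example, not the poster's configuration and not taken from the OpenAM agent documentation. The hostnames app1.reverseproxy.com and app2.reverseproxy.com, the certificate paths, and the assumption that the agent_1 and agent_2 profiles in OpenAM are registered for those hostnames are mine; the agent.conf paths and backend URLs are the ones from the question.

```apache
# Added example (not from the original post): one name-based TLS virtual host
# per proxied application, so each application gets its own AmAgentConf at the
# only level the agent accepts it (VirtualHost) without opening a second port.
# Assumed: mod_ssl, mod_proxy and mod_proxy_http are loaded, DNS for both
# hostnames points at this proxy, and clients send SNI (all current browsers do).
# Apache does not allow comments on the same line as a directive, so every
# comment here sits on its own line.

Listen 443

# application1 -> agent_1 profile (the poster's Active Directory case).
# Listed first on purpose: a client that sends no SNI lands in the first
# *:443 vhost, so the stricter profile should be the default.
<VirtualHost *:443>
    # assumed hostname
    ServerName app1.reverseproxy.com

    SSLEngine on
    # assumed certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/app1.reverseproxy.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app1.reverseproxy.com.key
    # the backend is https://, so outbound TLS from mod_proxy must be enabled
    SSLProxyEngine on

    # agent instance 1, exactly as in the question
    AmAgent On
    AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf

    ProxyPreserveHost On
    ProxyPass        /application1 https://server1.com:10443/application1
    ProxyPassReverse /application1 https://server1.com:10443/application1
</VirtualHost>

# application2 -> agent_2 profile (the poster's username/password case).
<VirtualHost *:443>
    # assumed hostname
    ServerName app2.reverseproxy.com

    SSLEngine on
    # assumed certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/app2.reverseproxy.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app2.reverseproxy.com.key
    SSLProxyEngine on

    # agent instance 2, exactly as in the question
    AmAgent On
    AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_2/config/agent.conf

    ProxyPreserveHost On
    ProxyPass        /application2 https://server2.com:443/application2
    ProxyPassReverse /application2 https://server2.com:443/application2
</VirtualHost>
```

Run `apachectl configtest` before reloading; it is the same check that produced the AH00526 "not allowed here" error in the question, so it will confirm that both AmAgent directives are now in an accepted context. Two caveats follow from the design rather than from the agent: with ProxyPreserveHost On each backend now sees its vhost name (app1.reverseproxy.com or app2.reverseproxy.com) as the Host header instead of reverseproxy.com, and whatever URL OpenAM redirects back to after login must be the vhost that carries the matching agent profile, which is why the assumption that each agent profile is registered for its hostname matters. The same split with ports 443 and 444, as the question suggests, needs only a different Listen/VirtualHost address instead of ServerName.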