To authenticate users for our applications, I have a setup which can be represented with the following diagram:
I have a server with OpenAM running on it (OpenSSO Enterprise in the diagram), have several client servers and use an Apache2 (HTTPD) server as a reverse proxy with two agent configurations.
I have a functional flow of authentication and redirection using the following virtual host configuration:
<VirtualHost *:443>
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
ProxyPreserveHost On
ProxyPass /application1 https://server1.com:10443/application1
ProxyPassReverse /application1 https://server1.com:10443/application1
</VirtualHost>
I connect to https://reverseproxy.com/application1, get redirected for OpenAM authentication and get redirected to my landing page on server1.com after logging in.
I also have a secondary configuration (agent_2) which does its correct authorization, based on the policy profile configured in OpenAM.
My issue arises when wanting to configure two different OpenAM configurations on two different ProxyPass/ProxyPassReverse instances.
The snippet above uses the AmAgentConf on everything within the virtual host listening on port 443.
But I want two applications, both reachable on the same reverse proxy URL, to use the correct agent configuration.
Ideally, I'd like something like the following:
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass /application1 https://server1.com:10443/application1
ProxyPassReverse /application1 https://server1.com:10443/application1
ProxyPass /application2 https://server2.com:443/application2
ProxyPassReverse /application2 https://server2.com:443/application2
<Proxy "https://server1.com:10443/*">
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
</Proxy>
<Proxy "https://server2.com:443/*">
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_2/config/agent.conf
</Proxy>
</VirtualHost>
But AmAgent and AmAgentConf are not allowed within the <Proxy/> directive.
centos httpd[1238]: AH00526: Syntax error on line 28 of /etc/httpd/conf.d/default-site.conf:
centos httpd[1238]: AmAgent not allowed here
I've read the OpenAM documentation about configuring OpenAM on virtual hosts, but I'm not configuring two separate DocumentRoots. The applications aren't on Apache itself; it just forwards.
I'm probably able to listen on two separate ports (e.g. 443 and 444) and configure the agent based on the port. But that's just ridiculous. It seems like a common issue, but my configuration just won't cooperate.
So in essence, how do you configure two (or more) proxied applications to use an alternative agent configuration?
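As an added check (not part of the original question, and not code from the OpenAM agent or httpd), a small Python audit that walks the httpd container blocks and reports, per <VirtualHost>, which agent.conf is set and which ProxyPass prefixes it therefore covers, while flagging AmAgent/AmAgentConf lines nested inside any other container, which is what produces the AH00526 error shown above. It assumes those two directives are valid only at server or virtual-host scope and runs on a constructed config sample modelled on the second snippet.

```python
import re

# Constructed sample (not from the page as-is): the intended layout with the
# agent directives nested inside <Proxy>, which httpd rejects with AH00526.
NESTED_CONF = """\
<VirtualHost *:443>
ProxyPass /application1 https://server1.com:10443/application1
ProxyPass /application2 https://server2.com:443/application2
<Proxy "https://server1.com:10443/*">
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
</Proxy>
</VirtualHost>
"""

AGENT_DIRECTIVES = {"amagent", "amagentconf"}
OPEN_TAG = re.compile(r"^<(\w+)\b([^>]*)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")

def audit_agent_scope(conf_text):
    """Return (vhosts, misplaced): per-<VirtualHost> agent conf and proxied prefixes,
    plus agent directives nested in another container, which httpd rejects (AH00526).
    Assumption: AmAgent/AmAgentConf are valid only at server or virtual-host scope."""
    stack, vhosts, misplaced = [], [], []   # stack = currently open container names
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1).lower() == "virtualhost":
                vhosts.append({"host": m.group(2).strip(), "agent_conf": None, "proxied": []})
            continue
        if CLOSE_TAG.match(line):
            stack.pop()
            continue
        parts = line.split(None, 2)
        name = parts[0].lower()
        in_vhost = bool(stack) and stack[-1].lower() == "virtualhost"
        if name in AGENT_DIRECTIVES and stack and not in_vhost:
            misplaced.append((n, parts[0], stack[-1]))   # container httpd will reject
        elif name == "amagentconf" and in_vhost:
            vhosts[-1]["agent_conf"] = parts[1]          # one conf for the whole vhost
        elif name == "proxypass" and in_vhost and len(parts) > 2:
            vhosts[-1]["proxied"].append(parts[1])       # prefix that conf will guard
    return vhosts, misplaced
```

Running it on the page's working first snippet instead reports a single vhost whose agent_1 conf covers /application1, which is exactly the "everything on port 443" behaviour the question describes.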