[rt-users] RT with https (external authentication)
Michael Erana
cto at lanusa.com
Mon Mar 20 14:08:39 EST 2006
Sounds like you're running into a Virtual Hosts discrimination problem. Are you running any other VHOSTS on that box?
I'm running that exact config with external auth and https and I learned the hard way about SSL sessions and their dependency on an identifier like a port or IP address.
One other comment: I run both the SSL and the Standard config in the same .conf file for ease of use. I've included a sanitized version below:
#
# rt3prod.conf
# Request Tracker 3.4 Production Server
# Apache Configuration File
#
# $Author: merana $
# $Revision: 16 $
# $HeadURL: file:///var/svn/anon-prod/trunk/etc/rt3prod.conf $
# $Id: rt3prod.conf 16 2006-03-15 12:09:44Z merana $
FastCgiServer /usr/share/request-tracker3.4/libexec/mason_handler.fcgi

NameVirtualHost 192.168.1.49:80
<VirtualHost 192.168.1.49:80>
    ServerName rt.mydomain.com
    ServerAlias rt2.mydomain.com
    DocumentRoot /usr/share/request-tracker3.4/html
    AddDefaultCharset UTF-8
    ScriptAlias / /usr/share/request-tracker3.4/libexec/mason_handler.fcgi/
    AddHandler fastcgi-script fcgi
    CustomLog /var/log/apache2/rt.access.log combined env=!dontlog
    ErrorLog /var/log/apache2/rt.error.log

    RewriteEngine on
    #RewriteRule ^/rt$ /
    #RewriteRule ^/rt/(.*)$ /$1
    #RewriteRule ^/rt$ /rt/
    #RewriteCond %{REQUEST_FILENAME} -d
    #RewriteRule ^(/usr/share/request-tracker3.4/html.*)/$ $1/index.html

    # Hand every request to the RT FastCGI handler ...
    <Location />
        SetHandler fastcgi-script
    </Location>
    <Directory /usr/share/request-tracker3.4/html>
        SetHandler fastcgi-script
    </Directory>
    # ... except the static NoAuth tree (images, CSS), served by Apache itself
    <Directory /usr/share/request-tracker3.4/html/NoAuth>
        SetHandler default-handler
    </Directory>
</VirtualHost>

NameVirtualHost 192.168.1.49:443
<VirtualHost 192.168.1.49:443>
    ServerName rt.mydomain.com
    ServerAlias rt2.mydomain.com
    DocumentRoot /usr/share/request-tracker3.4/html
    AddDefaultCharset UTF-8
    ScriptAlias / /usr/share/request-tracker3.4/libexec/mason_handler.fcgi/
    AddHandler fastcgi-script fcgi
    CustomLog /var/log/apache2/rt.access.log combined env=!dontlog
    ErrorLog /var/log/apache2/rt.error.log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # Note: as written, this string still enables LOW, SSLv2, EXP and eNULL (null encryption) ciphers.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Server Certificate & Key Files
    SSLCertificateFile /etc/apache2/ssl/rt-cert.cer
    SSLCertificateKeyFile /etc/apache2/ssl/rt-cert.key

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    RewriteEngine on
    #RewriteRule ^/rt$ /
    #RewriteRule ^/rt/(.*)$ /$1
    #RewriteRule ^/rt$ /rt/
    #RewriteCond %{REQUEST_FILENAME} -d
    #RewriteRule ^(/usr/share/request-tracker3.4/html.*)/$ $1/index.html

    # Same handler mapping as the port-80 host; without it RT's static
    # "You're almost there" page is served instead of the application.
    <Location />
        SetHandler fastcgi-script
    </Location>
    <Directory /usr/share/request-tracker3.4/html>
        SetHandler fastcgi-script
    </Directory>
    <Directory /usr/share/request-tracker3.4/html/NoAuth>
        SetHandler default-handler
    </Directory>
</VirtualHost>
Michael Eraña, CISSP
CTO
PC Network, Inc.
eranam at lanusa.com
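A small lint, added here as an illustration and not code from the thread or from RT, that checks an Apache config for the things this exchange turns on: a port-443 vhost without SetHandler fastcgi-script (which is what makes RT show its "You're almost there" page), a 443 vhost missing SSLEngine on, and more than one SSL ServerName on one IP:port, which the server cannot discriminate without SNI. It also reports which weak tokens a cipher string like the one above still permits; the sample config embedded in it is constructed.

```python
import re
# Constructed sample (not from the thread): a 443 vhost copied from port 80 minus its
# FastCGI handler, the reply's cipher string, and a second SSL name on the same IP:port.
SAMPLE_CONF = """
<VirtualHost 192.168.1.49:443>
ServerName rt.mydomain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost 192.168.1.49:443>
ServerName other.mydomain.com
</VirtualHost>
"""
WEAK_TOKENS = {"eNULL", "aNULL", "ADH", "EXP", "LOW", "SSLv2"}
def parse_vhosts(conf: str) -> list[dict[str, list[str]]]:
    """One dict per <VirtualHost>: 'addr' plus directive -> values; nested tags skipped."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        block = {"addr": [m.group(1).strip()]}
        for line in (raw.strip() for raw in m.group(2).splitlines()):
            if line and not line.startswith(("#", "<")):  # <Location>/<Directory> lines skipped,
                key, _, val = line.partition(" ")          # so their SetHandler still counts here
                block.setdefault(key, []).append(val.strip())
        vhosts.append(block)
    return vhosts

def permitted_weak(suite: str) -> list[str]:
    """Weak tokens an SSLCipherSuite string still enables ('!' excludes, '+' keeps)."""
    return [tok for piece in suite.split(":") if not piece.startswith("!")
            for tok in piece.lstrip("+").split("+") if tok in WEAK_TOKENS]

def lint(conf: str) -> list[str]:
    """Check each port-443 vhost for the problems discussed in the thread."""
    findings, names_per_addr = [], {}
    for vh in parse_vhosts(conf):
        addr = vh["addr"][0]
        if not addr.endswith(":443"):
            continue
        if [v.lower() for v in vh.get("SSLEngine", [])] != ["on"]:
            findings.append(f"{addr}: SSLEngine is not on, port 443 would speak plain HTTP")
        if "fastcgi-script" not in vh.get("SetHandler", []):
            findings.append(f"{addr}: no SetHandler fastcgi-script, RT shows 'You're almost there'")
        for suite in vh.get("SSLCipherSuite", []):
            if weak := permitted_weak(suite):
                findings.append(f"{addr}: SSLCipherSuite still permits {weak}")
        names_per_addr.setdefault(addr, set()).update(vh.get("ServerName", []))
    for addr, names in names_per_addr.items():
        if len(names) > 1:  # pre-SNI Apache cannot pick a certificate by name on one IP:port
            findings.append(f"{addr}: {len(names)} SSL ServerNames share one IP:port")
    return findings
```

Run `lint(open("/etc/apache2/sites-enabled/rt3prod.conf").read())` against a real file; an empty list means none of the thread's pitfalls were found.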
|=> -----Original Message-----
|=> From: rt-users-bounces at lists.bestpractical.com
|=> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf
|=> Of Tomasz Wlodek
|=> Sent: Monday, March 20, 2006 12:29 PM
|=> Cc: rt-users at lists.bestpractical.com
|=> Subject: [rt-users] RT with https (external authentication)
|=>
|=> Hi,
|=>
|=> I have installed RT and it works.
|=>
|=> Now I wanted to use external authentication in RT.
|=>
|=> I decided to create a virtual host which would be on port
|=> 443, so that it can be accessed via https. Then I have
|=> added the following changes to the RT configuration file:
|=>
|=> Set($WebExternalAuth , 1); (to set external authentication)
|=> Set($WebFallbackToInternalAuth , 1); (to use internal
|=> authentication when external fails)
|=> Set($WebExternalAuto , 1); (to automatically create users when
|=> external authentication is OK).
|=>
|=> Then I have defined virtual host on port 443 with the same
|=> options as the virtual host on port 80.
|=>
|=> Now I logon to RT via https... I get the following error:
|=>
|=> "You're almost there!
|=> You haven't yet configured your webserver to run RT. You
|=> appear to have installed RT's web interface correctly, but
|=> haven't yet configured your web server to "run" the RT
|=> server which powers the web interface. The next step is to
|=> edit your webserver's configuration file to instruct it to
|=> use RT's mod_perl, fastcgi or speedycgi handler. If you
|=> need commercial support, please contact us at
|=> sales at bestpractical.com."
|=>
|=> Fine, but I have already configured my www server to run
|=> mod_perl,fastcgi.
|=> It works when I connect to RT using http, not https. I do
|=> have the LoadModule fastcgi_module modules/mod_fastcgi.so
|=> in apache configuration.
|=>
|=> So what is missing? Why does RT work when called by http but
|=> not when I call it by https?
|=>
|=> Tomasz Wlodek | tel 631-344-7448
|=> Brookhaven Laboratory, Building 510M | fax 631-344-7616
|=> Upton NY 11973-5000 |
|=>