How to Proxy Pass REMOTE_USER: write your own apache module

Monday, March 22nd, 2010

The problem:

I was using mod_auth_kerb to authenticate and ProxyPass to hand the request off to another server. I’m trying to support Kerberos authentication but split the infrastructure into a proxy/app tiering using ProxyPass, because I needed the ProxyPassReverseCookieDomain directive. The problem is that I need to pass the authenticated user (i.e. the value of REMOTE_USER) along with the ProxyPass, and I found no configuration that lets me do that with mod_auth_kerb and ProxyPass.

What I tried:
I found a bunch of pages that referenced using a lookahead (LA-U:REMOTE_USER) to get the value of REMOTE_USER, set an environment variable from it, and then use the env var to set a header, say X-Forwarded-User. This didn’t seem quite right, since it is implemented at the rewrite stage (pre-authentication, hence the lookahead’s subrequest) and incurs the overhead of another subrequest to get the initial value. I tried all kinds of permutations of rewrite configs that looked something like this:

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e

http://n2.nabble.com/SSO-with-SSPI-and-SSL-LA-U-REMOTE-USER-always-null-td4086748.html et al.

In spite of the “not quite right” subrequest-to-env-var-to-header approach, I always got a value of (null) back from the lookahead, so this never even worked in combination with mod_auth_kerb (I’ve been told it does with basic auth, or with mod_auth_kerb + RewriteRule [P]). Further, it seemed inefficient to do all this subrequest-to-env-to-header work. I figured the most efficient thing to do (relative to processing the requests) would be to write a simple Apache module that sits in the module chain after auth but before proxy. Turns out it didn’t take too long to do, either.

The Solution:

I started with a tutorial at threebit.net where I just wanted to compile an Apache module and insert it into the module chain. This worked like a champ (Thanks Kevin!) and I was logging to my error_log via stderr in no time at all. After reading through some Apache code I figured out that r->user is the variable mod_auth_kerb populates with the authenticated user, and that the ap_hook_handler method was inserting this module into the chain after ProxyPass. This location in the module chain was a problem because when I turned on ProxyPass the request was being proxied before the module was executed. After a bit more docs and code reading I found ap_hook_fixups, which runs in a stage between the auth and proxy modules. So that diff would look something like this:

< ap_hook_handler(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
> ap_hook_fixups(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
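Review bot: the function registered here still carries the tutorial’s mod_tut1_method_handler name and, as a fixup at APR_HOOK_LAST, runs for every request that reaches the fixups phase, including ones on locations without auth where r->user is NULL; the body should guard the header set on r->user != NULL and return DECLINED (or OK) so the remaining fixups, and then mod_proxy, still run.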

Finally, the method_handler’s code was changed from the stderr functionality to these two lines, which use the r->user variable:

apr_table_set(r->headers_in, "X-Forwarded-User", r->user);   /* r->user was filled in by mod_auth_kerb */
apr_table_unset(r->headers_in, "Authorization");             /* never forward the client's credential */

This sets the X-Forwarded-User header to the user the proxy has authenticated and strips out the Authorization header to be sure that you’re not passing any basic auth information (passwords in clear text!) from server to server.
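As an added example (not the post’s or the tutorial’s code), here is the fixup body this post describes, with the check a practitioner would want: the client’s own X-Forwarded-User is stripped before r->user is consulted, so a location without auth cannot pass a spoofed one through to the app. The apr_table_* functions, request_rec, MAX_HDRS and the forward_user_fixup name are assumptions of this harness so the fixup can be exercised outside httpd; in the real module the types and functions come from httpd.h and apr_tables.h.

```c
#include <string.h>
#include <strings.h>

/* Minimal stand-ins for what the real module gets from httpd.h / apr_tables.h,
 * keeping the APR semantics that matter: set() replaces, unset() removes every
 * entry, keys match case-insensitively. MAX_HDRS is an assumption of this harness. */
#define DECLINED -1
#define MAX_HDRS 16
typedef struct { const char *key[MAX_HDRS]; const char *val[MAX_HDRS]; int n; } apr_table_t;
typedef struct { const char *user; apr_table_t *headers_in; } request_rec;

void apr_table_unset(apr_table_t *t, const char *key) {
    int i, j = 0;
    for (i = 0; i < t->n; i++)
        if (strcasecmp(t->key[i], key) != 0) { t->key[j] = t->key[i]; t->val[j] = t->val[i]; j++; }
    t->n = j;
}
void apr_table_set(apr_table_t *t, const char *key, const char *val) {
    apr_table_unset(t, key);
    if (t->n < MAX_HDRS) { t->key[t->n] = key; t->val[t->n] = val; t->n++; }
}
const char *apr_table_get(const apr_table_t *t, const char *key) {
    int i;
    for (i = 0; i < t->n; i++) if (strcasecmp(t->key[i], key) == 0) return t->val[i];
    return NULL;
}

/* The fixup body for the module, registered with
 *   ap_hook_fixups(forward_user_fixup, NULL, NULL, APR_HOOK_LAST);
 * so it runs after mod_auth_kerb has filled r->user and before mod_proxy. */
static int forward_user_fixup(request_rec *r) {
    /* Drop any client-supplied copy first: on a location without auth r->user
     * is NULL and a spoofed header would otherwise pass straight through. */
    apr_table_unset(r->headers_in, "X-Forwarded-User");
    if (r->user != NULL)
        apr_table_set(r->headers_in, "X-Forwarded-User", r->user);
    /* Never proxy the credential itself (basic auth = password in the clear). */
    apr_table_unset(r->headers_in, "Authorization");
    return DECLINED;                  /* let later fixups, then mod_proxy, run */
}

/* Constructed request: user is NULL for an unauthenticated location, spoofed
 * is a client-supplied X-Forwarded-User (or NULL). */
static request_rec make_req(apr_table_t *t, const char *user, const char *spoofed) {
    request_rec r; t->n = 0;
    apr_table_set(t, "Host", "app.example.internal");
    apr_table_set(t, "Authorization", "Basic cGxhY2Vob2xkZXI=");
    if (spoofed) apr_table_set(t, "X-Forwarded-User", spoofed);
    r.user = user; r.headers_in = t; return r;
}
```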

I don’t have a complete set of code anywhere for you to download at this point; hopefully, though, there’s enough here that all you’d have to do is swap a few pieces of code out, compile it (I had to update the automake stuff from the tutorial since it’s kinda old) and install it according to the tutorial’s directions.

Words of Warning:
1. Secure your app!
If you open your app up to accept X-Forwarded-User and trust that header as a source of an already-authenticated user, you must make sure that the only host that can pass that header to your app is your proxy! It would not be hard to install this custom module elsewhere (or use the lookahead stuff), slap basic auth on it and pass the header to your app, completely bypassing your authoritative authentication infrastructure.

2. This will be applied to every request on your proxy.
There is nothing in this module that limits it to a specific vhost or anything. Every request that your proxy processes will get your custom header.

Future?
A nice addition to this would be to let you configure the header name in your vhost config (ProxyUserHeader "X-Custom-Header-Name"), or even to submit a patch to mod_proxy so it’s not a separate module but built into mod_proxy (ProxyPassUserHeader "X-Custom-Header-Name"). Seems intriguing to do a bit more with it.

Tobacco Road Half-Marathon

Sunday, March 21st, 2010

Ran my first half-marathon this morning: Tobacco Road Marathon

My goal was to do it in less than 2 Hours.

Chip time: 1:45:35
Avg mile: 8:07

pretty happy with my results.

Next race this year: Riverwood Sprint Triathlon

The Hope of a Savior

Thursday, March 11th, 2010

A couple of weeks ago my church had the pleasure of Bob Kauflin visiting and teaching us. My family had a stomach bug that week so I’ve been listening to the recording. On the way into work this morning I finished it up and was really blessed by Kauflin’s message. My 10,000 ft view looks like this:

No matter what happens, a Christian always has a hope in our saviour. A saviour that has shed his blood for our sins and will return one day to take us from this life to eternal life.

No matter how rotten of a day or how grim your circumstances seem. Rejoice. Give praise to your Lord. You are living his will and your purpose is to praise him.

Bob Kauflin: Living Like A Psalmist

pdb

Wednesday, March 10th, 2010

I’m working on a feature for a project that I’m getting ready to open source. (more to come on it being open sourced when it happens) I’ve never taken the time to try and use pdb to debug a python program. I fell into a situation that seemed plausible to try it.

Found this post and was quite delighted to be able to dive right into debugging my app. Also of worth to note, the post references this link which once you have the basics of using pdb expands a little on what else you can do.

<3 pdb

Dvorak

Monday, March 8th, 2010

At work we got talking about Dvorak a little while back. I’ve been picking through this tutorial as I get time and really enjoying it. Just google Dvorak to read up on what’s so different about it. The main point I like is that people claim it reduces stress on your wrists. I figure with how much I’m on a computer it’s worth a try. I haven’t found any scientific evidence that it actually helps. Maybe I’ll get to the point of using it full time one day and have my own claim.

You can reconfigure your keyboard to use this layout regardless of its labelling. I’ve got my Fedora and Mac configured so I can swap between QWERTY and Dvorak very easily. There’s plenty of info on Google on how to set this up. Once it’s set up on a Mac, just select your layout from the keyboard notification icon near the date/time on your menu bar. On Fedora I use L-Shift+Caps Lock and it switches in and out of Dvorak. I assume you can do it on Windows too, but I don’t have a Windows machine to try it on.

Still on lesson 17 in the tutorial so I can’t really do anything with it other than the tutorial yet… but I’m sure I’ll post a blog post in dvorak when I get to that level :)

ABCD: A Basic Course in Dvorak :: http://gigliwood.com/abcd/

Loki Update

Monday, March 1st, 2010

I started a project a while ago that was managing buildbots. It was a CLI application that used sqlalchemy and func to manage buildbots across multiple machines. After some experience at work with build systems I realized that this setup was far too complex to expect someone to set up and use, and it was fairly tied to a Fedora/Red Hat infrastructure.

Well, I’ve started over. The new application is based on django and for now only installs bots on a single machine. I have plans to support a distributed configuration in the future. For now I just needed a decent interface to get some bots up and running fast.

I have also recorded a screencast to show a simple quick start. The screencast assumes you have some basic buildbot knowledge.

You can get more information, docs, the screencast and the code at https://fedorahosted.org/loki

Psalms

Friday, January 15th, 2010

Just a couple thoughts to chew on from this morning.

16 For you will not delight in sacrifice, or I would give it;
you will not be pleased with a burnt offering.
17 The sacrifices of God are a broken spirit;
a broken and contrite heart, O God, you will not despise.

Psalm 51:16-17 (ESV)

4 Blessed is the one you choose and bring near,
to dwell in your courts!
We shall be satisfied with the goodness of your house,
the holiness of your temple!

Psalm 65:4 (ESV)

Back in Time to Dec 14th

Sunday, January 3rd, 2010

I’ve been having trouble with one particular flash drive while trying to make my dad a Fedora Live USB stick. Tonight I briefly tried to fiddle with it to figure out what I was doing wrong. Not paying attention, I fdisked my laptop drive and wiped out my drive partition. Kudos to Back In Time. I had a snapshot from December 14th of all my data. Most of anything I hadn’t backed up was pushed to a code repo elsewhere, so I just reinstalled. A few additional packages, email, VPN and kerb configs later I was back in a Dec 14th state.

Back up your data!

The reason for the reason for the season

Sunday, December 27th, 2009

I’ve been reflecting this past week about Christ’s birth and how this time of the year “the reason for the season” often references Luke chapter 2. Last weekend I spent time in this passage and Romans 3:10-18, John 3:16 and Matthew 7:21-23. These last three verses are the ones God seemed to press on me at the time to depict our sin, need for a saviour, God’s love, the provision he sent and the requirement to know and follow him for salvation. In this New Testament era this gospel presentation seems like a great explanation of the reason for the reason for the season. Though, today Romans 11 was taught at church and I’ve also been preparing for leading worship at the January youth group meeting where Romans 12:1-2 will be taught. These passages seemed to open up a gospel message into some theology to chew on.

In college the phrase “what’s the therefore there for?” was burned into my brain for all eternity. Whenever I read Romans 12:1 that phrase pops into my head. Though, I hardly ever take the time to go back to Romans 11 and remind myself of it. It was nice to have just been taught on Romans 11 this morning as I was meditating on Romans 12:1 in preparation for the youth group meeting.

Enter the therefore, helping us understand God’s mercy.

25 Lest you be wise in your own sight, I want you to understand this mystery, brothers: a partial hardening has come upon Israel, until the fullness of the Gentiles has come in. 26 And in this way all Israel will be saved, as it is written,
“The Deliverer will come from Zion,
he will banish ungodliness from Jacob”;

27 “and this will be my covenant with them when I take away their sins.” 28 As regards the gospel, they are enemies of God for your sake. But as regards election, they are beloved for the sake of their forefathers. 29 For the gifts and the calling of God are irrevocable. 30 For just as you were at one time disobedient to God but now have received mercy because of their disobedience, 31 so they too have now been disobedient in order that by the mercy shown to you they also may now receive mercy. 32 For God has consigned all to disobedience, that he may have mercy on all.

33 Oh, the depth of the riches and wisdom and knowledge of God! How unsearchable are his judgements and how inscrutable his ways!

34 “For who has known the mind of the Lord,
or who has been his counselor?”
35 “Or who has given a gift to him
that he might be repaid?”

36 For from him and through him and to him are all things. To him be glory forever. Amen.

Romans 11:25-36 (ESV)

I think the meat of where we can understand the mercy 12:1 is referencing is in verses 27-32. Israel was disobedient and enemies of God so that we could receive mercy, that is, Christ’s sacrifice for our sins. Now by the mercy shown to us, because of their disobedience, they too can receive mercy for their disobedience. Christ is the reason for the season. The reason he came was not just to save sinners. The reason he came was so that God could have mercy on all (Rom 11:32).

I often get wrapped up in my sinful self-centredness. God is quick to remind me that his plan is much bigger than my simple mind can comprehend. After reminding me of this, again, a response to this understanding has been so eloquently placed just following the text at the end of chapter 11, with an appeal to begin chapter 12:

1 I appeal to you therefore, brothers, by the mercies of God, to present your bodies as a living sacrifice, holy and acceptable to God, which is your spiritual worship. 2 Do not be conformed to this world, but be transformed by the renewal of your mind, that by testing you may discern what is the will of God, what is good and acceptable and perfect.

Merry Christmas

Tobacco Road Marathon

Tuesday, December 15th, 2009

Tobacco Road Marathon is a new marathon in Cary, NC. I just signed up for the half marathon, it will be my first. Part of the route is on the American Tobacco Trail. It’s an old railway that has been re-purposed as a recreation trail in Wake and Chatham Counties in North Carolina.