httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dames, Kristopher J" <Kristopher.Da...@Mercy.Net>
Subject [users@httpd] Kerberos authentication exclusion by IP address
Date Fri, 02 Jun 2017 19:51:52 GMT
System:
RHEL 7
Apache 2.4.6

Synopsis:
My site is behind an F5 load balancer. Apache sees all requests coming from 10.10.84.8. The
F5 sends the X-Forwarded-For header containing the actual client IP address. I need to attempt
Kerberos auth for the entire site (<Location />) for internal (X-Forwarded-For header
is 10.0.0.0/8) users. This is working just fine. Apache should not even attempt Kerberos for
external (X-Forwarded-For header is anything but 10.0.0.0/8) users. It _can_ attempt it as
long as the user does not see indication that Kerberos auth failed (which it always will for
external users). Instead, the external user should be redirected to /user/login where a form
awaits for authentication.

I’ve tried many combinations of RemoteIPHeader, Require all granted, Require valid-user,
Satisfy any. I need some direction on how to handle this. Thank you in advance.


This electronic mail and any attached documents are intended solely for the named addressee(s)
and contain confidential information. If you are not an addressee, or responsible for delivering
this email to an addressee, you have received this email in error and are notified that reading,
copying, or disclosing this email is prohibited. If you received this email in error, immediately
reply to the sender and delete the message completely from your computer system.
Mime
View raw message