Installing Apache and Ucam Webauth on Centos/RHEL7
Apache is pretty easy:
|
|
Done.
Ucam Webauth
It is hosted on GitHub, but won't be much use to anyone who doesn't need to authenticate users against the University of Cambridge's single sign-on, which is called Raven.
I downloaded the SRPM from the Raven page as suggested, and compiled it. The following packages are prerequisites. I used the following Ansible task:
|
|
httpd is Apache itself. httpd-devel (which provides apxs), gcc, openssl-devel and rpm-build are required to build and package mod_ucamwebauth; they are all listed in the Ucam WebAuth install documentation. mod_ldap is required because I want to look up the users who log in and make sure they are in my organisation. The two SELinux packages (the Python bindings Ansible's SELinux modules need) are needed later.
Compiling the Source RPM
I downloaded the SRPM to a temporary directory. Should I download it to my Ansible files directory, so I know it is always going to be available? Not sure.
|
|
The SRPM seems to have been created for a previous version of Red Hat and never updated, because it expects to find the apxs utility somewhere other than where httpd-devel puts it on RHEL7. This is easily fixed by creating a symlink from the path the spec expects to the real one.
|
|
Building the SRPM creates an RPM I can install. I use the Ansible command module to do this:
|
|
And now I am ready to install it using Ansible’s yum module.
|
|
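The whole build, from prerequisites to the installed package, as an added Ansible example; it is not the post's own tasks, which are not reproduced above. It assumes that the SRPM URL is supplied in the variable ucamwebauth_srpm_url (copy it from the Raven page), that the spec looks for apxs at /usr/sbin/apxs while RHEL7's httpd-devel installs it at /usr/bin/apxs, that the built package name starts with mod_ucamwebauth, and that the two SELinux packages are the Python bindings the seboolean module documents as its requirements:

```yaml
# Added example, not the post's own tasks. Items marked ASSUMPTION are mine.
- hosts: jenkins
  become: yes
  vars:
    ucamwebauth_srpm_url: "REPLACE-WITH-SRPM-URL-FROM-RAVEN-PAGE"   # ASSUMPTION: supplied by you
    build_root: /root/rpmbuild
  tasks:
    - name: Install Apache, the build prerequisites and the SELinux Python bindings
      yum:
        name:
          - httpd
          - httpd-devel          # provides apxs
          - mod_ldap
          - gcc
          - openssl-devel
          - rpm-build
          - libselinux-python    # seboolean module requirement
          - libsemanage-python   # seboolean module requirement
        state: present

    - name: Fetch the SRPM
      get_url:
        url: "{{ ucamwebauth_srpm_url }}"
        dest: /tmp/mod_ucamwebauth.src.rpm

    # ASSUMPTION: the spec hard-codes the pre-RHEL7 apxs location.
    - name: Give the spec the apxs path it expects
      file:
        src: /usr/bin/apxs
        dest: /usr/sbin/apxs
        state: link

    # rpmbuild only creates RPMS/ once packaging succeeds, so a failed build reruns.
    - name: Rebuild the SRPM into a binary RPM
      command: rpmbuild --rebuild --define "_topdir {{ build_root }}" /tmp/mod_ucamwebauth.src.rpm
      args:
        creates: "{{ build_root }}/RPMS"

    # ASSUMPTION: the package name produced by the spec starts with mod_ucamwebauth.
    - name: Find the RPM that rpmbuild produced
      find:
        paths: "{{ build_root }}/RPMS"
        patterns: "mod_ucamwebauth*.rpm"
        recurse: yes
      register: built_rpm

    - name: Install the built package from the local file
      yum:
        name: "{{ built_rpm.files | map(attribute='path') | list }}"
        state: present
```

Using find rather than a hard-coded filename means the play does not break when the spec's version or release tag changes; the creates argument keeps the rebuild from running on every play.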
Gather required information
Now I need to configure Raven to work. As per section 3 of the install document I need to download the Raven public keys and store them in the Apache configuration. I can use Ansible’s get_url module to do this, once I have created the directory using the file module:
|
|
Now, I just need to configure Apache to use the mod_ucam_webauth module to allow authenticated users to access Jenkins as a reverse proxy. This was taken from a colleague (Thanks Abraham!), so I don’t claim to understand it.
What I do understand is that when a user accesses the website, they get sent to Raven for authentication. If they authenticate correctly, Apache looks the user up in LDAP to check that they are in the UIS (InstID=UIS) and that they are in the allowed list (just me, psh35, in the example below). Only if both checks pass is the request forwarded to the locally installed Jenkins, with the username in the X-Forwarded-User header. Jenkins can only safely trust that header if Apache overwrites any copy the client sent and Jenkins is not reachable except through this proxy.
Another important thing to remember is that mod_ucam_webauth requires a random cookie key, as per section 4 of the install guide; it is the secret used to sign the session cookie, so what actually matters is that it is unpredictable, not merely unique. uuidgen promises to create a globally unique identifier. This is amazing. The manual says:
The UUIDs generated by this library can be reasonably expected to be unique within a system, and unique across all systems. They could be used, for instance, to generate unique HTTP cookies across multiple web servers without communication between the servers, and without fear of a name clash.
libuuid is part of the util-linux package since version 2.15.1 and is available from https://www.kernel.org/pub/linux/utils/util-linux/
Amazing. Anyway, I can use that to satisfy the requirement for a random string, and it is much better than bashing the keyboard, which always seems to generate "random" strings containing "asdf"! One caveat: on Linux uuidgen defaults to a random (version 4) UUID, which carries about 122 random bits, but its time-based -t form is predictable, so pass -r explicitly to be sure of getting the random kind.
Here is how I generate the unique number:
|
|
It simply runs uuidgen, which is part of util-linux on any Linux system, and records the output. The changed_when: false lets Ansible know we aren't making any changes on the server. Note that the task runs on every play, so each run produces a new key; once it is templated into the configuration and Apache restarts, every existing session cookie signed with the old key stops validating and users have to go through Raven again.
Installing Raven and proxy configuration
Then I install the configuration with the following task:
|
|
I have a handler to restart Apache, which is what the notify does. The configuration being deployed with the ansible template module is:
|
|
So ravenkey.stdout is the key we generated earlier. ansible_hostname is the short hostname; ansible_nodename is the kernel's node name (uname -n), which on this host is the fully qualified domain name (ansible_fqdn is the fact that is defined to be the FQDN).
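The key download, the cookie key and the proxy configuration together, as an added example rather than the post's own template or Abraham's configuration. It assumes: the Raven public key is fetched from https://raven.cam.ac.uk/project/keys/pubkey2 (check its fingerprint against the one published on the Raven page after downloading); the cookie key is generated once with openssl rand and kept in a root-only file, so that re-running the play does not rotate it and log everyone out; the Lookup directory is queried at ldap://ldap.lookup.cam.ac.uk with the base ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk and the attribute instID; Jenkins listens on 127.0.0.1:8080; and the variable names and file paths are mine. ansible_fqdn is used for the ServerName because it is the fact defined to be the FQDN. The directives are standard mod_ucam_webauth, mod_authnz_ldap, mod_proxy, mod_rewrite and mod_headers:

```yaml
# Added example, not the post's own template. Items marked ASSUMPTION are mine.
- hosts: jenkins
  become: yes
  vars:
    webauth_key_dir: /etc/httpd/conf/webauth_keys
    cookie_key_file: /etc/httpd/ucamwebauth.key
    allowed_users: [psh35]          # the post's example allow-list
  tasks:
    - name: Create the directory for the Raven public key
      file:
        path: "{{ webauth_key_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0755"

    # ASSUMPTION: key URL; compare the fingerprint with the Raven page afterwards.
    - name: Download the Raven public key (pubkey2)
      get_url:
        url: https://raven.cam.ac.uk/project/keys/pubkey2
        dest: "{{ webauth_key_dir }}/pubkey2"
        mode: "0644"

    # Generate the cookie signing key once; 'creates' stops later runs rotating it.
    - name: Generate the cookie key (256 random bits, hex) if it does not exist
      shell: umask 077 && openssl rand -hex 32 > {{ cookie_key_file }}
      args:
        creates: "{{ cookie_key_file }}"

    - name: Read the key back for templating (kept out of the log)
      slurp:
        src: "{{ cookie_key_file }}"
      register: cookie_key
      no_log: true

    - name: Deploy the Raven-protected reverse proxy for Jenkins
      copy:
        dest: /etc/httpd/conf.d/jenkins-raven.conf
        owner: root
        group: root
        mode: "0600"               # contains the cookie key; httpd reads config as root
        content: |
          ServerName {{ ansible_fqdn }}
          AACookieKey "{{ cookie_key.content | b64decode | trim }}"
          AAKeyDir {{ webauth_key_dir }}

          # ASSUMPTION: Lookup LDAP base DN and attribute name.
          AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid"

          ProxyRequests Off
          ProxyPreserveHost On
          AllowEncodedSlashes NoDecode

          <Location />
            AuthType Ucam-WebAuth
            AADescription "Jenkins on {{ ansible_hostname }}"
            # Both must hold: a UIS member AND on the explicit list.
            <RequireAll>
              Require ldap-attribute instID=UIS
              Require user {{ allowed_users | join(' ') }}
            </RequireAll>

            # Never pass on a client-supplied copy of the header; set it from the
            # Apache-authenticated REMOTE_USER (LA-U = value after authentication).
            RequestHeader unset X-Forwarded-User
            RewriteEngine On
            RewriteCond %{LA-U:REMOTE_USER} (.+)
            RewriteRule .* - [E=RU:%1,NS]
            RequestHeader set X-Forwarded-User %{RU}e

            ProxyPass http://127.0.0.1:8080/ nocanon
            ProxyPassReverse http://127.0.0.1:8080/
          </Location>
      notify: restart httpd
  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted
```

The RequireAll block is what turns the two lookups into an AND; a bare pair of Require lines would be an OR, letting any UIS member in. The header is only trustworthy because Apache sets it after authentication and Jenkins is bound to loopback, so nobody can reach Jenkins with a forged X-Forwarded-User without going through this vhost.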
It doesn’t work!
So that is Apache and Raven configured. One problem: it doesn't work. I spent a couple of days looking into this, and the reason is SELinux. The default targeted policy does not allow the httpd process to open outbound network connections (the httpd_can_network_connect boolean is off). It needs this access for two reasons:
- To do the LDAP lookup.
- To do its reverse proxy job, and forward the request on to the local Jenkins installation.
To allow this to happen I found I needed to configure SELinux to allow it. Ansible can do this so long as the Python SELinux management modules are installed, which is why they were installed at the top. I suspect I wasn't the first person to have this problem: the example in the seboolean Ansible module documentation is exactly what I want to do!
|
|
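The targeted fix, as an added example (not the post's own task). It assumes RHEL7's targeted policy, which has separate booleans for LDAP (httpd_can_connect_ldap) and for relaying to web ports (httpd_can_network_relay, which covers 8080 because that port is labelled http_cache_port_t); run getsebool -a | grep httpd to confirm they exist before relying on them. The first task shows the denials to look at when something like this fails, and setting a boolean is a far narrower change than switching SELinux off:

```yaml
# Added example, not the post's task. ASSUMPTION: RHEL7 targeted policy booleans.
- name: Show the AVC denials httpd has hit recently (diagnosis only)
  command: ausearch -m avc -c httpd -ts recent
  register: httpd_avc
  changed_when: false
  failed_when: false        # ausearch exits non-zero when there are no matches

- name: Allow httpd to talk to the LDAP server (nothing else)
  seboolean:
    name: httpd_can_connect_ldap
    state: yes
    persistent: yes

- name: Allow httpd to proxy to web/cache ports such as 8080 (nothing else)
  seboolean:
    name: httpd_can_network_relay
    state: yes
    persistent: yes

# The broad alternative from the seboolean docs, which permits any outbound TCP:
# - seboolean: name=httpd_can_network_connect state=yes persistent=yes
```

If the two narrow booleans are not in your policy, fall back to httpd_can_network_connect, but either way the change is persistent, auditable with getsebool, and leaves every other SELinux confinement of httpd in place.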
I had this problem when testing in a VM. I think my friendly sysadmin sees SELinux as a bit of a liability, so will switch it off on my production server.
We aren’t finished yet
I have installed Jenkins, and using Apache as a reverse proxy I can authenticate users and pass them on. I haven't done any configuration of Jenkins at all: it can still be reached directly on its own URL, bypassing the proxy, and it doesn't know that it is supposed to take the username from the header. That comes next.