Integrating Google Apps with Apache module

Recently, we’ve been using https://github.com/epotocko/apache-google-apps-sso to implement single sign-on for a lot of our Apache-based resources for Google Apps/OpenID integration. The documentation is pretty clear and discusses how to go about protecting certain URL paths, but what if you want to require authentication for the entire site?

The trick is to use a RewriteRule and mod_rewrite to basically stop Auth_memCookie from being needed for /auth/ logins, which is where the PHP code will be executed to perform the authentication. The ‘L’ flag in the RewriteRule will stop the rest of the rulesets from executing.

RewriteEngine on
RewriteRule ^/auth/(.*)$ /auth/$1 [L]

<IfModule mod_auth_memcookie.c>
    <Location />
        AuthType Cookie
        .
        .
        .
        ProxyPass http://127.0.0.1:9999/
        ProxyPassReverse http://127.0.0.1:9999/
    </Location>
</IfModule>

The ProxyPass directive proxies traffic to an internal web server host, and ProxyPassReverse rewrites Location: headers. If you are using Django, an HttpResponseRedirect() call will usually set the Location: header based on X-Forwarded-Host, but if you are not using mod_wsgi, the header may not be set correctly. ProxyPassReverse provides a way to rewrite those redirects for this reason.

The other thing is to make sure that your base URL is also set with this /auth/ path:

// Base url to protect
GApps_Session::$BASE_URL = 'https://myhost.com/auth/';

X-Forwarded-Host to X_FORWARDED_HOST in mod_wsgi..

Ever wondered how the parameters in Django’s request.META, such as X-Forwarded-Host or X-Forwarded-For, get set in the os.environ objects? The header names often get transformed entirely to upper case and the dashes get replaced by underscores (i.e. X-Forwarded-Host becomes X_FORWARDED_HOST). Most of the work gets done inside mod_wsgi.c using the wsgi_http2env() function.


static PyObject *Auth_environ(AuthObject *self, const char *group)
{
    /* ... */
    PyDict_SetItemString(vars, wsgi_http2env(r->pool, hdrs[i].key),
                         object);
    /* ... */
}

The wsgi_http2env() function basically performs this conversion to HTTP environment variables:


static char *wsgi_http2env(apr_pool_t *a, const char *w)
{
    /* sizeof("HTTP_") counts the terminating NUL: 5 + strlen(w) + 1 bytes. */
    char *res = (char *)apr_palloc(a, sizeof("HTTP_") + strlen(w));
    char *cp = res;
    char c;

    *cp++ = 'H';
    *cp++ = 'T';
    *cp++ = 'T';
    *cp++ = 'P';
    *cp++ = '_';

    /* Every non-alphanumeric character becomes '_'; the rest is upper-cased. */
    while ((c = *w++) != 0) {
        if (!apr_isalnum(c)) {
            *cp++ = '_';
        }
        else {
            *cp++ = apr_toupper(c);
        }
    }
    *cp = 0;

    return res;
}
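
The mapping is many-to-one: every non-alphanumeric character becomes an underscore, so X-Forwarded-Host and X_Forwarded_Host land under the same environ key and the application cannot tell which one it is reading. The stand-alone C program below is an added example, not code from mod_wsgi or from the original post; http2env() reproduces the function above with malloc() and <ctype.h> in place of the APR calls, and count_env_collisions() and the header list are hypothetical, constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port of the mapping above; malloc() and <ctype.h> stand in for the APR calls. */
char *http2env(const char *w)
{
    char *res = malloc(sizeof("HTTP_") + strlen(w));
    if (res == NULL)
        return NULL;
    char *cp = strcpy(res, "HTTP_") + 5;
    for (; *w != 0; w++)
        *cp++ = isalnum((unsigned char)*w) ? (char)toupper((unsigned char)*w) : '_';
    *cp = 0;
    return res;  /* caller frees */
}

/* HTTP header names are case-insensitive: returns 1 if a and b are the same name. */
static int same_header(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b;
}

/* Hypothetical check: count pairs of distinct names that share one environ key. */
int count_env_collisions(const char *const names[], size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        char *a = http2env(names[i]);
        for (size_t j = i + 1; a != NULL && j < n; j++) {
            char *b = http2env(names[j]);
            hits += b != NULL && strcmp(a, b) == 0 && !same_header(names[i], names[j]);
            free(b);
        }
        free(a);
    }
    return hits;
}

int main(void)
{
    /* Constructed header names, not taken from a real request. */
    const char *const names[] = { "X-Forwarded-Host", "X_Forwarded_Host", "Host" };
    printf("collisions: %d\n", count_env_collisions(names, 3));
    return 0;
}
```

A non-zero count on the header names of a request is a reason for the front-end proxy to strip or reject the underscore variant before it reaches the WSGI application.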

Tricks of using the SGE2010 switch

1. Telnet to the IP address.

2. Enable the SSH server.

3. SSH into the switch.

4. Hit Ctrl-Z. You will then be dropped into the shell. Type ‘lcli’.

5. You can now access the Cisco switch using the CLI interface. To save config changes, type “copy running-config startup-config”.