config not found

[artgoldberg]

Hi Leaf guys

I'm finding that https://leaf.mssm.edu/api/config returns Not Found. I also see this in the access log:

10.254.162.92 - "" [25/May/2021:12:39:39 -0400] "GET /api/config HTTP/1.1" 404 208

It's not clear to me what aspect of the installation is incorrect. Here's the content that Apache uses:

root@omop-leaf:/data/www $ pwd
/data/www
root@omop-leaf:/data/www $ ls -l
total 20
-rw-r--r-- 1 root 1540 May 20 16:28 asset-manifest.json
drwxr-xr-x 3 root 19 May 18 12:48 images
-rw-r--r-- 1 root 3858 May 20 16:28 index.html
-rw-r--r-- 1 root 317 May 20 16:28 manifest.json
-rw-r--r-- 1 root 940 May 20 16:28 precache-manifest.a90787c92c1807eab320938f20b5afd9.js
-rw-r--r-- 1 root 1181 May 20 16:28 service-worker.js
drwxr-xr-x 4 root 27 May 18 12:48 static
drwxr-xr-x 2 root 24 May 18 12:48 styles

[ndobb]

Hmmm, @mh2727 @jprosser as Apache wizards any ideas here? My guess would be that the calls are not being reverse-proxied to the API as expected.

[mh2727]

Hi.
@artgoldberg, is it possible to look at your Apache config? That might clear up a few things. The /data/www dir you listed seems pretty standard to what we have. Perhaps we can take a look during our meeting or via email?

[artgoldberg]

Sure @mh2727 . Here it is, with IP addresses elided for security. Thanks!

Include conf.modules.d/*.conf

# Load the Shibboleth module.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

<IfModule mime_module>
    # TypesConfig points to the file containing the list of mappings from filename extension to MIME-type.
    TypesConfig /etc/mime.types

</IfModule>

# User/Group: The name (or #number) of the user/group that runs httpd.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User apache
Group apache

Listen 443
<VirtualHost *:443>

    # configured as recommended by https://wiki.shibboleth.net/confluence/display/SP3/Apache
    ServerName leaf.mssm.edu
    UseCanonicalName On
    ServerAlias www.leaf.mssm.edu
    DocumentRoot /data/www
    HostnameLookups Off
    ErrorLog logs/leaf_ssl_error_log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/leaf_access_log common

    SSLEngine on
    # a key/cert pair with a cert signed by a trusted CA
    SSLCertificateFile "/etc/pki/tls/certs/leaf.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/leaf.key"
    # SSLProtocol all -SSLv2 -SSLv3
    # SSLHonorCipherOrder on
    # SSLCipherSuite HIGH:!aNULL:!MD5:!AECDH:!ADH

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    <Location /Shibboleth.sso>
      SetHandler shib
    </Location>

    # API proxy directive, overall api doesn't require user session
    <Location /api>
        ProxyPass         http://10.95.46.180:5001/api
        ProxyPassReverse  http://10.95.46.180:5001/api

        # AG: based on http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require,
        # https://wiki.shibboleth.net/confluence/display/SP3/Apache and
        # https://www.switch.ch/aai/guides/sp/access-rules/
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
    </Location>

    # /api/user does require user session
    <Location /api/user>

        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
    </Location>

</VirtualHost>

[artgoldberg]

Hello @ndobb @mh2727 and @jprosser

I greatly appreciate your expert and productive debugging help today!

The good news is that since I'm now part of both the users and admins group, Leaf runs.

The strange news is that Apache doesn't force a leaf user to login, and instead fails:

But if I separately login to the SAML Identity Provider, then Leaf runs, presumably because the login sets cookies & browser tabs share cookies. I presume that fixing this involves Apache and perhaps shibboleth configuration.

Arthur

[mh2727]

@artgoldberg, glad to hear things are starting to workout. Always happy to help.

One note I have regarding the login issue is that when comparing your Apache config to ours, I am noticing that you are missing the <Location /> tag. Would you mind adding it and trying it out?

Here's what we have:

<Location />
     <RequireAny>
       AuthType shibboleth
       ShibRequireSession On
       ShibUseHeaders On
       Require shibboleth
     </RequireAny>
</Location>

If this works, please let us know. Otherwise, we can troubleshoot elsewhere regarding that.

--
Mehadi Hassan

[ndobb]

This should force login when users go to /, which is the React client app. Hopefully once that's in place, the Shib headers will be present when the user calls /api/user, solving the issue.

[artgoldberg]

Thanks @ndobb and @mh2727
I find that adding the block below in the virtual host in httpd.conf works:

# enforce session on all pages
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession true
    require shib-session
</Location>

Happy to complete this before vacation.
Arthur

[jprosser]

@artgoldberg You might opt for using shib-user but only if you have your REMOTE_USER populated with a valid attribute as discussed earlier regarding your shibboleth2.xml and nameid. shib-user will require REMOTE_USER as opposed to shib-session which will not require any attributes at all and in that case Leaf won't be able to setup a user. This could only happen in a federated environment though as you (I assume) will always get the user details needed from your login provider (AzureAD I think?) but this could guarantee that assumption.

[artgoldberg]

Thanks @jprosser ; we did today.