[SOLVED] mod_auth + mod_proxy problems

Added by jbaans over 5 years ago

Hi there,

I am trying to let lighty do the encryption and authentication for a local mqtt broker which runs a websockets service, however mod_auth seems to not let my browser talk to the broker.

Running a Raspberry Pi Zero with Arch ARM (Linux 4.14.67-1-ARCH armv6l), with mosquitto mqtt broker (websockets, no authentication required, on port 9003), firewall disabled and configured lighty (lighttpd/1.4.50 (ssl)) according to your mod_auth and mod_proxy documents to serve a javascript mqtt websockets client.
I've been banging my head against the wall for over a week now not being able to figure out why requiring authentication makes the page load after authentication but makes the mqtt connection fail (401 not authorised). This happens both on Firefox and Safari. Please help!

Here are relevant log entries (fake names):

mod_auth disabled with [ include "conf.d/auth.conf" ] commented out, connection to mqtt broker works:

Sep 05 13:59:24 archarm lighttpd[660]: 192.168.1.5 192.168.1.23 - [05/Sep/2018:13:59:24 +0200] "GET / HTTP/1.1" 200 3251 "-" 
Sep 05 13:59:24 archarm lighttpd[660]: 192.168.1.5 192.168.1.23 - [05/Sep/2018:13:59:24 +0200] "GET /css/stylesheet.css HTTP/1.1" 200 1657 "http://192.168.1.23/" 
Sep 05 13:59:26 archarm lighttpd[660]: 192.168.1.5 192.168.1.23 - [05/Sep/2018:13:59:26 +0200] "GET /favicon.ico HTTP/1.1" 404 345 "-" 
Sep 05 14:00:15 archarm lighttpd[660]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:00:15 +0200] "GET /mqtt HTTP/1.1" 101 664 "-" 

mod_auth enabled, getting not authorised (401) and sending to mqtt broker does not work:

Sep 05 14:21:15 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 - [05/Sep/2018:14:21:15 +0200] "GET / HTTP/1.1" 401 351 "-" 
Sep 05 14:21:26 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 archarm [05/Sep/2018:14:21:26 +0200] "GET / HTTP/1.1" 200 3251 "-" 
Sep 05 14:21:26 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 archarm [05/Sep/2018:14:21:26 +0200] "GET /scripts/mqtt-client.js HTTP/1.1" 200 3032 "http://192.168.1.23/" 
Sep 05 14:21:27 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:27 +0200] "GET /mqtt HTTP/1.1" 401 351 "-" 
Sep 05 14:21:27 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:27 +0200] "GET /mqtt HTTP/1.1" 401 351 "-" 
Sep 05 14:21:42 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:42 +0200] "GET /mqtt HTTP/1.1" 401 351 "-" 
Sep 05 14:21:42 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:42 +0200] "GET /mqtt HTTP/1.1" 401 351 "-" 

Here is my configuration:

lighttpd.conf

server.port        = 80
server.username        = "http" 
server.groupname    = "http" 
server.document-root    = "/srv/http" 
dir-listing.activate    = "disable" 
index-file.names    = ( "index.php" )
mimetype.assign        = (
                ".html" => "text/html",
                ".txt" => "text/plain",
                ".css" => "text/css",
                ".js" => "application/x-javascript",
                ".jpg" => "image/jpeg",
                ".jpeg" => "image/jpeg",
                ".gif" => "image/gif",
                ".png" => "image/png",
                "" => "application/octet-stream",
            )

server.modules         += ( "mod_redirect", "mod_openssl", "mod_access", "mod_accesslog", )

accesslog.use-syslog         = "enable" 

# deny access to private dir
$HTTP["url"] =~ "^/private/" {
    url.access-deny = ( "" )
}

# require authentication
include "conf.d/auth.conf" 

# forward to mosquitto server
include "conf.d/forward.conf" 

# enable fastcgi
include "conf.d/fastcgi.conf" 

auth.conf:

server.modules += ( "mod_auth", "mod_authn_file" )
auth.backend                    = "htdigest" 
auth.backend.htdigest.userfile  = "/etc/lighttpd/lighttpd.user" 

auth.require = ( "" =>
                 (
                   "method"  => "digest",
                   "realm"   => "Login required",
                   "require" => "user=archarm" 
                 )
               )


forward.conf:

server.modules += ( "mod_proxy" )

# forward mqtt traffic
$SERVER["socket"] == ":9001" {
   proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "9003" ) ) )
   proxy.header = ( "upgrade" => "enable" )
}

Any pointers much appreciated,
JB


Replies (1)

RE: mod_auth + mod_proxy problems - Added by jbaans over 5 years ago

In reply to myself, after enabling all debug logging options, I could see the "GET /mqtt HTTP/1.1" request did not include Authorization headers, so it got a response 401 Not Authorized as expected with Digest Authorization, but then no second request was done to actually do the authentication and thus the request would not be authorized after all.
This makes me blame the PAHO MQTT JS plugin for not handling digest authorization.
(edited to clarify)
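
A way to spot this failure mode from the access log alone, as an added example that is not part of the original thread: it groups log lines by client, socket and path, and reports endpoints that answered with 401 challenges but never saw a request carrying an authenticated user. It assumes the accesslog layout seen in the post, where the third field after the `lighttpd[pid]:` prefix is the authenticated user or `-`; the sample lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Sample input: the "mod_auth enabled" access-log lines quoted in the post.
SAMPLE_LOG = """\
Sep 05 14:21:15 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 - [05/Sep/2018:14:21:15 +0200] "GET / HTTP/1.1" 401 351 "-"
Sep 05 14:21:26 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 archarm [05/Sep/2018:14:21:26 +0200] "GET / HTTP/1.1" 200 3251 "-"
Sep 05 14:21:26 archarm lighttpd[678]: 192.168.1.5 192.168.1.23 archarm [05/Sep/2018:14:21:26 +0200] "GET /scripts/mqtt-client.js HTTP/1.1" 200 3032 "http://192.168.1.23/"
Sep 05 14:21:27 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:27 +0200] "GET /mqtt HTTP/1.1" 401 351 "-"
Sep 05 14:21:27 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:27 +0200] "GET /mqtt HTTP/1.1" 401 351 "-"
Sep 05 14:21:42 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:42 +0200] "GET /mqtt HTTP/1.1" 401 351 "-"
Sep 05 14:21:42 archarm lighttpd[678]: 192.168.1.5 192.168.1.23:9001 - [05/Sep/2018:14:21:42 +0200] "GET /mqtt HTTP/1.1" 401 351 "-"
"""

# Assumed field order (taken from the lines above): client, host[:port], user.
LINE_RE = re.compile(
    r'lighttpd\[\d+\]: (?P<client>\S+) (?P<host>\S+) (?P<user>\S+) '
    r'\[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def unanswered_challenges(log_text):
    """Return {(client, host, path): count_of_401} for endpoints that sent
    401 challenges but never logged a request with an authenticated user."""
    challenges = defaultdict(int)
    authenticated = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a lighttpd access-log line in the assumed layout
        key = (m["client"], m["host"], m["path"])
        if m["user"] != "-":
            authenticated.add(key)      # client retried with valid credentials
        elif m["status"] == "401":
            challenges[key] += 1        # challenge sent, no credentials seen
    return {k: n for k, n in challenges.items() if k not in authenticated}


if __name__ == "__main__":
    for (client, host, path), n in unanswered_challenges(SAMPLE_LOG).items():
        print(f"{client} -> {host}{path}: {n} challenges, no authenticated retry")
```

An endpoint that shows up here is being challenged correctly by mod_auth while the client never completes the digest handshake, which matches the diagnosis in the reply.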
