
To authenticate users for our applications, I have a setup which can be represented with the following diagram:

[Diagram: reverse proxy with OpenSSO Enterprise agents; image used from Oracle OpenSSO documentation]

I have a server with OpenAM running on it (OpenSSO Enterprise in the diagram), have several client servers and use an Apache2 (HTTPD) server as a reverse proxy with two agent configurations. I have a functional flow of authentication and redirection using the following virtual host configuration:

<VirtualHost *:443>
    AmAgent On
    AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf

    ProxyPreserveHost On
    ProxyPass /application1 https://server1.com:10443/application1
    ProxyPassReverse /application1 https://server1.com:10443/application1
</VirtualHost>

I connect to https://reverseproxy.com/application1, redirect for OpenAM authentication and get redirected to my landing page on server1.com after logging in. I also have a secondary configuration (agent_2) which does its correct authorization, based on the policy profile configured in OpenAM.

My issue arises when wanting to configure two different OpenAM configurations on two different ProxyPass/ProxyPassReverse instances. The snippet above uses the AmAgentConf on everything within the virtual host listening on port 443. But I want two applications, both reachable on the same reverse proxy URL, to use the correct agent configuration. Ideally, I'd like something like the following:

<VirtualHost *:443>
    ProxyPreserveHost On

    ProxyPass /application1 https://server1.com:10443/application1
    ProxyPassReverse /application1 https://server1.com:10443/application1

    ProxyPass /application2 https://server2.com:443/application2
    ProxyPassReverse /application2 https://server2.com:443/application2

    <Proxy "https://server1.com:10443/*">
        AmAgent On
        AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
    </Proxy>

    <Proxy "https://server2.com:443/*">
        AmAgent On
        AmAgentConf /opt/web_agents/apache24_agent/bin/../instances/agent_2/config/agent.conf
    </Proxy>
</VirtualHost>

But AmAgent and AmAgentConf are not allowed within the <Proxy/> directive.

centos httpd[1238]: AH00526: Syntax error on line 28 of /etc/httpd/conf.d/default-site.conf:
centos httpd[1238]: AmAgent not allowed here

I've read the OpenAM documentation about configuring OpenAM on virtual hosts, but I'm not configuring two separate DocumentRoots. The applications aren't on Apache itself, it just forwards.

I'm probably able to listen on two separate ports (e.g. 443 and 444) and configure the agent based on the port. But that's just ridiculous. It seems like a common issue, but my configuration just won't cooperate.

So in essence, how do you configure two (or more) proxied applications to use an alternative agent configuration?

Jaims
  • 111

0 Answers