[users at bb.net] How do you pass through authentication from Apache?

Chris Spencer chrisspen at gmail.com
Wed Feb 15 20:46:55 UTC 2017


I think the fix was to simply add:

        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set REMOTE_USER %{RU}e

to my <Location/> section. Now Buildbot shows I'm logged in, although none
of the other content changes.

On Wed, Feb 15, 2017 at 3:12 PM, Chris Spencer <chrisspen at gmail.com> wrote:

> Ok, now I understand. So Buildbot *will* always show a login form
> regardless of auth method used, which is what I'm seeing. I misread what
> you said earlier. Yes, Apache will block the request if basic auth fails. I
> was asking how Buildbot by itself should behave, and I thought you meant
> Buildbot wouldn't render anything when using RemoteUserAuth().
>
> Buildbot and Apache seem to be working just fine on their own. Buildbot's
> running builds and Apache's authenticating and passing me through to
> Buildbot. The problem is Buildbot's either ignoring or not receiving the
> REMOTE_USER header from Apache. For reference, this is my non-working
> Apache config:
>
> <VirtualHost *:80>
>
>     <Location />
>         AuthType Basic
>         AuthName "Buildbot"
>         AuthUserFile /usr/local/myproject/buildbot/htpasswd
>         Require valid-user
>     </Location>
>
>     <Location /ws>
>       ProxyPass ws://127.0.0.1:8010/ws
>       ProxyPassReverse ws://127.0.0.1:8010/ws
>     </Location>
>
>     ProxyPass /ws !
>     ProxyPass / http://127.0.0.1:8010/
>     ProxyPassReverse / http://127.0.0.1:8010/
>
> </VirtualHost>
>
> I'll ask for help on one of the StackExchange sites.
>
> Thanks for your help.
>
>
>
> On Wed, Feb 15, 2017 at 12:51 PM, Pierre Tardy <tardyp at gmail.com> wrote:
>
>>
>> It won't show a login form if apache is correctly configured as there
>> should be no way to pass through apache if you are not authenticated.
>>
>> As the auth code is shared with all the other authentication mechanisms,
>> and is already complex enough, there is nothing in the UI that manages that
>> case.
>> In that case of apache misconfiguration, it will just show the login form.
>>
>> Pierre
>>
>> On Wed, Feb 15, 2017 at 18:29, Chris Spencer <chrisspen at gmail.com> wrote:
>>
>>> I'm still confused. You said if I used RemoteUserAuth, Buildbot won't
>>> show a login form, but it is. Even if Apache isn't correctly passing
>>> through the username, should that not be happening? Does Buildbot render a
>>> login form for anonymous users, regardless of the auth method?
>>>
>>> On Wed, Feb 15, 2017 at 12:01 PM, Pierre Tardy <tardyp at gmail.com> wrote:
>>>
>>> From what I see, the buildbot config looks good.
>>>
>>> I guess the issue you have is more about how to configure apache to
>>> enforce authentication of a proxy.
>>>
>>> Perhaps you can get more help in an apache forum.
>>>
>>> Pierre
>>>
>>> On Wed, Feb 15, 2017 at 17:55, Chris Spencer <chrisspen at gmail.com> wrote:
>>>
>>> The example Apache config doesn't include basic auth. I'm unfamiliar
>>> with using websockets and basic auth together. How would I do that? Would I
>>> add the auth settings to the <Location /ws> section or a separate <Location
>>> /> section?
>>>
>>> On Wed, Feb 15, 2017 at 11:09 AM, Pierre Tardy <tardyp at gmail.com> wrote:
>>>
>>> The goal of RemoteUserAuth is to disable completely the login UI of
>>> buildbot, and let apache handle the authentication alone.
>>>
>>> Buildbot will get a header from Apache telling it which user is actually
>>> logged in.
>>>
>>> If you configured your apache correctly, you should never achieve to get
>>> the buildbot UI unless you get a browser-based login prompt.
>>> Require valid-user is, if I understand correctly, what is needed to
>>> implement such a thing.
>>>
>>> Also, please note that apache requires a specific configuration to allow
>>> websocket to work correctly:
>>> http://docs.buildbot.net/latest/manual/cfg-www.html#reverse-proxy-configuration
>>>
>>>
>>>
>>> On Wed, Feb 15, 2017 at 17:02, Chris Spencer <chrisspen at gmail.com> wrote:
>>>
>>> I'm not sure I understand. Anonymous users can definitely still see the
>>> site from Apache in 0.9.*. I'm looking at my Buildbot server right now as
>>> an anonymous user. It seems to hide a lot of details for anonymous users,
>>> but it's still rendering the basic site, listing builders and recent
>>> builds. By "show no output" I mean it should only render a login page and
>>> nothing else if the user is not authenticated.
>>>
>>> I tried the util.RemoteUserAuth but it doesn't seem to do anything.
>>> Buildbot still requires I log in via the on-screen user login dropdown, and
>>> ignores the basic HTTP login I give to Apache.
>>>
>>> Oddly, it also seems to ignore util.HTPasswdAuth(). If I enter a
>>> username/password that I added to my htpasswd file into Buildbot's login
>>> form, Buildbot still won't let me log in through its web interface. Is there
>>> some trick to getting an htpasswd file to work with Buildbot? There are no
>>> errors reported in the twistd.log.
>>>
>>> This is my Apache config:
>>>
>>>     <VirtualHost *:80>
>>>
>>>         ProxyPass / http://127.0.0.1:8010/
>>>
>>>         <Location />
>>>             AuthType Basic
>>>             AuthName "Buildbot"
>>>             AuthUserFile /usr/local/myproject/src/buildbot/htpasswd
>>>             Require valid-user
>>>         </Location>
>>>
>>>     </VirtualHost>
>>>
>>>
>>> On Wed, Feb 15, 2017 at 3:50 AM, Pierre Tardy <tardyp at gmail.com> wrote:
>>>
>>> Hi Chris,
>>> What you are looking for is the RemoteUserAuth plugin
>>> http://buildbot.readthedocs.io/en/latest/manual/cfg-www.html#buildbot.www.auth.RemoteUserAuth
>>>
>>> There is no more support for combination useHttpHeader + HTPasswdAprAuth,
>>> which allowed apache authentication + anonymous access.
>>> I am not sure exactly if this is what you mean by "show no output to an
>>> anonymous user"
>>>
>>> Pierre
>>>
>>> On Wed, Feb 15, 2017 at 07:21, Chris Spencer <chrisspen at gmail.com> wrote:
>>>
>>> In 0.8.*, I was using http authentication in Apache to collect the
>>> username/password and pass that through to Buildbot. I was doing that with:
>>>
>>>     authz_cfg=authz.Authz(
>>>         auth=auth.HTPasswdAprAuth('.htpasswd'),
>>>         useHttpHeader=True,
>>>         ...
>>>     )
>>>
>>> However, in 0.9.*, there doesn't appear to be a HTPasswdAprAuth class or
>>> a useHttpHeader option. Is there still a way to set up this type of
>>> authentication?
>>>
>>> My goal is to show no output to an anonymous user.
>>>
>
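
The setup this thread arrives at, as an added example that is not part of the original messages: the non-working virtual host quoted above with the four rewrite/header lines from the top message placed in its <Location /> section. It assumes Buildbot listens only on 127.0.0.1:8010 and uses util.RemoteUserAuth(), so no request reaches it without passing Apache's authentication.

```apache
# Added example (not from the original thread).
# Modules used: mod_auth_basic, mod_authn_file, mod_rewrite, mod_headers,
# mod_proxy, mod_proxy_http, mod_proxy_wstunnel.
#
# Assumption: the Buildbot master is bound to loopback only, e.g. a www port
# of "tcp:8010:interface=127.0.0.1", so a client cannot connect to port 8010
# directly and hand Buildbot a REMOTE_USER header of its own choosing.
<VirtualHost *:80>

    # <Location /> also covers /ws, so the websocket endpoint is behind the
    # same Basic auth as the rest of the UI.
    <Location />
        AuthType Basic
        AuthName "Buildbot"
        AuthUserFile /usr/local/myproject/buildbot/htpasswd
        Require valid-user

        # Look ahead to the user name the auth phase will produce and copy
        # it into the environment variable RU.
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1,NS]

        # "set" replaces any REMOTE_USER header sent by the client, so the
        # value Buildbot receives is always the one Apache authenticated.
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

    <Location /ws>
        ProxyPass ws://127.0.0.1:8010/ws
        ProxyPassReverse ws://127.0.0.1:8010/ws
    </Location>

    # Keep /ws out of the plain HTTP proxy rule below.
    ProxyPass /ws !
    ProxyPass / http://127.0.0.1:8010/
    ProxyPassReverse / http://127.0.0.1:8010/

</VirtualHost>
```

Buildbot trusts whatever arrives in the REMOTE_USER header, so the loopback binding and the header overwrite are what make the proxy the only source of identity.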