DranSCADA Help
DranSCADA documentation / Authentication / Auth Proxy

Auth Proxy Authentication

You can configure DranSCADA to let a HTTP reverse proxy handling authentication. Popular web servers have a very extensive list of pluggable authentication modules, and any of them can be used with the AuthProxy feature. Below we detail the configuration options for auth proxy.

[auth.proxy]
# Defaults to false, but set to true to enable this feature
enabled = true
# HTTP Header name that will contain the username or email
header_name = X-WEBAUTH-USER
# HTTP Header property, defaults to `username` but can also be `email`
header_property = username
# Set to `true` to enable auto sign up of users who do not exist in DranSCADA DB. Defaults to `true`.
auto_sign_up = true
# Define cache time to live in minutes
# If combined with DranSCADA LDAP integration it is also the sync interval
sync_ttl = 60
# Limit where auth proxy requests come from by configuring a list of IP addresses.
# This can be used to prevent users spoofing the X-WEBAUTH-USER header.
# Example `whitelist = 192.168.1.1, 192.168.1.0/24, 2001::23, 2001::0/120`
whitelist =
# Optionally define more headers to sync other user attributes
# Example `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL Groups:X-WEBAUTH-GROUPS`
headers =
# Check out docs on this for more details on the below setting
enable_login_token = false

Making Apache’s auth work together with DranSCADA’s AuthProxy

I’ll demonstrate how to use Apache for authenticating users. In this example we use BasicAuth with Apache’s text file based authentication handler, i.e. htpasswd files. However, any available Apache authentication capabilities could be used.

Apache BasicAuth

In this example we use Apache as a reverse proxy in front of DranSCADA. Apache handles the Authentication of users before forwarding requests to the DranSCADA backend service.

Apache configuration

    <VirtualHost *:80>
        ServerAdmin webmaster@authproxy
        ServerName authproxy
        ErrorLog "logs/authproxy-error_log"
        CustomLog "logs/authproxy-access_log" common

        <Proxy *>
            AuthType Basic
            AuthName DranSCADAAuthProxy
            AuthBasicProvider file
            AuthUserFile /etc/apache2/dranscada_htpasswd
            Require valid-user

            RewriteEngine On
            RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
            RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
        </Proxy>

        RequestHeader unset Authorization

        ProxyRequests Off
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/
    </VirtualHost>

  • The first four lines of the virtualhost configuration are standard, so we won’t go into detail on what they do.

  • We use a <proxy> configuration block for applying our authentication rules to every proxied request. These rules include requiring basic authentication where user:password credentials are stored in the /etc/apache2/dranscada_htpasswd file. This file can be created with the htpasswd command.

    • The next part of the configuration is the tricky part. We use Apache’s rewrite engine to create our X-WEBAUTH-USER header, populated with the authenticated user.

      • RewriteRule . - [E=PROXY_USER:%{LA-U:REMOTE_USER}, NS]*: This line is a little bit of magic. What it does, is for every request use the rewriteEngines look-ahead (LA-U) feature to determine what the REMOTE_USER variable would be set to after processing the request. Then assign the result to the variable PROXY_USER. This is necessary as the REMOTE_USER variable is not available to the RequestHeader function.

      • RequestHeader set X-WEBAUTH-USER “%{PROXY_USER}e”: With the authenticated username now stored in the PROXY_USER variable, we create a new HTTP request header that will be sent to our backend DranSCADA containing the username.

  • The RequestHeader unset Authorization removes the Authorization header from the HTTP request before it is forwarded to DranSCADA. This ensures that DranSCADA does not try to authenticate the user using these credentials (BasicAuth is a supported authentication handler in DranSCADA).

  • The last 3 lines are then just standard reverse proxy configuration to direct all authenticated requests to our DranSCADA server running on port 3000.

Full walkthrough using Docker.

  • Create a file dranscada.ini with the following contents
[users]
allow_sign_up = false
auto_assign_org = true
auto_assign_org_role = Editor

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

Launch the DranSCADA container, using our custom dranscada.ini to replace /etc/dranscada/dranscada.ini. We don’t expose any ports for this container as it will only be connected to by our Apache container.

docker run -i -v $(pwd)/dranscada.ini:/etc/dranscada/dranscada.ini --name dranscada dranscada/dranscada

Apache Container

  • Create a file httpd.conf with the following contents
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
ServerAdmin you@example.com
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
ErrorLog /proc/self/fd/2
LogLevel error
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog /proc/self/fd/1 common
</IfModule>
<Proxy *>
    AuthType Basic
    AuthName DranSCADAAuthProxy
    AuthBasicProvider file
    AuthUserFile /tmp/htpasswd
    Require valid-user
    RewriteEngine On
    RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
    RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass / http://dranscada:3000/
ProxyPassReverse / http://dranscada:3000/

  • Create a htpasswd file. We create a new user anthony with the password password

    htpasswd -bc htpasswd anthony password

  • Launch the httpd container using our custom httpd.conf and our htpasswd file. The container will listen on port 80, and we create a link to the dranscada container so that this container can resolve the hostname dranscada to the DranSCADA container’s IP address.

    docker run -i -p 80:80 --link dranscada:dranscada -v $(pwd)/httpd.conf:/usr/local/apache2/conf/httpd.conf -v $(pwd)/htpasswd:/tmp/htpasswd httpd:2.4

Use dranscada.

With our DranSCADA and Apache containers running, you can now connect to http://localhost/ and log in using the username/password we created in the htpasswd file.

With enable_login_token set to true DranSCADA will, after successful auth proxy header validation, assign the user a login token and cookie. You only have to configure your auth proxy to provide headers for the /login route. Requests via other routes will be authenticated using the cookie.

Use settings login_maximum_inactive_lifetime_days and login_maximum_lifetime_days under [auth] to control session lifetime. Read more about login tokens