A SAML 2.0 authentication module for the Apache Httpd Server

Repository contents (file, last commit message, commit date):

- ``tests``: Fix git repo used to pull gating tests (2021-06-29 07:42:25 -05:00)
- ``.gitignore``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``10-auth_mellon.conf``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``0001-Prevent-redirect-to-URLs-that-begin-with.patch``: Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs (2021-08-24 13:48:25 +02:00)
- ``auth_mellon.conf``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``gating.yaml``: Enable gating for RHEL9. (2021-06-28 16:35:42 -05:00)
- ``mellon_create_metadata.sh``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``mod_auth_mellon.conf``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``mod_auth_mellon.spec``: Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs (2021-08-24 13:48:25 +02:00)
- ``README.redhat.rst``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)
- ``sources``: RHEL 9.0.0 Alpha bootstrap (2020-10-15 19:52:16 +02:00)

Red Hat Specific mod_auth_mellon Information
============================================

This README contains information specific to Red Hat's distribution of
``mod_auth_mellon``.

Diagnostic Logging
------------------

Diagnostic logging can be used to collect run time information to help
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
the "Mellon Diagnostics" section in the Mellon User Guide for more
details.

How to enable diagnostic logging on Red Hat systems
```````````````````````````````````````````````````

Diagnostic logging adds overhead to the execution of
``mod_auth_mellon``. The code to emit diagnostic logging must be
compiled into ``mod_auth_mellon`` at build time. In addition, the
diagnostic log file may contain security-sensitive information
(such as SAML assertions and session data) which should not normally
be written to a log file. If you have a version of ``mod_auth_mellon``
which was built with diagnostics, you can disable diagnostic logging
via the ``MellonDiagnosticsEnable`` configuration directive. However,
given human nature, the risk of enabling diagnostic logging while
resolving a problem and then forgetting to disable it is not a
situation that should exist by default. Therefore, given the overhead
consideration and the desire to avoid enabling diagnostic logging by
mistake, the Red Hat ``mod_auth_mellon`` RPMs ship with two versions
of the ``mod_auth_mellon`` Apache module:

1. The ``mod_auth_mellon`` RPM contains the normal Apache module
   ``/usr/lib*/httpd/modules/mod_auth_mellon.so``

2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
   version of the Apache module
   ``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``

Because each version of the module has a different file name, both the
normal and diagnostic modules can be installed simultaneously without
conflict, but Apache will only load one of the two. Which module is
loaded is controlled by the
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file, which
contains a line that looks like this::

    LoadModule auth_mellon_module modules/mod_auth_mellon.so

To load the diagnostics version of the module you need to change the
module name so it looks like this::

    LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so

**Don't forget to change it back again when you're done debugging.**

You'll also need to enable the collection of diagnostic information.
To do this, add the following directive at the top of your Mellon
conf.d config file or inside your virtual host config (diagnostics are
enabled per server instance)::

    MellonDiagnosticsEnable On

.. NOTE::
   Some versions of the Mellon User Guide have a typo in the name of
   this directive: they incorrectly use ``MellonDiagnosticEnable``
   instead of ``MellonDiagnosticsEnable``. The difference is that
   "Diagnostics" is plural.

The Apache ``error_log`` will contain a message indicating how it
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
standard module without diagnostics you'll see a message like this::

    MellonDiagnosticsEnable has no effect because Mellon was not
    compiled with diagnostics enabled, use
    ./configure --enable-diagnostics at build time to turn this
    feature on.

If you've loaded the diagnostics version of the module you'll see a
message in the ``error_log`` like this::

    mellon diagnostics enabled for virtual server *:443
    (/etc/httpd/conf.d/my_server.conf:7)
    ServerName=https://my_server.example.com:443, diagnostics
    filename=logs/mellon_diagnostics
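The procedure above (switch the ``LoadModule`` line, restart, then confirm from the ``error_log`` which module actually reported on ``MellonDiagnosticsEnable``) is easy to get wrong in the direction the README warns about: leaving the diagnostics module loaded after debugging. The following POSIX shell helpers are an added example and are not part of the Red Hat README or of ``mod_auth_mellon`` itself. They assume the file paths and log messages quoted in this README; the function names (``mellon_current_module``, ``mellon_select_module``, ``mellon_log_status``) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat README or of mod_auth_mellon):
# helpers to switch between the normal and diagnostics module variants
# and to read back from the error_log which variant httpd really loaded.
# Paths default to the ones named in the README.

MELLON_CONF="${MELLON_CONF:-/etc/httpd/conf.modules.d/10-auth_mellon.conf}"
HTTPD_ERROR_LOG="${HTTPD_ERROR_LOG:-/var/log/httpd/error_log}"

# Print "normal" or "diagnostics" depending on which .so the LoadModule
# line for auth_mellon_module in the config file $1 references.
# Prints "unknown" when no such line is present.
mellon_current_module() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*LoadModule[[:space:]]+auth_mellon_module[[:space:]]' "$conf" | head -n 1)
    case "$line" in
        *mod_auth_mellon-diagnostics.so*) echo diagnostics ;;
        *mod_auth_mellon.so*)             echo normal ;;
        *)                                echo unknown ;;
    esac
}

# Rewrite the LoadModule line in config file $1 so that it loads the
# variant $2 ("normal" or "diagnostics"). The rewrite goes through a
# temporary file and is moved into place only on success, so a failed
# sed never leaves a truncated config behind.
mellon_select_module() {
    conf="$1"
    variant="$2"
    case "$variant" in
        normal)      so="mod_auth_mellon.so" ;;
        diagnostics) so="mod_auth_mellon-diagnostics.so" ;;
        *) echo "unknown variant: $variant (use normal|diagnostics)" >&2; return 2 ;;
    esac
    tmp="$conf.tmp.$$"
    sed -E "s#^([[:space:]]*LoadModule[[:space:]]+auth_mellon_module[[:space:]]+modules/)mod_auth_mellon(-diagnostics)?\.so#\1$so#" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Classify the error_log $1 by the two messages quoted in the README:
#   diagnostics : the diagnostics module reported itself enabled
#   no-effect   : the standard module ignored MellonDiagnosticsEnable
#   silent      : neither message present (directive missing, or httpd
#                 not restarted since the config change)
mellon_log_status() {
    log="$1"
    if grep -q 'mellon diagnostics enabled for virtual server' "$log"; then
        echo diagnostics
    elif grep -q 'MellonDiagnosticsEnable has no effect' "$log"; then
        echo no-effect
    else
        echo silent
    fi
}

# Typical use, after editing and restarting httpd:
#   mellon_select_module "$MELLON_CONF" diagnostics
#   systemctl restart httpd
#   mellon_log_status "$HTTPD_ERROR_LOG"
# and, when debugging is finished:
#   mellon_select_module "$MELLON_CONF" normal
```

A cron or CI check that fails when ``mellon_current_module`` prints ``diagnostics`` on a production host is a cheap guard against the "forgot to change it back" case; ``mellon_log_status`` returning ``no-effect`` while you expect diagnostics means the ``LoadModule`` line still points at the standard module or httpd has not been restarted.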