A SAML 2.0 authentication module for the Apache Httpd Server
Red Hat Specific mod_auth_mellon Information
============================================

This README contains information specific to Red Hat's distribution of
``mod_auth_mellon``.

Diagnostic Logging
------------------

Diagnostic logging can be used to collect runtime information to help
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
the "Mellon Diagnostics" section in the Mellon User Guide for more
details.

How to enable diagnostic logging on Red Hat systems
```````````````````````````````````````````````````

Diagnostic logging adds overhead to the execution of
``mod_auth_mellon``. The code to emit diagnostic logging must be
compiled into ``mod_auth_mellon`` at build time. In addition, the
diagnostic log file may contain security-sensitive information which
should not normally be written to a log file. If you have a version of
``mod_auth_mellon`` which was built with diagnostics, you can disable
diagnostic logging via the ``MellonDiagnosticsEnable`` configuration
directive. However, given human nature, the potential to enable
diagnostic logging while resolving a problem and then forget to disable
it is not a situation that should exist by default. Therefore, given the
overhead consideration and the desire to avoid enabling diagnostic
logging by mistake, the Red Hat ``mod_auth_mellon`` RPMs ship with two
versions of the ``mod_auth_mellon`` Apache module.

1. The ``mod_auth_mellon`` RPM contains the normal Apache module
   ``/usr/lib*/httpd/modules/mod_auth_mellon.so``

2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
   version of the Apache module. It is available in the CRB repository.
   ``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``

Because each version of the module has a different name, both the
normal and diagnostic modules can be installed simultaneously without
conflict. But Apache will only load one of the two modules.
Which module is loaded is controlled by the
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file, which
contains a line that looks like this::

    LoadModule auth_mellon_module modules/mod_auth_mellon.so

To load the diagnostics version of the module, change the module name
so it looks like this::

    LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so

**Don't forget to change it back again when you're done debugging.**

You'll also need to enable the collection of diagnostic information.
Do this by adding this directive at the top of your Mellon conf.d
config file or inside your virtual host config (diagnostics are per
server instance)::

    MellonDiagnosticsEnable On

.. NOTE::

   Some versions of the Mellon User Guide have a typo in the name of
   this directive: it incorrectly uses ``MellonDiagnosticEnable``
   instead of ``MellonDiagnosticsEnable``. The difference is that
   ``Diagnostics`` is plural.

The Apache ``error_log`` will contain a message indicating how it
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
standard module without diagnostics you'll see a message like this::

    MellonDiagnosticsEnable has no effect because Mellon was not compiled with diagnostics enabled, use ./configure --enable-diagnostics at build time to turn this feature on.

If you've loaded the diagnostics version of the module you'll see a
message in the ``error_log`` like this::

    mellon diagnostics enabled for virtual server *:443 (/etc/httpd/conf.d/my_server.conf:7) ServerName=https://my_server.example.com:443, diagnostics filename=logs/mellon_diagnostics
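
A check for the failure mode this README warns about (the diagnostics module or directive left enabled after debugging), as an added example that is not part of Red Hat's README or the mod_auth_mellon project. The function names, the exit-code convention, and the assumption that all relevant configuration lives under ``conf.modules.d``, ``conf.d`` and ``conf`` of the given root are this example's own.

```shell
#!/bin/sh
# Added example: flag leftover Mellon diagnostics in an httpd config tree.
# Exit codes are this script's own convention:
#   0 = diagnostics module not loaded, directive not on
#   1 = MellonDiagnosticsEnable On, but diagnostics module not loaded (no effect)
#   2 = diagnostics module loaded, directive not on
#   3 = diagnostics module loaded AND directive on (diagnostics are written)

# True if any file has an active (non-comment) line matching the ERE.
has_active_line() {
    pattern=$1; shift
    # -q: exit 0 on a match even if a glob matched no file; -s: hide errors
    grep -Eiqs "^[[:space:]]*${pattern}" "$@"
}

mellon_diag_audit() {
    root=${1:-/etc/httpd}   # RHEL layout assumed; files Included from elsewhere are not scanned
    rc=0
    if has_active_line 'LoadModule[[:space:]]+auth_mellon_module[[:space:]]+.*mod_auth_mellon-diagnostics\.so' \
        "$root"/conf.modules.d/*.conf; then
        echo "FINDING: diagnostics build of mod_auth_mellon is loaded"
        rc=$((rc + 2))
    fi
    if has_active_line 'MellonDiagnosticsEnable[[:space:]]+On[[:space:]]*$' \
        "$root"/conf.d/*.conf "$root"/conf/*.conf; then
        echo "FINDING: MellonDiagnosticsEnable On is set"
        rc=$((rc + 1))
    fi
    return "$rc"
}

# Constructed sample tree (not a real system): the diagnostics module was
# swapped in for debugging and never swapped back.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.modules.d" "$d/conf.d"
    printf '%s\n' '#LoadModule auth_mellon_module modules/mod_auth_mellon.so' \
        'LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so' \
        > "$d/conf.modules.d/10-auth_mellon.conf"
    printf '%s\n' 'MellonDiagnosticsEnable On' > "$d/conf.d/my_server.conf"
    echo "$d"
}

sample=$(make_sample_root)
mellon_diag_audit "$sample" || echo "audit exit code: $?"
rm -rf "$sample"
```

Run against ``/etc/httpd`` (the default) from a scheduled job or a configuration-management check, any non-zero exit code means a debugging change was not fully reverted.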