Tuesday 4 October 2016

Securing Apache on OSX using mod_auth_openidc

mod_auth_openidc on OSX

I recently bought an Alexa, and thought it would be nice to hook that into my home automation mini projects.

The first thing I needed to do, therefore, was to get serious about authorization and authentication. It's for my home, so I'm happy enough to terminate SSL at the Apache boundary and then let everything in the DMZ just play together. The basic plan was to tweak my Apache to do the authorization and loop back to the authenticator if the request isn't authorized.

I came across the mod_auth_openidc project, which looked like just what the doctor ordered. Well, not quite, as it turns out.

You see, I'm on OSX, and there was no distribution available. No matter, I'm a developer, right? So I'll just build it!

Build it

git clone https://github.com/pingidentity/mod_auth_openidc.git

Let's just check the INSTALL file:

You will require development headers and tools for the following
dependencies:
 Apache (>=2.0)
 cjose (>=0.4.1)
 OpenSSL (>=0.9.8) (>=1.0.1 for Elliptic Curve support)
 Curl (>=?)
 Jansson (>=2.0) (JSON parser for C)
 pcre3 (>=?) (Regular Expressions support)
 pkg-config

Install pre-requisites

Okay, so I've got a bit more to do before configure time... no problem, let's get started.

brew install curl
brew install openssl
brew install jansson
brew install pcre

I'd better get the Apache stuff as well:

brew install apr-util
brew install apr
brew tap homebrew/apache
brew install httpd24


Oh yeah... this is a Mac, so I'd better tweak my Xcode toolchain links so apxs can find the compiler (see here):
sw_vers -productVersion | grep -E '^10\.([89]|10)' >/dev/null && bash -c "[ -d /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain ] && sudo -u $(ls -ld /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain | awk '{print $3}') bash -c 'ln -vs XcodeDefault.xctoolchain /Applications/Xcode.app/Contents/Developer/Toolchains/OSX$(sw_vers -productVersion).xctoolchain' || sudo bash -c 'mkdir -vp /Applications/Xcode.app/Contents/Developer/Toolchains/OSX$(sw_vers -productVersion).xctoolchain/usr && for i in bin include lib libexec share; do ln -s /usr/${i} /Applications/Xcode.app/Contents/Developer/Toolchains/OSX$(sw_vers -productVersion).xctoolchain/usr/${i}; done'"

Note the httpd version - this is important - I built with httpd22 initially - don't do that! It sounds like my initial thoughts on this were wrong: 2.2 should work fine (not checked, but I've been reliably informed it all works; I thought I had unknown symbols on 2.2, but I may have had other problems and come to the wrong conclusion).

And now for that cjose thing...

brew install cjose

Ah. Not present...

Oh well, I'm a developer, I'll build it...

Build pre-requisites

git clone https://github.com/cisco/cjose.git
cd cjose

Now on to building it:

./configure CFLAGS="-I/usr/local/include" --with-openssl=/usr/local/opt/openssl --with-jansson=/usr/local/opt/jansson --prefix /usr/local/opt/cjose
make
make install

Note that this installs cjose into /usr/local/opt/cjose (that's the --prefix argument to configure). This is important: you'll need that path for the mod_auth_openidc build!

Build mod_auth_openidc

Change into your mod_auth_openidc directory, then:

brew install curl
export CURL_CFLAGS=-I/usr/local/opt/curl/include
export CURL_LIBS=-L/usr/local/opt/curl/lib
./configure --with-apxs2=/usr/sbin/apxs

At this point, after doing a make, installing it into the httpd24 libexec and adding it to my config, it all went a bit wrong: symbols and things not found. No matter, I'm a developer, right... I can do this... well, after getting some help from Ping's mod_auth_openidc Google group, I settled on this.

Edit the Makefile

Change the CFLAGS and LIBS to the following (the Cellar paths carry the versions Homebrew installed for me, so adjust them to whatever versions you got):

CFLAGS=-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib -I/usr/local/opt/curl/include -I/usr/local/Cellar/jansson/2.7/include  -I/usr/local/opt/cjose/include -I/usr/local/Cellar/pcre/8.39/include  $(REDIS_CFLAGS)
LIBS=-lssl -lcrypto -lz  -L/usr/local/opt/curl/lib -lcurl -L/usr/local/Cellar/jansson/2.7/lib -ljansson  -L/usr/local/opt/cjose/lib -lcjose -L/usr/local/Cellar/pcre/8.39/lib -lpcre  $(REDIS_LIBS)

Change the install target to the following (the recipe line under install: must be indented with a tab, not spaces, or make will complain about a missing separator):
.PHONY: install
install: src/mod_auth_openidc.la
        /usr/sbin/apxs  -i -S LIBEXECDIR=/usr/local/Cellar/httpd24/2.4.23_2/libexec -n mod_auth_openidc src/mod_auth_openidc.la

Now finish the build:

make clean
make
make install
And we'd better check that all those dependencies actually resolved:
$ otool -L /usr/local/Cellar/httpd24/2.4.23_2/libexec/mod_auth_openidc.so 
/usr/local/Cellar/httpd24/2.4.23_2/libexec/mod_auth_openidc.so:
 /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
 /usr/local/opt/curl/lib/libcurl.4.dylib (compatibility version 9.0.0, current version 9.0.0)
 /usr/local/opt/cjose/lib/libcjose.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
 /usr/local/opt/jansson/lib/libjansson.4.dylib (compatibility version 12.0.0, current version 12.0.0)
 /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/local/opt/pcre/lib/libpcre.1.dylib (compatibility version 4.0.0, current version 4.7.0)
If you see that, then I think you are good to go! Now edit the httpd.conf... but we'll do that in a later blog post.
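As an added check (my example, not part of the original post or the mod_auth_openidc project): a small script that parses an otool -L listing like the one above and flags any of the INSTALL-listed libraries that did not get linked, or a libssl/libcrypto that resolved to something other than the Homebrew OpenSSL keg we pointed configure at. The embedded sample listing is the one from this post, and the file name check_openidc_deps.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a freshly built
# mod_auth_openidc.so links every library the INSTALL file lists and that
# libssl/libcrypto resolve to the Homebrew OpenSSL keg, not a system copy.
# Usage: sh check_openidc_deps.sh [path/to/mod_auth_openidc.so]
# Without an argument it checks the constructed sample below (the otool
# listing from the post) so it runs anywhere, even without otool.

SAMPLE_OTOOL='/usr/local/Cellar/httpd24/2.4.23_2/libexec/mod_auth_openidc.so:
 /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
 /usr/local/opt/curl/lib/libcurl.4.dylib (compatibility version 9.0.0, current version 9.0.0)
 /usr/local/opt/cjose/lib/libcjose.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
 /usr/local/opt/jansson/lib/libjansson.4.dylib (compatibility version 12.0.0, current version 12.0.0)
 /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
 /usr/local/opt/pcre/lib/libpcre.1.dylib (compatibility version 4.0.0, current version 4.7.0)'

# Keg the build is expected to link OpenSSL from (the --with-openssl path used for cjose).
OPENSSL_PREFIX=/usr/local/opt/openssl

# module_deps [SO]: print the otool -L listing for SO, or the sample when SO is empty.
module_deps() {
  if [ -n "$1" ]; then otool -L "$1"; else printf '%s\n' "$SAMPLE_OTOOL"; fi
}

# check_deps LISTING: return 0 when every required library is linked and
# libssl/libcrypto come from $OPENSSL_PREFIX; print one line per problem.
check_deps() {
  # otool indents dependency lines with a tab; normalise to no indent.
  listing=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
  status=0
  for lib in libssl libcrypto libcurl libcjose libjansson libpcre; do
    if ! printf '%s\n' "$listing" | grep -q "/$lib\."; then
      echo "MISSING: $lib is not linked (check CFLAGS/LIBS in the Makefile)"
      status=1
    fi
  done
  for lib in libssl libcrypto; do
    if printf '%s\n' "$listing" | grep "/$lib\." | grep -qv "^$OPENSSL_PREFIX/"; then
      echo "WRONG OPENSSL: $lib does not come from $OPENSSL_PREFIX"
      status=1
    fi
  done
  return $status
}

if check_deps "$(module_deps "$1")"; then echo "OK: all dependencies resolved"; fi
```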