TVHeadend behind apache with ldap login doesn't work with 4.0.8 anymore

Added by Sascha Hacker over 10 years ago

Hi, I have been using tvheadend since 2013.
Today I updated my NAS to a new Ubuntu version and installed a new version of tvheadend.

But my old setup doesn't work anymore.
My setup looks like this:

tvheadend 4.0.8 installed from repository
Apache/2.4.10 installed from Ubuntu repo
Samba4 4.3.0 self compiled

Now to the config that ran perfectly with tvheadend 3.4/3.9.

I want to secure my tvheadend server via LDAP and used an Apache reverse proxy.
I have created a user with no name and password, so that all users who are accepted by Apache can access tvheadend.

Now to the problem with tvheadend 4.0.8.
Apache asks me for a username and a password, and afterwards tvheadend asks me for a username and password too.
After pressing enter, for the user with no name, or entering the admin login data, the browser returns me to the Apache login, then again to the tvheadend login, and so on.

I also installed (compiled) an old version of tvheadend (3.4) on the new setup, and that works.

Does anyone have any idea how I can get this setup to run with tvheadend version 4.0.8?

Many thanks in advance

<VirtualHost *:80>

        ServerName www.tvheadend.foo.net
        ServerAlias tvheadend.foo.net
        ServerSignature Off

        RedirectMatch ^/(.*)$ https://www.tvheadend.foo.net/$1

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

</VirtualHost>

<VirtualHost *:443>
        ServerName www.tvheadend.foo.net
        ServerAlias tvheadend.foo.net
        ServerSignature Off

        # Activate SSL
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/www.tvheadend.foo.net.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.tvheadend.foo.net.key

        ProxyRequests Off
        <Proxy *>
                AuthType Basic
                AuthName "foo tvHeadend Login" 
                AuthBasicProvider ldap
                AuthLDAPURL ldap://localhost:389/DC=foo,DC=net?sAMAccountName?sub?(objectClass=*)
                AuthLDAPBindDN CN=ApacheUser,OU=ServiceUser,DC=foo,DC=net
                AuthLDAPBindPassword "testme" 
                AuthLDAPGroupAttribute member
                AuthLDAPGroupAttributeIsDN On
                require ldap-group CN=tvHeadend,OU=Sicherheitsgruppen,DC=foo,DC=net

                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass / http://localhost:9981/
        ProxyPassReverse / http://localhost:9981/
        ProxyPassReverseCookieDomain localhost www.tvheadend.foo.net
        ProxyPreserveHost On
</VirtualHost>

Replies (3)

RE: TVHeadend behind apache with ldap login doesn't work with 4.0.8 anymore - Added by Chris Bay about 10 years ago

I am new to TVheadend but I have the same issue.
I'm using TVheadend 4.0.8 on Debian 8 with a reverse Apache proxy (2.4.10).
My goal is the same as Sascha's: I want to have authentication done by the reverse proxy, and the proxy is also an SSL proxy. The proxy works nicely for many other services, but not tvheadend.
I also added an access entry to tvheadend to allow access from the same network to log in without a password (I tested it without the proxy and it worked without a password from the same network).

My reverse proxy settings (I kept the port 9981 since I need to do the same thing for 9982):

Listen 9981
<VirtualHost *:9981>

  ...
  SSL-Options
  ...

  <Location />
   AuthType Basic
   AuthBasicProvider ldap
   AuthName "Login ..." 
   AuthLDAPURL "ldaps://XXXXXXXXXXX" 
   AuthLDAPBindDN "uid=XXXXXXXXXXX" 
   AuthLDAPBindPassword XXXXXXXXXXXX
   require valid-user
   ProxyPass http://192.168.184.13:9981/
   ProxyPassReverse http://192.168.184.13:9981/
  </Location>
</VirtualHost>

When I try to access the web interface I see the same as Sascha: the proxy asks me for the password (as expected), but then TVheadend also asks for a password (not expected, since the proxy is on the same network). Entering the admin password in the TVheadend password prompt does not work, since it goes into a loop, where it will repeatedly ask for the proxy password and then for the TVheadend password.

I also checked the status log in tvheadend (logged in from a different machine), and I can see many of these entries:

2016-03-02 11:24:48.956 http: 192.168.184.14: HTTP/1.1 GET / -- 401

(Note that 192.168.184.14 is the proxy's IP)

Please let me know if more info is needed.

Any help is much appreciated!
Thanks, Chris

RE: TVHeadend behind apache with ldap login doesn't work with 4.0.8 anymore - Added by Chris Bay about 10 years ago

One more aspect I forgot to mention. When I remove all the authentication stuff in the proxy, everything works.
So I have this in the proxy:

Listen 9981
<VirtualHost *:9981>

  ...
  SSL-Options
  ...

  <Location />
   ProxyPass http://192.168.184.13:9981/
   ProxyPassReverse http://192.168.184.13:9981/
  </Location>
</VirtualHost>

So I can access TVheadend via the SSL proxy without problems and I can even log in with my admin account.

So the problem seems to be related to TVheadend getting confused by the authentication of the proxy.

RE: TVHeadend behind apache with ldap login doesn't work with 4.0.8 anymore - Added by Chris Bay about 10 years ago

Sorry for the multiple posts, but here is a partial workaround:

We can tell the proxy to hide the auth information, so that TVheadend will not see it. This allows normal users (who only log in to the proxy and don't log into tvheadend) to use the TVheadend interface. However, once we have the TVheadend web interface, it is still not possible to log in with the TVheadend admin account from there.

For the partial workaround we just need to add a single line (RequestHeader unset Authorization) to the proxy settings:

Listen 9981
<VirtualHost *:9981>

  ...
  SSL-Options
  ...

  <Location />
   AuthType Basic
   AuthBasicProvider ldap
   AuthName "Login ..." 
   AuthLDAPURL "ldaps://XXXXXXXXXXX" 
   AuthLDAPBindDN "uid=XXXXXXXXXXX" 
   AuthLDAPBindPassword XXXXXXXXXXXX
   require valid-user

   RequestHeader unset Authorization
   ProxyPass http://192.168.184.13:9981/
   ProxyPassReverse http://192.168.184.13:9981/
  </Location>
</VirtualHost>

However, this still seems to be a regression bug, since TVheadend should get along with the proxy auth.
Thanks, Chris
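
An added example, not part of the posts above and not TVheadend or Apache code: a small Python model of the login loop described in this thread and of what `RequestHeader unset Authorization` changes. The backend's behaviour (any presented Authorization header is checked against its local accounts, otherwise a passwordless network access entry applies), the /24 prefix, the address 192.168.184.77 and all user names and passwords are assumptions made for illustration.

```python
import base64
import ipaddress

def basic(user, password):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def proxy(headers, ldap_users, unset_authorization):
    """Model of the Apache <Location>: LDAP Basic auth, then forward.
    Returns (status, headers forwarded to the backend or None)."""
    if headers.get("Authorization") not in {basic(u, p) for u, p in ldap_users.items()}:
        return 401, None                      # the proxy's own login prompt
    forwarded = dict(headers)
    if unset_authorization:                   # RequestHeader unset Authorization
        forwarded.pop("Authorization", None)
    return 200, forwarded

def backend(src_ip, headers, local_users, open_network):
    """Assumed backend behaviour: a presented Authorization header is checked
    against local accounts; without one, the passwordless access entry for
    open_network applies."""
    auth = headers.get("Authorization")
    if auth is not None:
        ok = auth in {basic(u, p) for u, p in local_users.items()}
        return 200 if ok else 401
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(open_network)
    return 200 if in_net else 401

def through_proxy(headers, unset_authorization, open_network):
    """One browser request; returns (which layer answered, status)."""
    status, forwarded = proxy(headers, LDAP_USERS, unset_authorization)
    if status != 200:
        return "proxy", status
    return "backend", backend(PROXY_IP, forwarded, LOCAL_USERS, open_network)

# Constructed sample data; only the proxy IP address comes from the thread.
PROXY_IP = "192.168.184.14"
LDAP_USERS = {"alice": "ldap-pw"}
LOCAL_USERS = {"admin": "tvh-pw"}

if __name__ == "__main__":
    ldap = {"Authorization": basic("alice", "ldap-pw")}
    admin = {"Authorization": basic("admin", "tvh-pw")}
    print(through_proxy(ldap, False, "192.168.184.0/24"))   # backend rejects LDAP creds
    print(through_proxy(admin, False, "192.168.184.0/24"))  # proxy rejects local creds
    print(through_proxy(ldap, True, "192.168.184.0/24"))    # workaround: header stripped
    print(backend("192.168.184.77", {}, LOCAL_USERS, "192.168.184.0/24"))   # direct client
    print(backend("192.168.184.77", {}, LOCAL_USERS, "192.168.184.14/32"))  # entry narrowed
```

The first two calls are the loop: a request carries only one Authorization header, so credentials that satisfy one layer fail the other. The last two show that once the header is stripped the passwordless access entry is the only check left on the backend, so it should match only the proxy's address rather than the whole network.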
