libapache2-mod-auth-openidc libhiredis0.14 (0.14.1-4)

[fong1999]

Hi! I am reaching out is to ask if you have any other versions of libhiredis that we can use with libapache2-mod-auth-openidc.

We are having CVE with our httpd base image. When we upgrade to the latest version of httpd image, the CVE is disappeared. However, our app will not start. The error we are getting is related to redis. From the list that we can find, libhiredis0.14 (0.14.1-4) is the only version we can see. So we had to use the earlier version - httpd:2.4.56-debian-ff which work with libhiredis0.14.

Here is what we have currently:

apt install -y libcjose0 libapache2-mod-auth-openidc libhiredis0.14

Below is what we get:

❯ apt-cache show libapache2-mod-auth-openidc|grep Depends
Depends: libapr1 (>= 1.2.7), libaprutil1 (>= 1.4.0), libc6 (>= 2.14), libcjose0 (>= 0.4.1), libcurl4 (>= 7.16.2), libhiredis0.14 (>= 0.14.0), libjansson4 (>= 2.0.1), libpcre3, libssl3 (>= 3.0.0~~alpha1), apache2-api-20120211, apache2-bin (>= 2.4.16)

It specifically wants hiredis v0.14.0. We tried to use different version of httpd base image other than httpd:2.4.56-debian-ff. But we have not found one that works yet. In order to fix the CVE, we need to be able to find a newer version of libapache2-mod-auth-openidc that works with newer version of libhiredis.

I submitted a question with redis/hiredis#1227. They do have newer version of libhiredis. I am looking for assistance from you to find out what version of httpd and libapache2-mod-auth-openidc will work with libhiredis. Any suggestions? Thanks in advance!

Thanks,
Fong

[zandbelt]

the binaries provided in the Releases assets are for stock Debian versions and they're tested with that; we don't provide builds for all possible custom container configurations out there out of the box, you'd have to build your own binaries from scratch or get it - in a supported way - through the commercial support subscriptions via [email protected]

[fong1999]

@zandbelt Hi Thank you for your reply!

Could you please be more specific? Do you mean we need to build libapache2-mod-auth-openidc ourselves to work with latest httpd debian docker image to support higher version of libhiredis?

Thanks a lot!

[hmoffatt]

The httpd:2.4.57 image is based on Debian bookworm, and bookworm has libhiredis0.14 version 0.14.1-3 (https://packages.debian.org/bookworm/libhiredis0.14), which satisfies the dependency libhiredis0.14 (>= 0.14.0).

What is the output from the apt install command? ie what is erroring?

[fong1999]

@hmoffatt Hi! Thank you for your response!

When we use httpd 2.4.57 image, after our web app was deployed to kubernetes successfully, the app shows an internal server error on the browser. In the httpd log, it shows below:

oidc_cache_get: error retrieving value from redis cache backend for encrypted key ************

Have you seen this error before?

Thanks!

[hmoffatt]

Hi @fong1999 , I don't use the redis option so I have not seen the error, I was just interesting in the dependency problem.

Can you enable extra debug logging in Apache?

I think you should perhaps ask the libhiredis folks about the specific error you see, rather than about the versions. See: XY problem.

[fong1999]

@hmoffatt Hi! Thanks for the suggestion! I am going to update apache logLevel to debug and see. I will keep you posted. Thanks!

[fong1999]

@hmoffatt @zandbelt Hi! I compared the one that works and the one that does not work.

The one works: which does not have the same auth_openidc:warn in the logs.

[Wed Oct 04 18:56:23.817612 2023] [headers:debug] [pid 14:tid 139939530389248] mod_headers.c(890): AH01503: headers: ap_headers_error_filter()
10.0.4.91 - - [04/Oct/2023:18:56:23 +0000] "GET / HTTP/1.1" 302 519

The one does not work:

[Thu Oct 05 01:28:54.334378 2023] [headers:debug] [pid 13:tid 139912712021696] mod_headers.c(890): AH01503: headers: ap_headers_error_filter()
10.0.5.75 - - [05/Oct/2023:01:28:54 +0000] "GET / HTTP/1.1" 500 531

------------------

[Thu Oct 05 01:28:39.519430 2023] [auth_openidc:warn] [pid 13:tid 139912846239424] [client 10.0.0.230:44870] oidc_cache_get: error retrieving value from redis cache backend for encrypted key 2ZRYZOXmjp1EQ75jZJxP-_0R4fwBckT9gq25Qb6sbXU
	Line 316: [Thu Oct 05 01:30:03.786967 2023] [auth_openidc:warn] [pid 13:tid 139912821061312] [client 10.0.0.230:50304] oidc_cache_get: error retrieving value from redis cache backend for encrypted key e68Y9WirYouSAvPN8av5W89El15b62HJIh-PkxFXdBc
	Line 333: [Thu Oct 05 01:30:03.788215 2023] [auth_openidc:warn] [pid 13:tid 139912821061312] [client 10.0.0.230:50304] oidc_cache_get: error retrieving value from redis cache backend for encrypted key 2ZRYZOXmjp1EQ75jZJxP-_0R4fwBckT9gq25Qb6sbXU

Any suggestions? Thanks much!

[fong1999]

@hmoffatt Hi! I noticed that the debugging error shows:

[Thu Oct 05 01:28:39.625115 2023] [auth_openidc:error] [pid 13:tid 139912846239424] [client 10.0.0.230:44870] oidc_authenticate_user: the URL scheme (https) of the configured OIDCRedirectURI does not match the URL scheme of the URL being accessed (http): the "state" and "session" cookies will not be shared between the two!
[Thu Oct 05 01:28:39.625136 2023] [headers:debug] [pid 13:tid 139912846239424] mod_headers.c(890): AH01503: headers: ap_headers_error_filter()
10.0.0.230 - - [05/Oct/2023:01:28:39 +0000] "GET / HTTP/1.1" 500 531

The working httpd image httpd:2.4.56-debian-ff does not show this error. I checked our Azure Entra ID configuration for OIDC and apache httpd.conf, the 'OIDCRedirectURI' matches. Any ideas? Thanks1

[hmoffatt]

Do you have some http URL configured somewhere?

[fong1999]

@hmoffatt Hi! Yes, we defined it in both our Azure app registration authentication Web redirect URL section and httpd.conf file. They are the same and it works for image - httpd:2.4.56-debian-ff. Not sure why it does not work for the newer image httpd:2.4.57-debian....

Azure AD

Web Redirect URIs

https://one.xxxx.com/done

httpd.conf

OIDCRedirectURI https://one..xxxx.com/done

For httpd:2.4.57-debian, below are the version of each library.

>apt show libcjose0 libapache2-mod-auth-openidc libhiredis0.14 | grep Version

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Version: 0.6.2.1-1+deb12u1
Version: 2.4.12.3-2
Version: 0.14.1-3

For httpd:2.4.56-debian-ff, below are the version of each library.

>apt show libcjose0 libapache2-mod-auth-openidc libhiredis0.14 | grep Version

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Version: 0.6.1+dfsg1-1+deb11u1
Version: 2.4.9.4-0+deb11u3
Version: 0.14.1-1

What would be the effort if I try to use alpine instead of debian? Will that work? Please advise! Thanks!

[hmoffatt]

I don't think changing your distro will help, as it's libapache2-mod-auth-openidc itself which is warning that your configuration is not valid. There is a change from March 2023 which relates to this message. You may need to post more details of your configuration and @zandbelt may see the error.

I don't know why you would now get extra redis error messages though.

[fong1999]

@hmoffatt @zandbelt Hi! That is good to know. Thanks for the suggestion!

Azure AD

Web Redirect URIs

https://one.xxxx.com/done

Here are the configure in our httpd.conf:

# This section contains the configuration for the mod_auth_openidc module
# which manages authentication of our users before exposing content

OIDCProviderMetadataURL https://login.microsoftonline.com/YYYYYYYYYYYYYYYYYYYYYYYYYYYY/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXX
OIDCProviderJwksUri https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXX/discovery/v2.0/keys
OIDCRedirectURI https://one.xxxxx.com/done
OIDCCryptoPassphrase XXXXXXXXXXXXXXXXXXX
OIDCSSLValidateServer Off
OIDCCacheType redis
OIDCRedisCacheServer localhost:6379
OIDCRedisCachePassword XXXXXXXXXXXXXXX
OIDCStateMaxNumberOfCookies 10 true
OIDCUnAuthAction 401 "%{REQUEST_URI} =~ /.*static.*/"


#
# https://github.com/zmartzone/mod_auth_openidc
#

<Location />
    AuthType openid-connect
    Require valid-user
</Location>

Please let me know if you need more information. Thanks!

[fong1999]

@hmoffatt Hi! When you said this "I don't think changing your distro will help, as it's libapache2-mod-auth-openidc itself which is warning that your configuration is not valid. There is a change from March 2023 which relates to this message."

Do you mean the message?

 oidc_authenticate_user: the URL scheme (https) of the configured OIDCRedirectURI does not match the URL scheme of the URL being accessed (http): the "state" and "session" cookies will not be shared between the two!

I did notice that it was there in our splunk log before, but not any more since April or May. What changed? Does it require the app code to adjust too? That might be the place for me to make the code change? Any ideas?

Thanks!

[hmoffatt]

There's a change in 2.4.13.2, but it's internal and shouldn't make any difference to your configuration from what I can tell. Maybe there are other changes between your working 2.4.9 and the latest that are causing this.

Do you actually see any http URLs being accessed when you try to open the protected URL?

[fong1999]

@hmoffatt Hi! I tried again using 2.4.57-debian in our dev environment. Our dev env's Azure set up and httpd.conf set up is the same way as production exception different URL.

As usual, I am getting below 500 error. I don't see the URL redirects happening...

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

I am seeing log below:

[Tue Oct 10 03:13:37.507474 2023] [auth_openidc:debug] [pid 9:tid 139767387760320] src/util.c(1170): [client 10.0.5.75:57348] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Tue Oct 10 03:13:37.507484 2023] [auth_openidc:debug] [pid 9:tid 139767387760320] src/util.c(2643): [client 10.0.5.75:57348] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_7pTLojr4zgFsWstqpu0uM8tPCVQ=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0.._lwgzIUtWPH9n0wy.UjqIdK-r2z_ugPbQMbUpKvUToIFMS54hfZ5Gm26SYY_JKFhrj75sikc8f7s8c3dRUvBRVOXqMhvPyD2B-5sb_qwk7cSf00Qo5XuWGQ2rfBD-lEjuHyAGbQ9sLzvukU5TTC6q3msBkJdZiHizAfKnF3pRJujmiEWtJ8_Wd0agsBceevAD64JiYFrXls3mqFumyVodd82p8OthBJk8YsPctwyILf_Ck-isGOXY7nFE5ejEpBQWdNvF9upZosy66nRiIZ48-3fSF07hSNMY8pR_QgGCfWlMrf8jrpkLaWVx13KvPABqihfZbB36DE_mSRiNRMNLx2-6yiX1IZdUp_4hwfiIPMoedkQTB9ddZ8FgaHJN7nrZ5fxoooh7d2F-F5_bsD2N4N0Pe_ji2skOgQUeShVB3v1aqEaXLu4jMC_9nBE8J26CWqzBOmYWq2XUy9HC9BCURnLAR3-Uxzi0.-ghnNKF-ERkSjuD9oXqxqQ; Path=/; HttpOnly
[Tue Oct 10 03:13:37.507494 2023] [auth_openidc:error] [pid 9:tid 139767387760320] [client 10.0.5.75:57348] oidc_authenticate_user: the URL scheme (https) of the configured OIDCRedirectURI does not match the URL scheme of the URL being accessed (http): the "state" and "session" cookies will not be shared between the two!
[Tue Oct 10 03:13:37.507521 2023] [headers:debug] [pid 9:tid 139767387760320] mod_headers.c(890): AH01503: headers: ap_headers_error_filter()
10.0.5.75 - - [10/Oct/2023:03:13:37 +0000] "GET / HTTP/1.1" 500 531
[Tue Oct 10 03:13:37.553844 2023] [authz_core:debug] [pid 9:tid 139766892852928] mod_authz_core.c(815): [client 10.0.5.75:57356] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://adw-aws-dev.apps.net/
[Tue Oct 10 03:13:37.553865 2023] [authz_core:debug] [pid 9:tid 139766892852928] mod_authz_core.c(815): [client 10.0.5.75:57356] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://adw-aws-dev.apps.net/
[Tue Oct 10 03:13:37.553873 2023] [auth_openidc:debug] [pid 9:tid 139766892852928] src/mod_auth_openidc.c(4048): [client 10.0.5.75:57356] oidc_check_user_id: incoming request: "/favicon.ico?(null)", ap_is_initial_req(r)=1, referer: https://adw-aws-dev.apps.net/

I noticed that it shows message about referer: https://adw-aws-dev.apps.net/ which does not show up in the log if I deployed httpd:2.4.56-debian-ff... Does it mean anything? ; ) Any suggestions?

Thanks much!

[fong1999]

@hmoffatt Hi! I was trying to use alpline just to see. I am not sure what those libraries are.

Dockerfile:

FROM ntr.nwie.net/library/httpd:2.4.57-alpine

# Install mod_auth_openidc module for authentication
RUN apk add libcjose mod-auth-openidc libhiredis && \
    apk cache clean

But getting the error below:

Status: Downloaded newer image for ntr.nwie.net/library/httpd:2.4.57-alpine
 ---> 82edae179866
Step 12/23 : RUN apk add libcjose mod-auth-openidc libhiredis &&     apk cache clean
 ---> Running in 57b5d013fc14
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
ERROR: unable to select packages:
  libcjose (no such package):
    required by: world[libcjose]
  libhiredis (no such package):
    required by: world[libhiredis]
  mod-auth-openidc (no such package):
    required by: world[mod-auth-openidc]
The command '/bin/sh -c apk add libcjose mod-auth-openidc libhiredis &&     apk cache clean' returned a non-zero code: 3

Reference:

• mod_auth_openidc/releases
• apache-mod-auth-openidc-2.4.14.3-r0.log

Please advise. Thanks!

[hmoffatt]

There's a cjose package but I don't see an Alpine package for mod-auth-openidc, so you would have to build that from source.

[fong1999]

@hmoffatt I see. Thanks for the info!

[zandbelt]

there's a lot of different moving parts in this thread by now; I'd advise you to start from the latest version (download the .deb from the Releases/Assets page), deploy on both 2.4.56 (this is likely based on bullseye) and 2.4.57 (likely based on bookworm) to check the differences and avoid accessing the protected pages over plain HTTP, i.e. use HTTPs everywhere

[fong1999]

@zandbelt Hi! Thank you for the suggestion! Which github repo do you refer to? Could you please share the URL? Thanks!

I see this one:

https://github.com/OpenIDC/mod_auth_openidc/tags

Thanks!

[zandbelt]

https://github.com/OpenIDC/mod_auth_openidc/releases

[fong1999]

@zandbelt Thank you for the info! I will try it out.

@hmoffatt @zandbelt Thank you all very much for your inputs here! I really appreciated it! I will keep you posted. Thanks!

[fong1999]

@zandbelt @hmoffatt Hi! Good afternoon! I have a few of follow up questions.

Which team is responsible for building the docker image? How often will that being pushed to Docker hub?

https://hub.docker.com/_/httpd

Thank you!