Getting redis integration working

[LangJV]

Is there something special or unique to getting redis integration working? I believe i have it enabled, and yet, no errors, no debug logs, no attempted connections, nothing at all. Would appreciate some assistance and guidance? I've been up and down the forums and google and stackoverflow posts, and can't seem to figure out what i'm doing wrong

[root@extwsn2aw117 conf.d]# uname -a
Linux extwsn2aw117.paychex.com 3.10.0-1160.105.1.el7.x86_64 #1 SMP Mon Nov 6 06:58:51 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
[root@extwsn2aw117 conf.d]# rpm -qa | grep openidc
mod_auth_openidc-2.4.14.3-1.el7.x86_64
[root@extwsn2aw117 conf.d]# rpm -qa | grep redis
hiredis-0.12.1-2.el7.x86_64
[root@extwsn2aw117 conf.d]#

[root@extwsn2aw117 conf.d]# httpd -t -D DUMP_CONFIG | grep -e redis
AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
 512 servers, decreasing MaxRequestWorkers to 512.
 To increase, please see the ServerLimit directive.
Syntax OK
  OIDCCacheType redis
  OIDCRedisCacheServer myredisurl:13030
[root@extwsn2aw117 conf.d]# httpd -t -D DUMP_CONFIG | grep -e Redis
AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
 512 servers, decreasing MaxRequestWorkers to 512.
 To increase, please see the ServerLimit directive.
Syntax OK
  OIDCRedisCacheServer myredisurl:13030
  OIDCRedisCachePassword myredispassword
  OIDCRedisCacheUsername myredisusername
  OIDCRedisCacheDatabase 0
[root@extwsn2aw117 conf.d]#

[root@extwsn2aw117 conf.d]# sudo service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─apache_limits.conf, apache_semaphores_cleanup.conf
   Active: active (running) since Tue 2024-01-16 16:46:24 EST; 23min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 27225 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 27231 ExecStartPre=/opt/paychex/httpd/apache_semaphores_cleanup.sh (code=exited, status=0/SUCCESS)
 Main PID: 27236 (httpd)
   Status: "Total requests: 527; Current requests/sec: 0.4; Current traffic: 512 B/sec"
    Tasks: 31
   Memory: 16.0M
   CGroup: /system.slice/httpd.service
<Cut>

Jan 16 16:46:23 extwsn2aw117.paychex.com systemd[1]: Starting The Apache HTTP Server...
Jan 16 16:46:24 extwsn2aw117.paychex.com httpd[27236]: AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
Jan 16 16:46:24 extwsn2aw117.paychex.com httpd[27236]: 512 servers, decreasing MaxRequestWorkers to 512.
Jan 16 16:46:24 extwsn2aw117.paychex.com httpd[27236]: To increase, please see the ServerLimit directive.
Jan 16 16:46:24 extwsn2aw117.paychex.com systemd[1]: Started The Apache HTTP Server.
[root@extwsn2aw117 conf.d]# sudo netstat -anp | grep 13030
[root@extwsn2aw117 conf.d]# cat /var/log/httpd/
access_log              access_log-20231231.gz  access_log-20240114.gz  error_log-20231224.gz   error_log-20240107.gz
access_log-20231224.gz  access_log-20240107.gz  error_log               error_log-20231231.gz   error_log-20240114.gz
[root@extwsn2aw117 conf.d]# cat /var/log/httpd/error_log | grep redis
[root@extwsn2aw117 conf.d]#

[root@extwsn2aw117 conf.d]# cat /etc/httpd/conf/httpd.conf | grep LogLevel
# LogLevel: Control the number of messages logged to the error_log.
LogLevel debug ssl:debug
[root@extwsn2aw117 conf.d]#

I hope I'm missing something obtuse, simple, or straightforward. I can't get logs or TCP connections showing it tried to connect, logs showing it failed, heck, even if my password were wrong, it won't tell me, or seemingly do anything at all?

[zandbelt]

what about the output of cat /var/log/httpd/error_log | grep auth_openidc | grep cache

[LangJV]

@zandbelt - thanks for the tip!

Restarted apache to get a fresh look - and got this in the logs using the command you described:

[Wed Jan 17 08:33:55.537396 2024] [auth_openidc:info] [pid 124602] mod_auth_openidc-2.4.14.3 - init - cjose 0.6.1.4, OpenSSL 1.0.2k-fips  26 Jan 2017, EC=yes, GCM=yes, Memcache=yes, Redis=yes, JQ=no
[Wed Jan 17 08:33:55.574838 2024] [auth_openidc:debug] [pid 124602] src/cache/shm.c(120): oidc_cache_shm_post_config: initialized shared memory with a cache size (# entries) of: 10000, and a max (single) entry size of: 16913
[root@extwsn2aw117 conf.d]#

I decided to try and simplify things a bit. We did have our oidc Redis config buried in a site file with a lot of other OIDC settings (the other ones all are working as expected)

I moved them to a simple 99_redis.conf file in the conf.d directory:

[root@extwsn2aw117 conf.d]# cat /etc/httpd/conf.d/99_redis.conf 
# Redis Configuration

OIDCSessionCacheFallbackToCookie Off
OIDCCacheType redis
OIDCRedisCacheServer myurl:13030
OIDCRedisCachePassword mypassword
OIDCRedisCacheUsername myusername
OIDCRedisCacheDatabase 0
OIDCRedisCacheConnectTimeout 5
OIDCRedisCacheTimeout 5
[root@extwsn2aw117 conf.d]#

Confirmed that apache "sees" these config options just fine - no duplicates or anything:

[root@extwsn2aw117 conf.d]# httpd -t -D DUMP_CONFIG | grep -e Redis
OIDCRedisCacheServer myurl:13030
OIDCRedisCachePassword mypassword
OIDCRedisCacheUsername myusername
OIDCRedisCacheDatabase 0
OIDCRedisCacheConnectTimeout 5
OIDCRedisCacheTimeout 5
AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
 512 servers, decreasing MaxRequestWorkers to 512.
 To increase, please see the ServerLimit directive.
Syntax OK
[root@extwsn2aw117 conf.d]# httpd -t -D DUMP_CONFIG | grep -e redis
# In file: /etc/httpd/conf.d/99_redis.conf
OIDCCacheType redis
AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
 512 servers, decreasing MaxRequestWorkers to 512.
 To increase, please see the ServerLimit directive.
Syntax OK
[root@extwsn2aw117 conf.d]#

I then restarted HTTPD with this simplfied setup - it didn't indicate it was loading the "shm" method this time - but also didn't do anything else beyond show an "init" message either. I let it idle for a few minutes to confirm.

[root@extwsn2aw117 conf.d]# sudo service httpd status | grep "Active: "
Redirecting to /bin/systemctl status httpd.service
   Active: active (running) since Wed 2024-01-17 08:50:08 EST; 2min 51s ago
[root@extwsn2aw117 conf.d]# cat /var/log/httpd/error_log | grep auth_openidc
...
[Wed Jan 17 08:50:06.629552 2024] [auth_openidc:debug] [pid 126292] src/cache/common.c(194): oidc_cache_mutex_destroy: apr_global_mutex_destroy returned :0
[Wed Jan 17 08:50:06.629711 2024] [auth_openidc:info] [pid 126292] mod_auth_openidc-2.4.14.3 - shutdown
[Wed Jan 17 08:50:08.895038 2024] [auth_openidc:info] [pid 126858] mod_auth_openidc-2.4.14.3 - init - cjose 0.6.1.4, OpenSSL 1.0.2k-fips  26 Jan 2017, EC=yes, GCM=yes, Memcache=yes, Redis=yes, JQ=no
[root@extwsn2aw117 conf.d]#

Here's a dump of "every" OIDC parameter we have set. Would one of these somehow override the cache settings or something?

[root@extwsn2aw117 conf.d]# httpd -t -D DUMP_CONFIG | grep -e OIDC
OIDCSessionCacheFallbackToCookie Off
OIDCCacheType redis
OIDCRedisCacheServer <myserver>:13030
OIDCRedisCachePassword <mypassword>
OIDCRedisCacheUsername <myuser>
OIDCRedisCacheDatabase 0
OIDCRedisCacheConnectTimeout 5
OIDCRedisCacheTimeout 5
      RequestHeader set Authorization "Bearer %{OIDC_access_token}e"
  OIDCClientID <myid>
  OIDCProviderIssuer https://<myurl>
  OIDCProviderAuthorizationEndpoint https://<myurl>/oauth/authorize
  OIDCProviderTokenEndpoint "https://<myurl>/oauth/token"
  OIDCProviderJwksUri "https://<myurl>/oauth/jwk"
  OIDCOAuthVerifyJwksUri "https://<myurl>/oauth/jwk"
  OIDCRedirectURI /openid-login
  OIDCResponseType code
  OIDCResponseMode query
  OIDCProviderTokenEndpointAuth none
  OIDCScope "openid flex-ui profile"
  OIDCAuthRequestParams audience=<myurl>&prompt=none
  OIDCSessionType client-cookie
  OIDCCookie _pyxapsession
  OIDCCookieDomain .<mydomain>
  OIDCStripCookies <space separated list of cookies to strip>
  OIDCCookiePath /
  OIDCCryptoPassphrase <mypassphrase>
  OIDCSessionInactivityTimeout 600
  OIDCSessionMaxDuration 1800
  OIDCPassIDTokenAs claims
  OIDCBlackListedClaims jti aud iat iss nonce exp
  OIDCWhiteListedClaims preferred_username sub
  OIDCClaimPrefix OIDC-
  OIDCPassClaimsAs environment
  OIDCRemoteUserClaim http://<myurl>/sub
  OIDCAuthNHeader <myheader>
AH00180: WARNING: MaxRequestWorkers of 768 exceeds ServerLimit value of
 512 servers, decreasing MaxRequestWorkers to 512.
 To increase, please see the ServerLimit directive.
Syntax OK
[root@extwsn2aw117 conf.d]#

[zandbelt]

if there's no activity there's no logging output; if you access the server and authenticate users the var/log/httpd/error_log | grep auth_openidc | grep cache command would show you what cache is used

[zandbelt]

using OIDCSessionType client-cookie would obsolete the need for a session cache at least, not using OIDCProviderMetadataURL obsolets the Provider metadata caching, etc.; what are you expecting to be cached?

[LangJV]

Thanks for the information and context @zandbelt !!

I'm working on "how" to actually authenticate to our test site now - hope to be able to test that shortly. I had imagined/expected (incorrectly) that a server startup, it would establish a connection pool of redis connections, create a base/empty "schema" in the redis database, and be ready to connect/handle authentications should they happen, but wasn't seeing that.

Regarding your notes on OIDCProviderMetaDataURL and OIDCSessionType, thanks for mentioning that! Reading over the config file notes on OIDCSessionType - it looks like we want it set to server-cache in order to allow redis to handle the caching of the sessions to begin with, so working on setting that as well. Im fine skipping the caching of the MetaData info for now, my hope here is to simply "get it working" and then circle back on the optimal/best configuration before implementing past our test environment.

Thanks again for the guidance! Ill report back soon on what the logs look like when i authenticate into it with this configuration.