Description
Hello. I am having an issue configuring mod_auth_gssapi with a Proxy to a remote host and I am hoping there is something simple on my side I am missing. If this is not the best place to ask, then please let me know where I should submit my question. Thanks.
I am using Red Hat Enterprise Linux 9 w/ Apache 2.4.57 and mod_auth_gssapi 1.6.3-7. My RHEL9 system is joined to our Active Directory. mod_auth_gssapi works fine for web pages (HTML and PHP) and other resources hosted directly on the Apache Server, but I cannot get the configuration correct when Proxying through Apache to a remote system.
I have a web camera on a private network attached to my Apache host. I want to proxy the live stream of the camera feed through my Apache server on the public interface, but limit who can see the live stream based on group membership. A simple proxy itself is working fine using the following:
```apache
<Location /camera>
    ProxyPreserveHost On
    ProxyPass http://camera.mgt/video1s1.mjpg
    ProxyPassReverse http://camera.mgt/video1s1.mjpg
    <RequireAny>
        Require all granted
    </RequireAny>
</Location>
```
I have also set it up using BasicAuth with LDAP Authentication through our Active Directory Server with no problem:
```apache
<Location /camera>
    ProxyPreserveHost On
    ProxyPass http://camera.mgt/video1s1.mjpg
    ProxyPassReverse http://camera.mgt/video1s1.mjpg
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Camera"
    AuthLDAPURL "ldap://ad.example.com?uid?sub?(objectClass=*)" TLS
    AuthLDAPRemoteUserAttribute uid
    AuthLDAPGroupAttribute member memberUid
    AuthLDAPGroupAttributeIsDN on
    <RequireAny>
        Require ldap-group cn=camera,cn=Groups,dc=example,dc=com
    </RequireAny>
</Location>
```
However, when I try and throw mod_auth_gssapi into the mix in place of LDAP username/password authentication, I get the following error in the web browser:
```
400 Bad Request
Your client has issued a malformed or illegal request.
```
My GSSAPI setup in Apache is:
```apache
<Location /camera>
    ProxyPreserveHost On
    ProxyPass http://camera.mgt/video1s1.mjpg
    ProxyPassReverse http://camera.mgt/video1s1.mjpg
    AuthName "Camera"
    AuthType GSSAPI
    GssapiAllowedMech krb5
    GssapiLocalName On
    GssapiUseSessions On
    GssapiSSLonly On
    GssapiCredStore keytab:/etc/krb5.keytab
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
    AuthLDAPURL "ldap://ad.example.com?uid?sub?(objectClass=*)" TLS
    AuthLDAPRemoteUserAttribute uid
    AuthLDAPGroupAttribute member memberUid
    AuthLDAPGroupAttributeIsDN on
    <RequireAny>
        Require ldap-group cn=camera,cn=Groups,dc=example,dc=com
    </RequireAny>
</Location>
```
I use the above GSSAPI configuration on the same Apache server for other <Location> and <Directory> directives without any issues and mod_auth_gssapi works as expected there (so it's not an issue with verifying the KRB5 ticket with the domain controller).
There is nothing in the Apache logs that points to what the problem is.
Since a simple proxy works, Proxy w/BasicAuth (using LDAP) works, but Proxy w/mod_auth_gssapi doesn't, it seems like there is something about the GSSAPI setup that is causing the problem, but I've read through all the documentation on this site, searched the web and tried all the combinations of Gssapi* settings I thought might impact my setup, with no luck.
Thanks!
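One sanity check a practitioner can run against a configuration like the one above, added here as an example and not part of the original issue or of mod_auth_gssapi itself: it parses each `<Location>` block and reports any `SessionCookieName` whose `Path` attribute does not cover the Location it is set in (RFC 6265 path matching), because a browser then never returns the session cookie to that location and every request has to renegotiate. The sample configuration is constructed from the posted GSSAPI block; whether this is the cause of the 400 is not something the check can tell you.

```python
import re

# Constructed sample: a trimmed copy of the GSSAPI <Location> block from the
# issue, keeping the Location path and the cookie path exactly as posted.
SAMPLE_CONF = """
<Location /camera>
    ProxyPass http://camera.mgt/video1s1.mjpg
    AuthType GSSAPI
    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
COOKIE_RE = re.compile(r"^\s*SessionCookieName\s+\S+(.*)$", re.M | re.I)


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: the request path equals the cookie
    path, or starts with it and either the cookie path ends in '/' or the
    next character of the request path is '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def check_session_cookie_paths(conf_text):
    """Return (location, cookie_path) pairs where the mod_session cookie set
    inside a <Location> would never be sent back to that same Location."""
    problems = []
    for m in LOCATION_RE.finditer(conf_text):
        location, body = m.group(1), m.group(2)
        cookie = COOKIE_RE.search(body)
        if not cookie:
            continue
        # Parse the ';'-separated cookie attributes after the cookie name.
        attrs = {}
        for attr in cookie.group(1).split(";"):
            if "=" in attr:
                key, value = attr.strip().split("=", 1)
                attrs[key.strip().lower()] = value.strip()
        # Without an explicit Path the browser derives a default from the
        # request URI; that case is not checked here.
        if "path" in attrs and not cookie_path_matches(attrs["path"], location):
            problems.append((location, attrs["path"]))
    return problems
```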