duo_pam http_proxy not working on anything but port 8080 #153

Closed
sharkannon opened this issue Apr 9, 2019 · 4 comments

@sharkannon

Summary

When setting up duo_pam on my CentOS 7 environment, I'd originally set up DUO_AUTH_PROXY as an http_proxy for duo_pam, and everything worked fine (DUO_AUTH_PROXY defaults to 8080 as the port for proxying).

I then tried to set up tinyproxy (defaults to 8888) and squid (on 8888), configured duo_pam to listen on the new port, and things just didn't want to work. I couldn't even see the inbound (or outbound) connection in Wireshark.

So on a hunch, I changed the port for tinyproxy and squid to 8080 and updated and wow they started working.

Steps to reproduce

  1. Install Duo Pam on a CentOS 7 host
  2. Install tinyproxy (https://tinyproxy.github.io/) using port 8080
  3. Configure /etc/duo/pam_duo.conf with "http_proxy = http://proxyip:8888"
  4. Try logging in.

Specs

  • CentOS 7
  • x86_64
  • pam_duo 1.11.1
@xdesai
Contributor

xdesai commented Apr 9, 2019

Hi!
This is almost certainly to do with your SELinux policy.
Pam Duo has policy rules to allow it to use http_port and http_cache_port. If 8888 is not in those lists, then you need to either disable SELinux or add 8888 to one of the lists.

How to view the ports

$ semanage port -l | grep http_cache_port_t
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
$ semanage port -l | grep http_port_t
http_port_t tcp 80, 443, 488, 8008, 8009, 8443

This is on a vanilla system and as you can see 8888 is not in either list.

To add 8888 to your SELinux policy (http_cache_port is meant for proxies so I would recommend that type)

$ semanage port -a -t http_cache_port_t -p tcp 8888

Or to disable SELinux instead

$ setenforce 0
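
The check described in the comment above, as an added example that is not part of the original thread or of Duo's code: it reads the proxy port from a pam_duo.conf-style file and tests it against saved `semanage port -l` output, also handling the port ranges that `semanage` can print. The function names, the temporary files and the sample config line are assumptions made for illustration.

```shell
# Print the port of the first "http_proxy = URL" line in config file $1.
# Fails when there is no such line or the URL carries no explicit port.
proxy_port() {
    sed -n 's/^[[:space:]]*http_proxy[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        head -n 1 |
        sed -n 's#^[a-z]*://\([^/@]*@\)\{0,1\}[^/:@]*:\([0-9][0-9]*\)\(/.*\)\{0,1\}$#\2#p' |
        grep .
}

# Succeed if TCP port $1 is labelled http_port_t or http_cache_port_t in the
# `semanage port -l` output saved in file $2. Entries may be ranges (a-b).
port_allowed() {
    awk -v want="$1" '
        ($1 == "http_port_t" || $1 == "http_cache_port_t") && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) found = 1
            }
        }
        END { exit !found }
    ' "$2"
}

# Print "allowed: tcp/PORT", or the semanage command from the thread that
# would label the port. $1 = config file, $2 = saved `semanage port -l` output.
check_duo_proxy() {
    port=$(proxy_port "$1") || { echo "no explicit proxy port in $1"; return 2; }
    if port_allowed "$port" "$2"; then
        echo "allowed: tcp/$port"
    else
        echo "semanage port -a -t http_cache_port_t -p tcp $port"
        return 1
    fi
}

# Constructed sample inputs: the listing repeats the vanilla output quoted in
# the thread; the config line uses the reporter's port 8888.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ports.txt" <<'EOF'
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
EOF
printf '[duo]\nhttp_proxy = http://proxyip:8888\n' > "$demo_dir/pam_duo.conf"
check_duo_proxy "$demo_dir/pam_duo.conf" "$demo_dir/ports.txt" || true
```

On a real host, save the listing with `semanage port -l > ports.txt` and pass `/etc/duo/pam_duo.conf` as the first argument.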

@sharkannon
Author

Ohhhh.. that makes sense.. I hate SELinux, tends to cause way too many problems.

@sharkannon
Author

Maybe want to update the documentation to mention something like that?

@xdesai
Contributor

xdesai commented Apr 9, 2019

That's good feedback. I'll take a note that we should consider adding this to our FAQ somewhere.
Since we think this is resolved I'm gonna go ahead and close out this issue. Thanks for using Duo and good luck with the rest of your setup!

xdesai closed this as completed Apr 9, 2019