Help with allowing rt-mailgate past shibboleth in rt.conf (apache 2.4)

I’m setting up a new RT 5 server, and I have basic web access working with Shibboleth. However, it doesn’t appear that rt-mailgate is working with this setup, and I haven’t been able to figure out why.

Running an rt-mailgate test against my domain returns a 400 error, and running a ‘wget --spider’ against the same domain shows that it is connecting to the Shibboleth IdP and failing.

I need any RT API connections from localhost or the server’s public IP to bypass the Shibboleth authentication so that rt-mailgate can import emails without dealing with authentication (but still requiring it for standard users, obviously).

My rt.conf is based on a version that is working on RT4.4.0/apache 2.2 in the same environment, so I’m pretty sure the issue is a difference in how apache 2.2 and 2.4 interpret the config file.

Here’s my rt.conf (with the real domain names and IP changed):

<VirtualHost *:80>
        ServerAdmin iadmin@domain.com
        Redirect / https://my.domain.com/

        ErrorLog logs/my.domain.com-error.log
        CustomLog logs/my.domain.com-access.log combined

</VirtualHost>


<VirtualHost *:443>
        # Request Tracker
        ServerName my.domain.com
        AddDefaultCharset UTF-8

#       DocumentRoot /opt/rt4/share/html

#       FcgidMaxRequestLen 50000000 # This is the previous number, changed 20181115
        FcgidMaxRequestLen 1073741824
        Alias /NoAuth/images/ /opt/rt5/share/html/NoAuth/images/
        ScriptAlias /rt /opt/rt5/sbin/rt-server.fcgi/

#       <Location />
#               Require all granted
#       </Location>
        <Location /rt/REST/1.0/NoAuth>
                Order Allow,Deny
                Allow from 127.0.0.1
                # example public IP (Apache does not allow comments on a directive line)
                Allow from 22.22.22.22
        </Location>

        <Directory "/opt/rt5/sbin">
                SSLOptions +StdEnvVars
        </Directory>

        ErrorLog logs/my.domain.com-ssl.error.log
        CustomLog logs/my.domain.com-ssl.access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        ## my.domain.com certs
        SSLCertificateFile    /etc/pki/tls/certs/my.domain.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/my.domain.com.key
        SSLCertificateChainFile /etc/ssl/certs/InCommon.pem

        <Directory />
                AuthType Shibboleth
                ShibRequireSession On
                ShibUseHeaders On
                Require shibboleth

                Order allow,deny
                # example public IP (Apache does not allow comments on a directive line)
                Allow from 22.22.22.22
                Allow from 127.0.0.1
                Satisfy Any
        </Directory>
</VirtualHost>

Have you tried putting an AuthType None directive in your <Location> block?

We use Shibboleth here, but rather more complicated, as we wanted to have the option of local RT users as well. This involved quite a bit of local-specific /opt/rt4/local/html hackery so that we can have LocalHeader and LocalLogin that redirect to the Apache Shibboleth SP module if there is no user logged in, but which we can bypass and use the RT built-in authentication if required. Unfortunately not the sort of code that can be shared publicly, though!

I ended up getting it to work by removing the “Directory” entries and using only “Location”. I made one that covers the whole of RT with Shibboleth enabled:

<Location /rt>
        AuthType Shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        Require shibboleth
        Options +ExecCGI
        Addhandler fcgid-script fcgi
</Location>

And a second that applies specifically to the API location and limits access to my localhost and public IP:

<Location /rt/REST/1.0/NoAuth>
        # 127.0.0.1 plus an example public IP (Apache does not allow comments on a directive line)
        Require ip 127.0.0.1 22.22.22.22
        Satisfy any
</Location>

Putting it all together, this is the working rt.conf (with RT served off /rt and Shibboleth auth enabled):

<VirtualHost *:80>
        ServerAdmin iadmin@domain.com
        Redirect / https://my.domain.com/

        ErrorLog logs/my.domain.com-error.log
        CustomLog logs/my.domain.com-access.log combined

</VirtualHost>


<VirtualHost *:443>
        # Request Tracker
        ServerName my.domain.com
        AddDefaultCharset UTF-8

#        FcgidMaxRequestLen 1073741824 #added to fcgid.conf instead
        Alias /NoAuth/images/ /opt/rt5/share/html/NoAuth/images/
        ScriptAlias /rt /opt/rt5/sbin/rt-server.fcgi/

        <Location /rt>
                AuthType Shibboleth
                ShibRequireSession On
                ShibUseHeaders On
                Require shibboleth
                Options +ExecCGI
                Addhandler fcgid-script fcgi
        </Location>
        <Location /rt/REST/1.0/NoAuth>
                # 127.0.0.1 plus an example public IP (Apache does not allow comments on a directive line)
                Require ip 127.0.0.1 22.22.22.22
                Satisfy any
        </Location>

        ErrorLog logs/my.domain.com-ssl.error.log
        CustomLog logs/my.domain.com-ssl.access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        ## my.domain.com certs
        SSLCertificateFile    /etc/pki/tls/certs/my.domain.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/my.domain.com.key
        SSLCertificateChainFile /etc/ssl/certs/InCommon.pem

</VirtualHost>
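The `Require ip` fence on /rt/REST/1.0/NoAuth is the only thing standing between the unauthenticated mail gateway and the internet, so it is worth checking from the access log that it actually bites. This added script (not from the thread or from RT) parses lines in the `combined` format written by the CustomLog directive above and flags any non-allowlisted client that got anything other than a 401/403 from the NoAuth path; the allowlist, log lines and the rt-mailgate user agent are constructed to match the example config.

```python
import re
from ipaddress import ip_address, ip_network

# Apache "combined" log format, as produced by the CustomLog line in rt.conf.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Mirrors "Require ip 127.0.0.1 22.22.22.22" from the thread (22.22.22.22 is the example IP).
ALLOWED = [ip_network("127.0.0.1/32"), ip_network("22.22.22.22/32")]
NOAUTH_PREFIX = "/rt/REST/1.0/NoAuth"  # the path the Location block exempts from Shibboleth


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(ip):
    """True if the client address falls inside one of the Require ip entries."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED)


def audit_noauth(lines):
    """Return (ip, path, status) for hits on the NoAuth path from outside the allowlist
    that were not rejected, i.e. evidence that the Require ip fence is not effective."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(NOAUTH_PREFIX):
            continue
        if not is_allowed(rec["ip"]) and rec["status"] not in ("401", "403"):
            findings.append((rec["ip"], rec["path"], rec["status"]))
    return findings


# Constructed sample log lines (not real traffic): a legitimate local rt-mailgate post,
# a correctly rejected outsider, an outsider that got through, and an ordinary UI request.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2024:09:00:01 +0000] "POST /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 200 12 "-" "rt-mailgate"',
    '203.0.113.9 - - [10/Jan/2024:09:00:05 +0000] "POST /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2024:09:00:09 +0000] "POST /rt/REST/1.0/NoAuth/mail-gateway HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2024:09:00:12 +0000] "GET /rt/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in audit_noauth(SAMPLE_LOG):
        print(f"ALERT: {ip} reached {path} with status {status} despite Require ip")
```

Run it over the real my.domain.com-ssl.access.log after `apachectl configtest` passes; a clean run should print nothing, and any line it prints is a request the Location block should have answered with 403.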