Web Policy Agents 2023.6

Configure Apache Web Agent

AmAgent directive to switch the agent on or off

Switch the agent on or off globally or independently for different server locations. Server locations include the global environment, a virtual host, a specific location, or a set of directory blocks. Use the following settings:

AmAgent On

The agent protects server locations. It allows or denies requests based on AM policy configuration and not-enforced rules.

AmAgent Off

Apache protects server locations; the agent plays no part in protecting the server locations.

Default: AmAgent is set to On at a global level in the /etc/httpd/conf/httpd.conf configuration file as follows:

AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

The AmAgent configuration is hierarchical; when it is On or Off globally it is set for all server locations except those explicitly specified otherwise.

Consider setting AmAgent to Off for the following situations:

  • For server locations that need no AM authentication or policy, such as the public face of a website, or /css or /images directories.

  • When an Apache server is acting as a reverse proxy to AM or Identity Cloud, and you don’t want the agent to take part in protecting AM or Identity Cloud.
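The following httpd.conf fragment is an added example, not taken from the Web Agent documentation, that covers both situations in the list above: the agent is On globally, Off for the static content directories, and Off for a Location that reverse proxies to AM. The /var/www/html/css and /var/www/html/images paths, the /am context path and the backend URL am.internal.example.com:8080 are assumptions; mod_proxy and mod_proxy_http must be loaded for the ProxyPass directives.

```apache
# Added example (not from the page). Global settings: the agent is On
# everywhere unless a server location says otherwise.
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

# Static assets need no AM authentication or policy; Apache serves them
# directly and the agent plays no part. Paths are assumptions.
<Directory /var/www/html/css>
    AmAgent Off
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/html/images>
    AmAgent Off
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Everything else under the document root stays under agent control.
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Apache acts as a reverse proxy to AM. Switch the agent Off here so it
# does not take part in protecting AM itself. The /am path and backend
# URL are assumptions; requires mod_proxy and mod_proxy_http.
ProxyPreserveHost On
<Location /am>
    AmAgent Off
    ProxyPass http://am.internal.example.com:8080/am
    ProxyPassReverse http://am.internal.example.com:8080/am
    Require all granted
</Location>
```

After editing, run apachectl configtest to catch syntax errors, then request a path under /var/www/html without an AM session and confirm the agent redirects you to AM, while a request for a file under /css or /images, and a request to /am, is served without a redirect.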

Example where AmAgent is On globally and Off for specific directories

In the following example httpd.conf, the agent is On globally and Off for the /var/www/transaction directory:

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/transaction>
    AmAgent Off
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

Accessing a resource in /var/www/

The agent protects the resource, and overrides the Require all granted directive.

To access the resource, the request must match a not-enforced rule in the agent configuration or be allowed by an AM policy evaluation.

Accessing a resource in /var/www/transaction

Apache manages the access and applies the Require all granted directive. The agent plays no part in protecting the resource.

AmAgent is Off globally and On for specific server locations

When AmAgent is Off globally, configure the /agent server location as On. This allows AM to redirect requests to the agent’s /agent endpoint after authentication.

In the following example httpd.conf, the agent is Off globally but On for the /var/www/transaction and /agent locations:

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/transaction>
    AmAgent On
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Location /agent>
    AmAgent On
</Location>

AmAgent Off
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

Accessing a resource in /var/www/

Apache manages the access and applies the Require all granted directive. The agent plays no part in protecting the resource.

Accessing a resource in /var/www/transaction

The agent protects the resource, and overrides the Require all granted directive.

To access the resource, the request must match a not-enforced rule in the agent configuration or be allowed by an AM policy evaluation.

AmAuthProvider directive to use Apache as the enforcement point

When AmAgent is On, combine AM policy with Apache Require directives to control access globally or independently for different server locations. Server locations include the global environment, a virtual host, a specific location, or a set of directory blocks.

Using multiple authorization sources increases complexity. To reduce the risk of an invalid security configuration, test and validate the directives.

Use the following settings:

AmAuthProvider Off

The agent acts as the enforcement point, allowing or denying requests based on not-enforced rules and AM policies.

AmAuthProvider On

Apache acts as the enforcement point, allowing or denying requests based on AM policy and Apache Require directives.

For information about Require directives, refer to Require Directive on the Apache website. Require AmAuth is a directive specific to Web Agent. When the directive is specified, users must be authenticated with AM; if they are not, the agent redirects them to AM for authentication.

Default: AmAuthProvider is Off

The AmAuthProvider configuration is hierarchical; when it is On or Off globally it is set for all server locations except those explicitly specified otherwise.

For simplicity, it is recommended to leave AmAuthProvider as Off globally and set it to On for specific locations where you want Apache to act as the enforcement point.

When AmAuthProvider is On and the request doesn’t match a not-enforced rule

When a request doesn’t match a not-enforced rule, the agent does the following:

  • Checks that the user is authenticated with AM, and redirects the user for authentication if not.

  • Requests policy information from AM for the request.

  • Relays the policy information to the Apache Require AmAuth directive.

Apache uses the Require AmAuth directive and other Require directives to allow or deny access to resources.

The following image shows the flow of requests:

[Image: directives.puml (request flow when AmAuthProvider is On and the request does not match a not-enforced rule)]

When AmAuthProvider is On and the request matches a not-enforced rule

When a request matches a not-enforced rule, the agent does not require the user to be authenticated with AM or request policy information from AM. The Require AmAuth directive returns a neutral value.

Apache uses the other Require directives to allow or deny access to resources.

The following image shows the flow of requests:

[Image: directives-nenf-match.puml (request flow when AmAuthProvider is On and the request matches a not-enforced rule)]

Consider the following points for using not-enforced rules when AmAuthProvider is On:

  • Instead of using not-enforced rules to provide caveats to AM policy enforcement, use Apache Require directives.

  • In server locations where the agent is configured with not-enforced rules, set AmAuthProvider to Off to let the agent do the enforcement.

  • If you use not-enforced rules when AmAuthProvider is On, remember that the agent drops out of authorization decisions for requests that match a rule. Apache Require directives alone are used to allow or deny those requests.

When AmAuthProvider is On and Require AmAuth is not specified

When AmAuthProvider is On, the Require AmAuth directive should always be specified. If AmAuthProvider is On but the Require AmAuth directive is not specified, users are still required to authenticate with AM but Apache does not use policy information from AM in its decision.

The following image shows the flow of requests:

[Image: directives-no-amauth.puml (request flow when AmAuthProvider is On and Require AmAuth is not specified)]

The following example has this configuration:

  • The request doesn’t match a not-enforced rule.

  • AmAuthProvider is On for the /var/www/transaction directory.

  • Require AmAuth is not specified.

# Not a recommended configuration

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/transaction>
    AmAuthProvider On
    Options Indexes FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require ip 19.168.2
    </RequireAll>
</Directory>

AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

Accessing a resource in /var/www/transaction

Apache uses the Require ip directive to allow or deny the request. The user must be authenticated with AM and a valid user must be set, but AM policy information is ignored.

Example where AmAuthProvider is Off globally and On for specific directories

The example is configured as follows:

  • The request doesn’t match a not-enforced rule.

  • AmAuthProvider is Off globally.

  • AmAuthProvider is On for the /var/www/transaction directory.

  • Require AmAuth is specified.

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/transaction>
    AmAuthProvider On
    Options Indexes FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require AmAuth
        Require ip 19.168.2
    </RequireAll>
</Directory>

AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

Accessing a resource in /var/www/

The agent acts as the enforcement point, allowing or denying requests based on not-enforced rules and AM policies.

Accessing a resource in /var/www/transaction

The agent provides AM policy information to the Require AmAuth directive. Apache uses that and the Require ip directive to allow or deny the request.

To access the resource, the user must be authenticated with AM, and the request must meet AM policy requirements and come from the specified IP address.
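The following httpd.conf fragment is an added example, not taken from the Web Agent documentation, that extends the example above to show how AM policy and other Apache Require directives combine inside RequireAll and RequireAny containers when AmAuthProvider is On. The /var/www/reports directory and the 10.0.0.0/8 and 203.0.113.0/24 address ranges are assumptions.

```apache
# Added example (not from the page). AmAuthProvider stays Off globally,
# so the agent is the enforcement point everywhere except where a
# server location switches Apache in.
AmAgent On
AmAgentConf /opt/web_agents/apache24_agent/instances/agent_1/config/agent.conf
AmAuthProvider Off

<Directory /var/www/>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# RequireAll: the request is allowed only if AM policy allows it AND it
# does not come from the blocked range. A matching "Require not ip"
# denies regardless of the AM policy result. Range is an assumption.
<Directory /var/www/transaction>
    AmAuthProvider On
    Options -Indexes
    AllowOverride None
    <RequireAll>
        Require AmAuth
        Require not ip 203.0.113.0/24
    </RequireAll>
</Directory>

# RequireAny: an authenticated user is allowed if AM policy allows the
# request OR the request comes from the internal range. The agent still
# redirects unauthenticated users to AM before Apache evaluates these
# directives, so the IP rule relaxes policy, not authentication.
# Directory and range are assumptions.
<Directory /var/www/reports>
    AmAuthProvider On
    Options -Indexes
    AllowOverride None
    <RequireAny>
        Require AmAuth
        Require ip 10.0.0.0/8
    </RequireAny>
</Directory>
```

Two caveats follow from the flows described earlier on this page. First, if a request for /var/www/transaction or /var/www/reports matches a not-enforced rule in agent.conf, the agent neither authenticates the user nor fetches policy, Require AmAuth returns a neutral value, and only the ip directives decide; keep not-enforced rules out of locations where AmAuthProvider is On, or leave those locations with AmAuthProvider Off. Second, if Require AmAuth is dropped from either container, AM policy is silently ignored while authentication is still enforced, so run apachectl configtest after every change and probe each location with and without an AM session and from an address inside and outside each range to confirm the allow and deny outcomes you expect.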

Copyright © 2010-2023 ForgeRock, all rights reserved.