Cloudflare pages proxy with basic auth - cloudflare

Is there a way to write a cloudflare rewrite/proxy similar to netlify as per https://docs.netlify.com/routing/redirects/rewrites-proxies/#proxy-to-another-service and adjust the header with basic auth credentials?
For example I would need /api/* to redirect to a WordPress at domain.com/wp-json/* with basic auth headers (ideally not visible to client itself - not sure if this is also possible)

Related

Is there a way to add an addtional Authentication Token when using seccure Apache website

We have our Apache Websites secured using the password security which works well. Ive noticed If I add the following header to my browser requests I can bypass the security Authorization: Basicxxxxxxxxx. However, many other websites I visit use this same headers which requires me to always disble this header before visiting other sites.
Is there a way to configure Apache to recognize an additional headers to bypass security, so I can store this header in my browser settings and be able to visit other sites without having to disable it.

CloudFlare HMAC validation using cookie instead of request URI

Premise:
I have an existing application with its own ACL.
I've also implemented the CloudFlare WAF.
My client's organization has not yet implemented a VPN.
We are seeing a lot of false-positives from the WAF for normal behavior in the application's Administration panel and because there is no predictable IP or set of IPs we can whitelist, we're struggling to unblock Administrators without turning the WAF settings down too low.
I'd like to setup something like HMAC validation, but that seems to assume that the URL of every request include the MAC hash. Instead, I'd like to store that MAC has in a cookie and use something like the user's IP address as the message. It would look something like this:
User load Administration panel's login page
User authenticate's with the panels ACL
The first page load of the panel adds a cookie with the token {time}-{hash} where the {hash} is base64_encode(hash_hmac("sha256", $userIpAddress . $time, $secret, true)) (PHP)
Future requests from the Administrator's browser include this token cookie. CloudFlare's Firewall Rules check is_timed_hmac_valid_v0 [documentation] using ip.src as the message and comparing the hash to the specific cookie.
Part of the challenge I'm facing here is that I seem to only be able to use the entire cookie string like http.cookie and can't use the values of individual cookies.
How can I use the ACL of my application to inform CloudFlare that it should all requests from that user to bypass the WAF?

Sharepoint URL redirection

I am trying to achieve URL redirection i want to know different possibilities to achieve this.
Scenario: I have created sharepoint web application(2013, host header site collection) with Annonymous access enabled and NTLM(windows authentication enabled--- Both are enabled). I have bind this site to certificate also and its working as expected if i browse the site with https://test.com
but if i just browse the site with http://test.com its asking me for user name and password. This i want to avoid even if i try to access http my requirement is it should redirect to https.
I have entered username and password and returns 200 http status.
I know there are options we can achieve this
1) IIS redirect
2) Through custom code snippet (C#/Javascript)
But apart from this is there any way we can achieve this like load balance or DNS etc
Your guidence will be really help full.
Regards
Sri
I think you can achieve this by addin an AAM (Alternate Access Mapping) setting in a sharepoint site.
Try to convert an Https request to the http in that. I haven't tried it myself so I am not sure if this will work or not, but there are some examples of a reverse which you want.
For your reference this is a link to make it for http to https
https://sharepoint.stackexchange.com/questions/64484/http-to-https-redirection-using-aam
Let me know the outcome.

Why token-based authentication is better than cookie-based authentication in CORS/Cross-domain scenario?

I have seen in many places that one of the benefits of token-based authentication over cookie-based authentication is it is better suite for CORS/cross-domain scenario.
But why?
Here is a CORS scenario:
An HTML page served from http://domain-a.com makes an <img> src
request for http://domain-b.com/image.jpg.
Even if there's a token on my machine, how could the mere <img> tag know where to find and send it?
And according to here, it is suggested to store JWT as cookie, so how could that survive the CORS/cross-domain scenario?
ADD 1
Token-based authentication is easier to scale out than session-cookie one. See a related thread here: Stateless web application, an urban legend?
Just for clarification: Requests to any subdomain that you have are also considered as cross origin request (ex. you make request from www.example.com to api.example.com).
A simple <img> GET request to another origin is, indeed, cross origin request as well, but browsers are not using preflighted (OPTION) requests if you use GET, HEAD, POST requests only, and your Content-Type header is one of the followings:
application/x-www-form-urlencoded
multipart/form-data
text/plain
Therefore simple <img> request to another origin won't have problem (regardless if subdomain or totally another domain), as it won't go through preflight, unless it requires credentials, because when you add Authorization header, the request needs to go through preflight.
About storing in localstorage vs in cookie: Localstorage has single origin policy, meaning you cannot access the data you have stored from the subdomain, ie, example.com cannot access data in localstorage of api.example.com. On the other hand, using cookies, you can define which subdomains can access to the cookie. So you can access your token in stored in cookie and send it to server with your requests. Cookies also doesn't allow to access data across different domains.
Hope this helps.

Changing request and response with an Apache Proxy Server

I want to use an Apache proxy server (mod_proxy) to intercept all requests and responses to a web server. However I want to change requests and responses before redirecting them. Simply rewriting URLs is easy and documented, but the changes I want to make are more sophisticated, namely they need to inspect the request for user credentials as well as conditionally make redirects.
Is this possible in Apache's mod_rewrite, possibly in combination with other modules?
While the main goal is to implement this in Apache, I would also be happy with an alternative solution which doesn't necessarily use Apache.
Here is a more precise explanation of what I want to achieve, to give a little more context:
Check each incoming request for user credentials. If credentials are present, they are replaced by the user information which the web server can use to identify the user (Ideally in the Authorization header)
For example, let's assume a request contains a cookie which authenticates the request as beeing sent from the user "John", this cookie is removed, and the Authorization header is changed to Authorization Authenticated_by_proxy {"id":12345,"name":"John"}
Check each answer to see if it's an Error 403. If this is the case and the user is not logged in, redirect the user to a login page instead of forwarding the error