Apache BasicAuth .htpasswd - apache

Issue: My requirement is to implement BasicAuth to my website when I login. Now when load my website it is asking me the credentials and after successful login I can see the landing page of my website. When I do some operation on this landing page it is not moving head rather the same landing page is coming up.
Description:
Under <VirtualHost *:443> in file INBOUND.conf I've added below config. I already have routing http to https by config mentioned below. I've created credentials with htpasswd utility and placed at '/etc/apache2/.htpasswd'
<Location />
AuthType Basic
AuthName "Restricted: Contact Content Team"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
HTTP To HTTPS Routing:
ServerName xxx
ServerAlias xxx
ServerAdmin xxx
# For non-SSL access redirect to the SSL port
RewriteEngine On
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R]
Before asking the question over here, I had went through many articles but there's no luck.
I've now figured out that there's a cookie which gets created with
some value and is not getting passed to next page. Thus, the same
page is been reloading.
During the happy flow when I remove this BasicAuth, the cookie is getting passed over to next page.
So, can someone of you please help me here?

after investigation I figured out that the client ip was falling under "X-Forwarded-For" tag and not on host/client tag so I did the following and it started working for me.
Basically we need to figure out the incoming ip is falling under which tag and we need to whitelist that tag here
<Location />
SetEnvIF X-Forwarded-For "116.50.59.202" AllowIP
SetEnvIF X-Forwarded-For "127.0.0.1" AllowIP
SetEnvIF X-Forwarded-For "0.0.0.0" AllowIP
Require env AllowIP
</Location>

Related

How to redirect to another domain But Not Show The URL redirection with .htaccess?

I am not sure if .htaccess can handling this, I do search a lot's of related topics, but find no solution.
What I need is:
when my users visit my site: www.mysite.com
actually they got content from www.otherplace.com/folder1/folder2/folder3/page.html
I would like user's browser address shows: www.mysite.com or www.mysite.com/page.html also fine for me, but not show's anything about the site: www.otherplace.com....
page.html is just single page, tiddlywiki, :)
thank you. :)
If you are using apache this can be done with proxy.
Open /etc/apache2/mods-available/proxy.conf and add your's definition
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
ProxyPass / http://www.otherplace.com/folder1/folder2/folder3/page.html
ProxyPassReverse / http://www.otherplace.com/folder1/folder2/folder3/page.html
</IfModule>
I use similar configuration to host multiple services that listen on different ports (e.g. Jenkins, codebrag e.t.c) with on http each with their own directory e.g
ProxyPass /jenkins http://localhost:8080/jenkins
ProxyPassReverse /jenkins http://localhost:8080/jenkins
and the url is http://my.domain.com/jenkins/ instead of http://my.domain.com:8080/jenkins
Remember to restart apache sudo service apache2 restart or another equivalent
Rewrite is another option but IMO proxy is easier to set up although it's not so powerful.

Apache - How to protect virtualhost directive without htaccess

I would like to password protect port 2000 of a web server by embedding a location directive inside of the virtualhost directive of the apache config file. However it didn't prompt for a password as expected. This is what I had in the apache config file:
<VirtualHost *:2000>
ServerName www.server.com
ServerAdmin email
DocumentRoot /var/www/html
ErrorLog logs/server.com-error_log
<Location / >
AuthType Basic
AuthName "Security"
AuthUserFile /var/www/s2/.htpasswd-users
Require valid-user
</Location>
</VirtualHost>
A couple reasons why I think it didn't work:
I needed a corresponding NameVirtualHost *:2000 to go with the VirtualHost directive
I was using a reverse ssh tunnel on that port so ssh was catching it before the web server. The web server that the tunnel connected to did not have password protection.
So now my question is how to password protect the server at the end of the tunnel. It is a simple server and not capable of passwords. That's why I was hoping to protect access to it via the apache server.
AuthType only works inside or in a .htaccess file:
You have it inside a and that's the rease it isn't working.

Redirect a frontend URL to another backend webserver

I'm using a framework that uses a full-stack to display all its webpages. This runs standard on port 9000. Very fine, but when going into production, the server seems to block everything except a few standard ports.
So therefore, the framework (Play framework), advises you to do this in your front-end webserver (in my case Apache2).
file: play.conf
<VirtualHost *:80>
ServerName http://avon.ugent.be
CustomLog /var/www/log/proxy-access.log common
ErrorLog /var/www/log/proxy-error.log
ProxyPreserveHost On
DocumentRoot /var/www
<Location /dev/app>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile /var/trac/htpasswd
Require valid-user
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
</Location>
</VirtualHost>
This of course requires the mod_proxy module, that is being enabled with a2enmod mod_proxy. (I run this on a Debian distro)
The idea is to run two webservers, one front-end and one back-end with the application.
The reloading of the apache webserver works fine, the site is enabled and everything, but when I surf to the http://my.website.com/dev/app url, it renders a 404... Suggestions what's going wrong?
EDIT3:
After 10+ hours of trying it boils down to this:
I found the debugging command (finally :p) and this is the output:
apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server avon.ugent.be (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost avon.ugent.be (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost avon.ugent.be (/etc/apache2/sites-enabled/play.conf:1)
Syntax OK
Which indicates that the virtual server is indeed being added to the configuration.
But still, it renders a 404. Now, somewhere i've read that's because there is no index.html in that path. Is that necessary if you just want to use a reverse proxy?
For a start please try using Location instead of Directory. Directory is used for identifying directory paths on the filesystem not paths relative to the document root.
<Location '/dev/app'>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile /var/trac/htpasswd
Require valid-user
</Location>
Try the following. It should prompt for the username/password and then pass the request to http://127.0.0.1:9000. In my case, Apache gives a "Service Temporarily Unvavailable", which you should get as well if you turn off the application running on port 9000
<VirtualHost *:80>
ServerName my.website.com
<Location /dev/app>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile passwd/.htpasswd
Require valid-user
ProxyPass http://127.0.0.1:9000
ProxyPassReverse http://127.0.0.1:9000
</Location>
</VirtualHost>
If you still get a 404, can you confirm that it's not the backend server sending it?

Custom error page in Apache2 for 401

Here's the relevant part of the .htaccess file:
AuthUserFile /var/www/mywebsite/.htpasswd
AuthGroupFile /dev/null
AuthName protected
AuthType Basic
Require valid-user
ErrorDocument 400 /var/www/errors/index.html
ErrorDocument 401 /var/www/errors/index.html
ErrorDocument 403 /var/www/errors/index.html
ErrorDocument 404 /var/www/errors/index.html
ErrorDocument 500 /var/www/errors/index.html
Docuement root is set to /var/www/mywebsite/web, it's on of many vhosts. I can navigate to the index.html page.
All I'm seeing is the generic Apache 401 page, any thoughts.
EDIT: This is the error message in my browser:
Authorization Required
This server could not verify that you
are authorized to access the document
requested. Either you supplied the
wrong credentials (e.g., bad
password), or your browser doesn't
understand how to supply the
credentials required.
Additionally, a 401 Authorization
Required error was encountered while
trying to use an ErrorDocument to
handle the request. Apache/2.2.9
(Debian) PHP/5.2.6-1+lenny8 with
Suhosin-Patch Server at www.dirbe.com
Port 80
Make sure that /var/www/errors is readable by the apache user and include this in your apache configuration:
<Directory /var/www/errors>
Order allow,deny
Allow from all
</Directory>
ErrorDocument takes in a absolute URL path instead of a file path. So it should be:
ErrorDocument 404 /error/error.html
Assuming under your document root is a /error/error.html file.
This question (and answers and comments) helped me a bunch, thanks much!
I solved a slightly different way, and wanted to share. In this case, we needed to provide a custom 401 error document and the root path needed to be proxied to a backend app.
So, for example, http://example.com needed to serve content from http://internal-server:8080/. Also, http://example.com needed to be protected using Basic Auth with a custom 401 error document.
So, I created a directory named "error" in the DocumentRoot. Here's the relevant lines from the vhost:
ErrorDocument 401 /error/error401.html
# Grant access to html files under /error
<Location "/error">
Options -Indexes
Order Deny,Allow
Allow from all
</Location>
# restrict proxy using basic auth
<Proxy *>
Require valid-user
AuthType basic
AuthName "Basic Auth"
AuthUserFile /etc/apache2/.htpasswd
</Proxy>
# Proxy everything except for /error
ProxyRequests Off
ProxyPass /error !
ProxyPass / http://internal:8080/
ProxyPassReverse / http://internal:8080/

Use HTTP Auth only if accessing a specific domain

I've got several sites: example.com, example1.com, and example2.com. All of them point to my server's /public_html folder, which is my Apache root folder.
What do I need to add to my .htaccess file to use http authentication only if the user is coming from example2.com? example.com and example1.com should NOT use authentication.
I know I need something like
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
But I only want to require a password if the user is visiting example2.com.
Edit
Using an approach suggested in an answer, I have the following in my .htaccess file:
SetEnvIfNoCase Host ^(.*)$ testauth
<IfDefine testauth>
RewriteRule ^(.*)$ index2.php?q=$1 [L,QSA]
</IfDefine>
I know that the mod_setenvif.c module is enabled (I verified with an <IfModule> block), but it would appear that "testauth" is never getting defined, because my test to verify (redirecting to index2.php) is not executing (whereas it was getting executed in my <IfModule> block). Any ideas why?
How about something along the lines of this in the htaccess file in the document root:
# set the "require_auth" var if Host ends with "example2.com"
SetEnvIfNoCase Host example2\.com$ require_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This will make it so authentication is not required unless the host ends with example2.com (e.g. www.example2.com, dev.example2.com, etc). The expression can be tweaked if needed. Any other host will cause the require_auth var not to get set so authentication is not required. If this needs to be the other way around, the last line could be changed to: Allow from env=require_auth, removing the !.
Apache 2.4 offers a semantic alternative with the If directive:
<If "req('Host') == 'example2.com'">
AuthUserFile /path/to/htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
</If>
<Else>
Require all granted
</Else>
Here is one recommendation:
Create a file called common.conf and save in an accessible location
In this file place the Apache configuration common to all sites (hosts).
The remove the current single VirtualHost entry an replace with VirtualHost entries as follows:
# These are the password protected hosts
<VirtualHost *:80>
ServerName example.com
ServerAlias example1.com
Include /path-to-common-configuration/common.conf
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</VirtualHost>
# These are hosts not requiring authentication
<VirtualHost *:80>
ServerName example2.com
ServerAlias example3.com
Include /path-to-common-configuration/common.conf
</VirtualHost>
I wonder if DanH would be helped by an approach that allows access per IP address?
Something like
SetEnvIf Remote_Addr 1\.2\.3\.4 AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.ok\.com AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.also\.ok\.com AllowMeIn
and then in your Drupal "container"
Order Allow,Deny
Allow from env=AllowMeIn
should do the trick.
Any host that is "live" should be configured to "AllowMeIn", or else you have to come from a known IP address (ie you and other developers).
You shouldn't be putting per-vhost configuration into .htaccess. Instead, put the config block in the VirtualHost block in the proper config file in /etc/apache/sites-enabled/*.