Basic auth only for specific directory - apache

I have a small envirnment where I have 3 services on one server and I want to put all three behind a reverse proxy.
Prometheus server running on port 9090
Prometheus Alert manager running on port 9093
Grafana running on port 3000
My current configuration is below
<VirtualHost *:80>
ServerName metrics.example.com
Redirect permanent / https://metrics.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName metrics.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl.crt/example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/example.key
ErrorLog /var/log/apache2/metrics.example.com-error_log
CustomLog /var/log/apache2/metrics.example.com-access_log combined
<Location "/">
ProxyPreserveHost On
ProxyPass http://localhost:9090/
ProxyPassReverse http://localhost:9090/
</Location>
<Location "/alertmanager/">
ProxyPreserveHost On
ProxyPass http://localhost:9093/
ProxyPassReverse http://localhost:9093/
</Location>
<Location "/grafana/">
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
# <Proxy *>
# AuthType Basic
# AuthName "Restricted Content"
# AuthUserFile /etc/apache2/.htpasswd
# Require valid-user
# </Proxy>
</VirtualHost>
For now everything works, but Prometheus and Alertmanager don't have own auth, Grafana does. If I uncomment section Grafana stops working. The goal is to protect both Prometheus and Alertmanager with basic auth but not the Grafana instance.
Is it possible (and how) to protect root ("/") directory and /alertmanager subdirectory but with omitting /grafana subdirectory in single vhost?

Related

APACHE AUTH PROXY FOR QUESTDB

I want to configure an apache Auth proxy for access to QuestDB that does not have Authentication system. I try it to VM in a first time.
I made a very simple configuration:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
ProxyRequests Off
</VirtualHost>
I configured my QuestDB with a bind adress http://127.0.0.1:9000.
When I go to http://myipadress and give my Apache authentified user, I have :
Bad request
refresh
Content without CSS
refresh
Bad request
refresh
QuestDB opened
refresh
and looping like this forever.
Any idea ?
When I just set the ProxyPass / ProxyPassReverses lines, I got the same phenomenom.
I have enabled my Apache server mods : proxy_http, proxy, rewrite and cache and the default ones that are enabled.
The below config is working for me. I think the difference is I am not using a DocumentRoot.
<VirtualHost *:80>
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyRequests Off
ServerName 127.0.0.1:80
ServerAlias localhost
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>

Apache proxypass https to https

here is what I tired to do:
browser -internet-> https(Apache proxypass)-intranet->(Apache https)
both Apaches are installed the ssl certs.(startssl wide card,not self-signed)
Apache error log:
[client 192.168.2.157] SSL Proxy requested for test.xxx.com:443 but not enabled [Hint: SSLProxyEngine]
[error] proxy: HTTPS: failed to enable ssl support for 192.168.2.157:443 (test.xxx.com)
Then I tried use apache(on the internet) proxy to https://google.com
and the error log is the same.
However,https to http works.
browser -internet-> https(Apache proxypass)-intranet->(Apache http)
My config:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/xxx_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxx_com.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / https://2w.xxx.com/
ProxyPassReverse / https://2w.xxx.com/
ServerName test.xxx.com
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ErrorLog "/var/log/apache2/error-ssl.log"
</VirtualHost>
OR:
<VirtualHost *:443>
ProxyPass / https://google.com/
ProxyPassReverse / https://google.com/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/xxx_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxx_com.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
ServerName test.xxx.com
</VirtualHost>
Seems like it's not possible for apache to handle https to https?
if apache does not support this how about nginx?
You should set "SSLProxyEngine On". The following is my example that may give you any idea.
<VirtualHost *:443>
SSLEngine On
SSLProxyEngine On
ServerName my.example.com:443
SSLCertificateFile "${SRVROOT}/conf/ssl/example.pem"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/example.key"
ErrorLog "|bin/rotatelogs.exe -l /var/logs/apache/example/error.%Y-%m-%d.log 86400"
CustomLog "|bin/rotatelogs.exe -l /var/logs/apache/example/ssl_request.%Y-%m-%d.log 86400" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyRequests Off
ProxyPass / https://www.google.com/
<Location />
ProxyPassReverse /
Options FollowSymLinks
Require all granted
</Location>
</VirtualHost>

502 Proxy Error - MeteorJS on Apache

I am new to Meteor, and I have an existing server that is hosting a few websites (CentOS). I use Apache to serve the sites and wanted to have a Meteor app running on a subdomain.
Here is what I have for the Meteor site in httpd.conf:
<VirtualHost *:80>
ServerName www.subdomain.domain.net
ServerAlias subdomain.domain.net
DocumentRoot /var/www/my_meteor_directory/testapp
ProxyRequests Off
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:3000
ProxyPassReverse / http://127.0.0.1:3000
</VirtualHost>
I also have this at the bottom of my httpd.conf file:
<Proxy *>
Allow from 127.0.0.1
</Proxy>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:3000/$1$2
I set the app to run on port 3000 and when I try to hit it in the browser (subdomain.domain.net) I get these 502 errors:
Any suggestions?
Try this...
<VirtualHost *:80>
ServerName meteorapp.example.com
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
</VirtualHost>
then reload the server

Can we allow unsecure websocket(ws://) over https protocol?

I have already tried using ws:// over https in firefox using some flag configuration. Is there any way to enable this configuration in IE 10 . May be by adding some reg entry it can be done but i don't know exactly which key vale to edit?
I have configured my https using apache httpd service. Which routes to my play portal URL. Is there any setting/config extra i am missing. Here is my httpd configuration:
<VirtualHost *:80>
ServerName myhost
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/ssl/certs/my.crt
SSLCertificateKeyFile /etc/ssl/private/my.key
ProxyRequests on
ProxyPreserveHost off
<Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
#ProxyPass /excluded !
ProxyPass / http://host-to-route:9701/
ProxyPassReverse / http://host-to-route:9701/
</VirtualHost>
Please suggest.
Thanks,
Sohan

Issues Setting up a reverse proxy in Apache

My roommate and I each have a separate webserver we are trying to set up. We are trying to use mod_proxy so that his server will forward requests to my machine (we have two seperate machines behind one router) based on the server name. I've given the basics of what we have in our apache config currently but we are getting a 403 Forbidden error when trying to access the second domain (the first, www domain, works fine).
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/www
ServerName www.<domain1>.com
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://<IP addr of other box>:80
ProxyPassReverse / http://<IP addr of other box>:80
ServerName <dummydomain>.gotdns.com
</VirtualHost>
Your mods-enabled/proxy.conf might be blocking any proxy requests (it's deny all by default). It should include the following instead:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
EDIT: Also make sure that the mod_proxy submodules are sym linked into mods-enabled (in this case, the http sub module which is mods-available/proxy_http.load)
Just put both routes:
<VirtualHost *:80>
DocumentRoot "/app/"
ProxyPreserveHost On
ProxyRequests Off
ServerName app.yourdomain.com
ProxyPass /app http://yourIP:yourPort/app/
ProxyPassReverse /app http://yourIP:yourPort/app/
ProxyPass / http://yourIP:yourPort/app/
ProxyPassReverse / http://yourIP:yourPort/app/
</VirtualHost>
<Location "/app/" >
ProxyPass "http://yourIP:yourPort/app/"
ProxyPassReverse "http://yourIP:yourPort/app/"
ProxyPassReverseCookiePath "/app/" "/app/"
ProxyHTMLEnable Off
ProxyHTMLExtended On
ProxyHTMLURLMap "/app/" "/app/"
Order allow,deny
Allow from all
</Location>
This worked form me