Remove URL user credentials before passing to Reverse Proxy - Apache

I am trying to configure Apache as a reverse proxy with basic auth. The problem is that URL credentials should not be proxied to the service (http://localhost:8000).
For example: if the user accesses http://user:password@my-host.com, the URL credentials should not be passed like http://user:password@localhost:8000; it should be just http://localhost:8000
The conf file:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ProxyRequests off
<Location />
AuthType Basic
AuthName "namex"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
ProxyPass http://localhost:8000/
Order allow,deny
Allow from all
RequestHeader set Authorization "Basic base64userpass"
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How should I do that?
Thanks!
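
An added example, not part of the original post: one way to get this behaviour on Apache 2.4, assuming mod_headers, mod_proxy_http and mod_auth_basic are enabled. Clients turn `user:password@host` URL credentials into an `Authorization: Basic` header, so that header is what has to be dropped once Apache has checked it; the `ProxyPassReverse` line is an addition that was not in the posted config.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ProxyRequests Off

    <Location "/">
        # Apache validates the client's credentials against the htpasswd file.
        AuthType Basic
        AuthName "namex"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user

        # mod_headers applies RequestHeader in the fixup phase by default,
        # which runs after authentication and authorization. The header is
        # therefore checked by mod_auth_basic first and removed only from the
        # request that is forwarded to the backend.
        RequestHeader unset Authorization

        # Caveat: a vhost-level "RequestHeader unset Authorization early"
        # would strip the header before mod_auth_basic sees it, and every
        # request would be answered with 401.

        ProxyPass http://localhost:8000/
        ProxyPassReverse http://localhost:8000/
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

The posted `RequestHeader set Authorization "Basic base64userpass"` does the opposite: it sends one fixed credential to the backend on every proxied request.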

Related

SOLVED: How to configure Apache2 with Reverse Proxy. Map an internal website to a folder of another (public) website on the same server

I have built a SPA and deployed it to my server. It is running on http://my-server:3000.
I then installed Apache2 and created a static page. This website is on the same server http://my-server:80 and is open to the Internet via a My-domain.
What I'm trying to accomplish now is to add a link on this static page (http://my-server/foo) which is redirected to http://my-server:3000 in such a way that the here deployed SPA can be run from this sub-folder.
I configured a new Virtual host in Apache2 with the following configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName My-domain
ProxyRequests Off
ProxyHTMLEnable On
ProxyHTMLExtended Off
ProxyPreserveHost On
ProxyPass /foo/ http://my-server:3000/
<Location /foo/>
ProxyHTMLURLMap / /foo/
ProxyPassReverse http://my-server:3000/
SetOutputFilter INFLATE;DEFLATE
</Location>
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Although the SPA is accessed and all the files are loaded, the application will not start due to the error "No match for URL in routes". I think it is due to the fact that the SPA is built to run in the root of a website and I'm now trying to run it in a sub-folder.
Does anyone know if this is possible? A solution would be appreciated much :-)
I found a solution which works for me :-)
Since I can use any prefix before My-domain like foo.My-domain, just found out recently, I changed the configuration for my Virtual host to this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName foo.My-domain
ProxyRequests Off
ProxyHTMLEnable On
ProxyHTMLExtended Off
ProxyPreserveHost On
ProxyPass / http://my-server:3000/
<Location />
ProxyPassReverse http://my-server:3000/
SetOutputFilter INFLATE;DEFLATE
</Location>
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
And because my SPA now is allowed to run in the root of a website it is working. :-)

Basic auth only for specific directory

I have a small environment where I have 3 services on one server and I want to put all three behind a reverse proxy.
Prometheus server running on port 9090
Prometheus Alert manager running on port 9093
Grafana running on port 3000
My current configuration is below
<VirtualHost *:80>
ServerName metrics.example.com
Redirect permanent / https://metrics.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName metrics.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl.crt/example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/example.key
ErrorLog /var/log/apache2/metrics.example.com-error_log
CustomLog /var/log/apache2/metrics.example.com-access_log combined
<Location "/">
ProxyPreserveHost On
ProxyPass http://localhost:9090/
ProxyPassReverse http://localhost:9090/
</Location>
<Location "/alertmanager/">
ProxyPreserveHost On
ProxyPass http://localhost:9093/
ProxyPassReverse http://localhost:9093/
</Location>
<Location "/grafana/">
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
# <Proxy *>
# AuthType Basic
# AuthName "Restricted Content"
# AuthUserFile /etc/apache2/.htpasswd
# Require valid-user
# </Proxy>
</VirtualHost>
For now everything works, but Prometheus and Alertmanager don't have their own auth; Grafana does. If I uncomment the section, Grafana stops working. The goal is to protect both Prometheus and Alertmanager with basic auth but not the Grafana instance.
Is it possible (and how) to protect root ("/") directory and /alertmanager subdirectory but with omitting /grafana subdirectory in single vhost?
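
An added example, not part of the original post: one way to protect `/` and `/alertmanager/` while exempting `/grafana/` in a single vhost, assuming Apache 2.4 with mod_headers enabled. Hosts, ports and file paths are the ones from the question; the `Require all granted` and `RequestHeader unset Authorization` lines are the additions.

```apache
<VirtualHost *:443>
    ServerName metrics.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/example.key

    # Prometheus: everything under / requires a valid user. Later sections
    # that carry no Require of their own (such as /alertmanager/) inherit
    # this requirement.
    <Location "/">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
        ProxyPreserveHost On
        ProxyPass http://localhost:9090/
        ProxyPassReverse http://localhost:9090/
    </Location>

    <Location "/alertmanager/">
        ProxyPreserveHost On
        ProxyPass http://localhost:9093/
        ProxyPassReverse http://localhost:9093/
    </Location>

    # Grafana: this later, more specific section replaces the inherited
    # Require (AuthMerging defaults to Off), so Apache asks for no password.
    <Location "/grafana/">
        Require all granted
        # A browser that already authenticated at / may keep sending that
        # Basic header here; drop it so Grafana does not try to validate it.
        # Assumption: Grafana users sign in through Grafana's own login form.
        RequestHeader unset Authorization
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPreserveHost On
        ProxyPass http://localhost:3000/
        ProxyPassReverse http://localhost:3000/
    </Location>
</VirtualHost>
```

Unlike the commented-out `<Proxy *>` block, which applies to every proxied request including Grafana's, the authentication here is scoped by URL path.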

APACHE AUTH PROXY FOR QUESTDB

I want to configure an Apache auth proxy for access to QuestDB, which does not have an authentication system. I am trying it on a VM first.
I made a very simple configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
ProxyRequests Off
</VirtualHost>
I configured my QuestDB with a bind address http://127.0.0.1:9000.
When I go to http://myipadress and give my Apache authenticated user, I have:
Bad request
refresh
Content without CSS
refresh
Bad request
refresh
QuestDB opened
refresh
and looping like this forever.
Any idea ?
When I just set the ProxyPass / ProxyPassReverse lines, I got the same phenomenon.
I have enabled my Apache server mods : proxy_http, proxy, rewrite and cache and the default ones that are enabled.
The below config is working for me. I think the difference is I am not using a DocumentRoot.
<VirtualHost *:80>
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyRequests Off
ServerName 127.0.0.1:80
ServerAlias localhost
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>

Configure apache to redirect url to another host

Configuration: I have 2 virtual machines:
VM1: accessible from browser with https://vm1.com
VM2: accessible from browser with 10.200.200.200:8088
What I want to do:
==> If the user will enter this url: https://vm1.com/dashboard
==> The flow will be redirected to 10.200.200.200:8088
What I try to do:
<VirtualHost *:80>
ServerAdmin me@mydomain.com
DocumentRoot /var/www
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /dashboard http://10.200.200.200:8088/
ProxyPassReverse /dashboard http://10.200.200.200:8088/
<Directory /var/www/>
Options +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Problem:
This solution works only if the incoming url is /dashboard. If the incoming url is /dashboard/login, the redirect failed.

Remove basic authentication header with apache mod proxy

I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.
Make sure mod_headers is enabled. An example config:
<VirtualHost *:80>
ServerName something.example.com
ServerAdmin admin@example.com
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes On
KeepAlive Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /etc/apache2/passwd
Require valid-user
</Location>
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/
ProxyPassReverse / http://localhost:5984/
ErrorLog /var/log/apache2/something.example.com-error_log
CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>
I just had the same problem with Apache in front of another Java server trying to do basic auth. Adding the following to my Apache config seemed to fix it:
RequestHeader unset Authorization