So i have an apache forward proxy setup like this:
<VirtualHost *:8080>
AddRadiusAuth **radius server ip**:1812 **secret** 5:3
ProxyRequests On
ProxyVia On
AllowConnect 443 5601
<Proxy "*">
Order Deny,Allow
Allow from all
AuthType Basic
AuthName "Please Enter Your JumpCloud Credentials"
AuthBasicAuthoritative Off
AuthRadiusAuthoritative on
AuthBasicProvider radius
AuthRadiusActive On
Require valid-user
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
now whenever a user tries to connect to the radius server he is allowed to login without any issues, BUT, the user gets this message when trying to login:
this image shows what the user sees when he tries to login using his radius credentials
Now that is not exactly safe because since the proxy connection is not private if anyone is eavesdropping on the connection the attacker can see the user and pass and eventually hack our systems.
How can i make the connection private and secured. I tried enabling SSL module and using a certificate file using these
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/vpn.crt
SSLCertificateKeyFile /etc/apache2/ssl/vpn.key
outside of the proxy tags but that didnt work, if i put them inside the proxy tags i get an error saying that they're not allowed to be there, so what am i missing here?
Any help or guidance is greatly appreciated.
Regards!
Related
I am using this config with apache 2.4.53 and declaring a reverse proxy for 2 different domains, each with an identical config as shown.
<VirtualHost *:443>
ServerName www.example.com
SSLProxyEngine on
ProxyPreserveHost On
<Location "/">
Require all granted
ProxyPass http://192.168.163.10/
ProxyPassReverse http://192.168.163.10/
</Location>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/vhosts/certs/cert.pem
SSLCertificateKeyFile /etc/httpd/conf/vhosts/certs/privkey.pem
SSLCertificateChainFile /etc/httpd/conf/vhosts/certs/fullchain.pem
</VirtualHost>
The request is going down to a target server using apache 2.2.22.
There www.example.com is declared as <VirtualHost *:80>.
The content of the website delivered is shown and https is used. Nevertheless I am facing problems using the CMS-interfaces (two different CMSes) the target is providing. Both let me log in successfully but one (silverstripe) is not showing the admin interface at all, the other (modx) is showing it but if I like to save my content it will display ...saving... all the time but won't save at all. Both is working with reverse proxy when the <VirtualHost *:80> at the RP is listening http.
Maybe my general understanding about RP is wrong. Is it okay to define it like I did and hope to get a valid https connection? It is obvious that the last step (RP-> target) is not encrypted, so maybe this is a no-go?
If it is a valid config has anyone got an idea why (maybe cookies?) this behaviour appears?
Any help is very welcome.
Thanks.
I have two application one runs on Apache server, and other one is running on Windows/IIS.
By using VPN I can connect with my first which is running on Apache but I am unable to access my other application which is hosted on Windows/IIS Server.
So I want to use reverse proxy for accessing the application which is running on Windows/IIS Server.
Apache Server ip http://10.101.9.111
Window IIS Server ip http://10.101.9.112
So what I really want that when in enter http://10.101.9.111/hrms the url automatically load application which is actually available and running on http://10.101.9.112/hrms.
I have made changes in apache httpd.conf file.
ProxyRequests Off
ProxyPreserveHost On
<Proxy /hrms>
Order deny,allow
Allow from all
</Proxy>
<Location /hrms>
Order deny,allow
Allow from all
ProxyPass http://10.100.6.119/hrms/
ProxyPassReverse http://10.100.6.119/hrms/
RequestHeader unset Authorization
AuthType Basic
AuthName "businessHr"
AuthBasicProvider file
AuthUserFile c:\tmp\users
Require valid-user
</Location>
I'm new to apache so sorry if this is a newbie question. I have a reverse proxy set-up (and working) with the following code which includes a working authentication:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ProxyPass /PIZZA/ http://localhost:3636/PIZZA/
ProxyPassReverse /PIZZA/ http://localhost:3636/PIZZA/
ProxyPreserveHost On
<Location /PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
The above authentication is working if I go do my /PIZZA/ url.
However, if I type in the source IP address for the same url (ex: 192.168.1.11:3636/PIZZA/) the webpage loads without the need for authentication.
My question, is there a way to authenticate the specific source ip address? Something like the following (which doesn't work)?
<Location http://192.168.1.11:3636/PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
Any help would be very much appreciated. Thanks!
In the 2nd case, you're not even accessing Apache, so no Apache configuration is going to make any difference. If you want the backend server to only accept connections from your proxy server, you'll have to configure the backend server appropriately (or count on it being inaccessible over TCP)
Thanks for the responses. It was probably a rookie error trying to do the second authentication.
Arkascha - your answer pointed me in the right direction and I got it to work. I essentially just blocked access to the port in the firewall and that worked.
I would have never figured this out without your pointing me in the right direction so thanks!
Behaviour:
1) I access the site, enter the userID/password that's required for the site
2) The site starts to load, but when the request is made to the WMS layers being served from the GeoServer ->
3) I get a second login-prompt that only accepts users(in this case the admin user) for the GeoServer.
Obviously,
Point 3 shouldn't be happening because i can access the WMS-requests "standalone" without logging in, so I think that the Geoserver is correctly configured.
The apache-config is as follows:
<VirtualHost *:80>
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
</VirtualHost>
Any ideas why the site asks for the second login-prompt, regarding the geoserver?
This may be similar to an issue my team has had. If you add the same username and password combination as your apache user to your geoserver setup then it should stop prompting for the login.
Geoserver users.xml can be found in /data/security/usergroup/default/users.xml
Or i think you can do it through the geoserver backend.
I am creating a cluster of tile servers for a client application, due to bandwidth costs we would like to add some sort of authentication to the mod_tiles module in apache. I would prefer a app token using either oauth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
First thing I've done is disabled mod_tile over insecure connection. This is necessary because basic authentication has no encryption and asking users' login/password over insecure connection is a generally bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin#example.com
# Standard dir connfiguration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
Additionally to that, I would also recommend to use fail2ban to monitor basic authentication attempts, because apache itself has no brute-force attack protection. Hope this helps!