Apache VirtualHost with authentication, websockets - apache

I'm running a Spotify server on my Raspberry Pi at my school's robotics shop. It's on the school wifi network and it's accessed through a webpage http://localhost:6680. I wanted to add basic HTTP authentication (username/password) because people were being malicious, so I'm using an Apache VirtualHost as a proxy with basic authentication.
In addition, the webserver requires WebSockets to function through the same port. I successfully set up a VirtualHost file and it's working fine... except it's not working on Safari or iOS. After looking in the console, all WebSocket requests in Safari are returning a 401 error:
WebSocket connection to 'ws://XX.XXX.XX.XXX/iris/ws/' failed: Unexpected response code: 401
After looking into this more, apparently it's a known bug with Safari. Here's the VirtualHost file:
<VirtualHost *:80>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy *>
Allow from all
</Proxy>
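# Reverse proxy only: ProxyRequests On together with "Allow from all" in <Proxy *> lets any client use this server as an open forward proxy
ProxyRequests Off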
ProxyPass /mopidy/ws/ ws://localhost:6680/mopidy/ws/
ProxyPassReverse /mopidy/ws/ ws://localhost:6680/mopidy/ws/
ProxyPass /iris/ws/ ws://localhost:6680/iris/ws/
ProxyPassReverse /iris/ws/ ws://localhost:6680/iris/ws/
<Location />
ProxyPass http://localhost:6680/
ProxyPassReverse http://localhost:6680/
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
</VirtualHost>
Is there any way we can simply remove authentication for just the websockets but not for the webpage? Considering how this is structured, that should be the case, but it isn't. Thanks!

I don't know much about WebSockets, but I do know that you should always declare the VirtualHost port you are listening to if you want to separate traffic.
Try to do so by adding two different VirtualHosts in the same configuration:
<VirtualHost *:80>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/">
AllowOverride All
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
From now on I can't help further:
<VirtualHost *:6680>
somethingsomethingsomething
</VirtualHost>
Update
Traffic different from :80 is blocked in your school, I guess.
I can suggest a more radical approach which is banning all traffic from Safari (both desktop and mobile).
You can modify the config by adding a redirect to a courtesy page like "your browser is not supported".
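<Location />
# Chrome and most other WebKit/Blink browsers also send "Safari" in their User-Agent, so this pattern matches them too
SetEnvIfNoCase User-Agent "Safari" bad_browser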
Deny from env=bad_browser
</Location>

Make sure you are proxying over your websockets if needed. They might look something like this:
ProxyPass /socket.io http://localhost:6680/socket.io
ProxyPassReverse /socket.io http://localhost:6680/socket.io

Try the following, as described here:
#In your case it will be like this:
<LocationMatch /(iris|mopidy)/ws>
Allow from all
</LocationMatch>
Update: Please be aware this rule is too wide, as you can see.
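One way to scope the WebSocket exemption discussed in the answers above, written in Apache 2.4 syntax as an added example (it is not taken from any of the posts). It assumes mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_host are loaded; the 192.0.2.0/24 range is a placeholder for the local network.

```apache
<VirtualHost *:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Reverse proxy only. With ProxyRequests On the server acts as a forward
    # proxy and fetches arbitrary URLs on behalf of clients.
    ProxyRequests Off

    # ProxyPass rules are checked in order and the first match wins, so the
    # specific WebSocket mappings go before the catch-all "/" mapping.
    ProxyPass        /mopidy/ws/ ws://localhost:6680/mopidy/ws/
    ProxyPass        /iris/ws/   ws://localhost:6680/iris/ws/
    ProxyPass        /           http://localhost:6680/
    ProxyPassReverse /           http://localhost:6680/

    # Default for every path: a valid username and password.
    <Location />
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    # This section comes later in the file, so its Require replaces the
    # inherited "Require valid-user" (AuthMerging defaults to Off).
    # Only the two socket paths skip the password, and only for clients in
    # the listed range. 192.0.2.0/24 is a placeholder, not a real value.
    <LocationMatch "^/(iris|mopidy)/ws/">
        Require ip 192.0.2.0/24
    </LocationMatch>
</VirtualHost>
```

Any client inside the allowed range can still reach the two socket endpoints without a password, so the range should be as narrow as the network allows. Basic credentials sent to port 80 travel unencrypted.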

Related

APACHE AUTH PROXY FOR QUESTDB

I want to configure an Apache auth proxy for access to QuestDB, which does not have an authentication system. I am trying it on a VM first.
I made a very simple configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
ProxyRequests Off
</VirtualHost>
I configured my QuestDB with a bind address http://127.0.0.1:9000.
When I go to http://myipadress and give my Apache authenticated user, I get:
Bad request
refresh
Content without CSS
refresh
Bad request
refresh
QuestDB opened
refresh
and looping like this forever.
Any idea?
When I set just the ProxyPass / ProxyPassReverse lines, I get the same phenomenon.
I have enabled these Apache server mods: proxy_http, proxy, rewrite and cache, plus the default ones that are enabled.
The below config is working for me. I think the difference is I am not using a DocumentRoot.
<VirtualHost *:80>
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyRequests Off
ServerName 127.0.0.1:80
ServerAlias localhost
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>

Apache 2.4 reverse proxy setup cannot impose basic authentication

I have Apache 2.4 set up, and when visiting any Apache-served web site basic authentication works great.
Now I have one more webserver running from another service at port 8000, and I wanted to set up Apache as a reverse proxy, hoping that it can also impose and handle basic authentication there as well... but instead of asking for user and password it just serves the website unprotected.
My setup is:
<VirtualHost *:8000>
ProxyPreserveHost On
ProxyPass / http://192.168.0.101:8000/
ProxyPassReverse / http://192.168.0.101:8000/
<Location />
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
What am I doing wrong?
Update:
Solution found via the marked answer:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
Also make sure that Apache is configured to listen on that port and, if the proxied server is local, that it is not running on the same port as the one Apache listens on.
The problem is that Apache doesn't 'link' Proxypass / http://example.com and <Location /> - even though they both try to work with /. This means that Proxypass is handling requests for '/' first, and the Location section is never being used.
You need to move the Proxy config inside the Location, dropping the path, e.g.:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>

changing base url displayed

Here is my setup: I'm using 1 server to accept connections externally, which then redirects to one of my two websites. I am currently trying out a reverse proxy. When I try to access www.example1.com I can successfully load the site, but when I go to my pages, my URL displays x.x.x.1/page; what I want is www.example1.com/page. I have also been reading .htaccess notes, but have not yet tried any of it. I need suggestions on how to solve this.
Additional: my 2 websites are on different servers.
If anyone experiences a setup similar to mine, here is what I did:
<VirtualHost *:80>
DocumentRoot "\x.x.x.x\var\www\example1"
ServerName www.example1.com
ServerAlias example1.com
<Proxy *>
AllowOverride All
Order deny,allow
Allow from all
</Proxy>
<Location / >
ProxyPreserveHost On
ProxyPass "http://x.x.x.x/"
ProxyPassReverse "http://x.x.x.x/"
</Location>
</VirtualHost>

Apache VirtualHost subdomain forwarding to Mercurial cgi script

I need to hook up my Mercurial server cgi script through an Apache VirtualHost subdomain along with authorization.
My apache is running on 80 and 91.
Apache is serving Mercurial through
C:\wamp\bin\apache\Apache2.2.21\cgi-bin\hgweb.cgi
and is accessible through
http://my.com/cgi-bin/hgweb.cgi
and
http://localhost/cgi-bin/hgweb.cgi
All well and good, it serves perfectly there. My target is to subdomain it as:
http://hg.my.com/
with no trailing cgi-bin/hgweb.cgi
I have gotten the following URL to work with the config given below:
http://hg.my.com/cgi-bin/hgweb.cgi
... but it doesn't access the css and images properly (unlike above perfect service)
My config so far:
ScriptAlias /hg "/cgi-bin/hgweb.cgi"
<VirtualHost *:80>
ServerName hg.my.com
ServerAlias hg.my.com
#ScriptAlias / "/cgi-bin/hgweb.cgi"
# <Directory />
# Order Deny,Allow
# Allow from all
# </Directory>
# ProxyPass /stylesheets !
# ProxyPass /javascripts !
# ProxyPass /images !
ProxyPassMatch ^.*/static(/.*\.css)$ http://localhost:91/cgi-bin/hgweb.cgi/static/$1
ProxyPassMatch ^.*/static(/.*\.js)$ http://localhost:91/cgi-bin/hgweb.cgi/static/$1
ProxyPassMatch ^.*/static(/.*\.png)$ http://localhost:91/cgi-bin/hgweb.cgi/static/$1
ProxyPassMatch ^.*/static(/.*\.gif)$ http://localhost:91/cgi-bin/hgweb.cgi/static/$1
ProxyPreserveHost On
ProxyPass / http://localhost:91/cgi-bin/hgweb.cgi
ProxyPassReverse / http://localhost:91/cgi-bin/hgweb.cgi
<Proxy *>
#DirectoryIndex hgweb.cgi
#ScriptAlias / /hgweb.cgi
# # Order Allow,Deny
# # Allow from all
Order Deny,Allow
Allow from 127.0.0.1
AuthUserFile C:\wamp\.htpasswd
AuthName "Please Log In"
AuthType Basic
require user admin
require user dev
</Proxy>
</VirtualHost>
Obviously I am using the time honored google-trial-and-error approach and am out of my depth here.
Thus, my energetic ego's mindless determination for self-reliance, which otherwise seems to serve so well, now exhausted and filled with animosity toward the problem at hand -- brings me here, hat in hand, to ask:
"Brother, can you spare a dime?"
Why run Apache on both 80 and 91? Is 91 just to serve up the static content? Unless I'm missing one of your requirements you should be able to do whatever you need with something like this:
<VirtualHost *:80>
ServerName hg.my.com
ScriptAlias / "/cgi-bin/hgweb.cgi"
<Location />
Order Deny,Allow
AuthUserFile C:\wamp\.htpasswd
AuthName "Please Log In"
AuthType Basic
require user admin
require user dev
</Location>
</VirtualHost>
You shouldn't need a proxy, or separate rules for static (Mercurial will serve them up just fine).
Just put a slash after the script:
ScriptAlias /hg "/cgi-bin/hgweb.cgi/"

Remove basic authentication header with apache mod proxy

I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.
Make sure mod_headers is enabled. An example config:
<VirtualHost *:80>
ServerName something.example.com
ServerAdmin admin@example.com
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes On
KeepAlive Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /etc/apache2/passwd
Require valid-user
</Location>
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/
ProxyPassReverse / http://localhost:5984/
ErrorLog /var/log/apache2/something.example.com-error_log
CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>
I just had the same problem with Apache in front of another Java server trying to do basic auth; adding the following to my Apache config seemed to fix it:
RequestHeader unset Authorization