Apache: Authentication before proxying - apache

I have a VM with an application running on it. It doesn't support password protection. I connect to it like sub.domain.com:6000 (redirecting port 6000 to port 80 of the VM).
So I would like to use Apache as a proxy with authentication.
My VirtualHost config:
<VirtualHost *:*>
DocumentRoot /var/www/html/
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass "/" "http://127.0.0.1:5000/"
ProxyPassReverse "/" "http://127.0.0.1:5000/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It redirects me, but there is no password protection.
What's wrong?

The <Directory> directive is used to enclose a group of directives that will apply only to the named directory, sub-directories of that directory, and the files within the respective directories. A proxied server is none of that, so you have to use the <Location> directive, which limits the scope of the enclosed directives by URL:
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
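As an added illustration (not the answerer's config), here is the asker's VirtualHost rewritten so that authentication is scoped by URL and therefore runs before the request is handed to mod_proxy. It assumes the proxy listens on *:80, the backend is http://127.0.0.1:5000/ and the password file is /etc/apache2/.htpasswd, as in the question; the ServerName and the optional mod_headers line are assumptions.

```apache
# Added example: Basic auth applied to the URL space of a reverse proxy.
# Assumptions: listener *:80, backend http://127.0.0.1:5000/, htpasswd file
# at /etc/apache2/.htpasswd, ServerName sub.domain.com.
<VirtualHost *:80>
    ServerName sub.domain.com

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # <Location> matches the request URL, so it applies to proxied requests.
    # A <Directory> block never matches here: a proxied request maps to no
    # filesystem path, so its auth directives are simply skipped.
    <Location "/">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user

        # Optional (needs mod_headers): once authentication has succeeded,
        # drop the Authorization header so the proxy's credentials are not
        # forwarded to the backend. RequestHeader runs in the fixup phase by
        # default, i.e. after authentication, so this does not break login.
        RequestHeader unset Authorization
    </Location>

    ProxyPass "/" "http://127.0.0.1:5000/"
    ProxyPassReverse "/" "http://127.0.0.1:5000/"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

To verify, `curl -I http://sub.domain.com/` should now return 401 with a `WWW-Authenticate: Basic` header, and `curl -I -u user:pass http://sub.domain.com/` should return the backend's response; the backend's own access log should show no Authorization header when the unset line is in place.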

Example to support both SAML and OpenIDC

I have a requirement to support both OIDC (openidc) and Mellon (SAML) in our application. We have created two apps in Okta for testing the flow.
OIDC App
SAML App
httpd.conf looks something like this:
<IfModule mod_ssl.c>
<Location />
MellonVariable "cookie"
MellonEnable "auth"
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
MellonSPCertFile /etc/apache2/saml/mellon.crt
MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
</Location>
<VirtualHost _default_:443>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
OIDCScope "openid email profile"
OIDCClientID "xxxx"
OIDCClientSecret "xxxxx"
OIDCCryptoPassphrase "xxxx"
OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
OIDCRedirectURI "https://apachesso.example.com/callback"
OIDCResponseType "code"
<Location /uliya>
<If "%{REQUEST_URI} =~ /callback=/">
AuthType openid-connect
Require valid-user
</If>
<Else>
AuthType "Mellon"
Require valid-user
MellonEnable "auth"
</Else>
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /uliya>
AuthType openid-connect
require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
<Location /transport>
AuthType "Mellon"
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
</IfModule>
The goal is that a request to https://apachesso.example.com/uliya should go through the openid-connect auth flow and a request to https://apachesso.example.com/transport should go through the Mellon flow.
However, with the above configuration all request authentication goes to the Mellon plugin by default and the config below doesn't take effect.
<Location /uliya>
AuthType openid-connect
Require valid-user
</Location>
Is it possible to get both these plugins to work together?
Just don't use any authentication directives on "/", but use mod_auth_openidc directives on "/uliya" (including setting OIDCRedirectURI to "/uliya/redirect_uri") and use mod_mellon directives only on "/transport".
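The layout the answer describes, written out as an added example (it is not the original poster's or the answerer's config): nothing authenticates "/", mod_auth_openidc is enabled only under /uliya with its redirect URI inside that path, and mod_auth_mellon is enabled only under /transport. Host name, certificate paths, OIDC settings and Mellon key/metadata paths are copied from the question; moving the Mellon endpoint path under /transport and the ServerName are assumptions.

```apache
# Added example: mod_auth_openidc and mod_auth_mellon side by side, each
# scoped to its own URL prefix. Nothing on "/" turns either module on.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName apachesso.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key

    # mod_auth_openidc server-level settings. These configure the client but
    # do not protect anything by themselves; AuthType does that per Location.
    OIDCScope "openid email profile"
    OIDCClientID "xxxx"
    OIDCClientSecret "xxxxx"
    OIDCCryptoPassphrase "xxxx"
    OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
    OIDCResponseType "code"
    # The redirect URI must lie inside the OIDC-protected path so the callback
    # is handled by mod_auth_openidc and never reaches Mellon.
    OIDCRedirectURI "https://apachesso.example.com/uliya/redirect_uri"

    # Deliberately no AuthType and no MellonEnable on "/".

    <Location "/uliya">
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location "/transport">
        AuthType Mellon
        MellonEnable "auth"
        MellonVariable "cookie"
        # Keep the Mellon endpoints under the Mellon-enabled path (assumed
        # value; the SP metadata registered at the IdP must match it).
        MellonEndpointPath "/transport/mellon/"
        MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
        Require valid-user
    </Location>
</VirtualHost>
</IfModule>
```

Because both the OIDC redirect URI and the Mellon endpoint path change with this layout, the two Okta apps have to be updated to match: the OIDC app's allowed redirect URI becomes https://apachesso.example.com/uliya/redirect_uri, and the SAML app needs SP metadata regenerated for the /transport/mellon/ endpoint. Until that is done, the IdP will reject the callbacks rather than the Apache side misrouting them.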

Remove URL user credentials before passing to reverse proxy - Apache

I am trying to configure Apache as a reverse proxy with basic auth. The problem is that URL credentials should not be proxied to the service (http://localhost:8000).
For example: if the user accesses http://user:password@my-host.com, the URL credentials should not be passed on like http://user:password@localhost:8000; it should be just http://localhost:8000.
The conf file:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ProxyRequests off
<Location />
AuthType Basic
AuthName "namex"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
ProxyPass http://localhost:8000/
Order allow,deny
Allow from all
RequestHeader set Authorization "Basic base64userpass"
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How should I do that?
Thanks!

Apache 2.4: AuthType Basic and REQUEST_URI - comparisons (with or without regular expressions) do not work properly

We use Apache 2.4.10 on a Debian server. Requests are redirected from an Apache proxy server (same system and version) which acts as a balancer (with only one balancer member at the moment).
Access to the related single virtual host is generally restricted via AuthType Basic. Just one folder containing public documents should be accessible without authentication.
I tested multiple ways (new Apache 2.4 syntax) to accomplish that, but no matter which method I tried, I always got stuck at the same issue: any comparison with the REQUEST_URI does not work as expected, with or without a regular expression. It seems as if the REQUEST_URI had an invalid value at the time the comparison takes place.
I tried, among others, the following alternatives:
A)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{REQUEST_URI} =~ m#^/docs#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
B)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
<LocationMatch "^/docs">
AuthType None
Require all granted
</LocationMatch>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
C)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
SetEnvIf Request_URI /docs noAuth=1
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require env noauth
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
Every alternative seems to get stuck at the same issue. The comparison with the REQUEST_URI fails or does not work properly.
An example: when I change line 16 in example A to
Require expr %{REQUEST_URI} =~ m#^/[a-z]#
(as a test), then it works (access granted without credentials).
When I change [a-z] to e.g. [d-i], it still works, but when I change [a-z] to e.g. [d-g], it does not work anymore and the user/pass dialogue appears.
The exact same behaviour appears when I change the regular expression in the LocationMatch directive in example B accordingly.
Another hint:
Using <Location /docs> instead of <LocationMatch ...> (see example B) does not work either. But <Location /> works.
And:
The log output is always identical:
When access is granted without credentials, the value of REQUEST_URI is the same as the path part of the requested URL (e.g. /docs).
But when the user/pass dialogue appears, the value is a dash ("-"); this seems to be the default value that Apache uses for empty or unavailable values.
And:
The problem persists even when I access the server directly (without the proxy) or when I use e.g. wget to make a request to localhost on the server.
Does anyone have an idea what's going on here?
I finally found a workaround myself. I use version A), but with the environment variable THE_REQUEST instead of REQUEST_URI. Fortunately it works!
The adjusted version of A), for GET requests only:
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{THE_REQUEST} =~ m#GET\s+\/docs\/[^\/]+\s+HTTP#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
Instead of using Location, you can use another directory.
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
<Directory "/var/www/domain.name/docs/">
AuthType None
Require all granted
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
The same can be accomplished through the use of .htaccess. A related question has been answered in How to remove .htaccess password protection from a subdirectory

Apache HTTPS configuration issue. Have to specify port 80 to get "https://" but need to access without specifying any port.

I followed this guide step by step to set up an SSL connection for my web portal. Earlier I was able to access it using http://, but now I have to specify port 80, i.e. I have to use https://:80 to access the portal. If I access https:// it shows me the default Apache test page, which says:
Testing 123..This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that this site is working properly. This server is powered by CentOS.
I need to access the portal using https:// without port. Any help is appreciated.
httpd.conf
<VirtualHost *:80>
WSGIScriptAlias / /var/www/html/portals/portals/wsgi.py
DocumentRoot /var/www/html/portals/portals
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/mysite.crt
SSLCertificateKeyFile /etc/pki/tls/private/mysite.key
SSLCertificateChainFile /etc/pki/tls/certs/mysite.crt
<Location "/mysite/authenticate">
AuthType Basic
AuthName "wsgi protected"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthGroupScript /var/www/html/portals/portals/wsgi.py
WSGIAuthUserScript /var/www/html/portals/portals/wsgi.py
</Location>
<Directory /var/www/html/portals/portals>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
Alias /media/ /var/www/html/portals/media/
Alias /static/ /var/www/html/portals/static/
<Directory /var/www/html/portals/static>
Require all granted
</Directory>
<Directory /var/www/html/portals/media>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
WSGIScriptAlias / /var/www/html/portals/portals/wsgi.py
DocumentRoot /var/www/html/portals/portals
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/mysite.crt
SSLCertificateKeyFile /etc/pki/tls/private/mysite.key
SSLCertificateChainFile /etc/pki/tls/certs/mysite.crt
<Location "/mysite/authenticate">
AuthType Basic
AuthName "wsgi protected"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthGroupScript /var/www/html/portals/portals/wsgi.py
WSGIAuthUserScript /var/www/html/portals/portals/wsgi.py
</Location>
<Directory /var/www/html/portals/portals>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
Alias /media/ /var/www/html/portals/media/
Alias /static/ /var/www/html/portals/static/
<Directory /var/www/html/portals/static>
Require all granted
</Directory>
<Directory /var/www/html/portals/media>
Require all granted
</Directory>
</VirtualHost>
I don't think you have followed the instructions correctly. The instructions say that the <VirtualHost *:80> element should be something like this:
<VirtualHost *:80>
<Directory /var/www/vhosts/yoursite.com/httpdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
ServerName yoursite.com
</VirtualHost>
and there should be a "mirror" configuration for port 443.
But you seem to have added the stuff to enable the SSL engine, etcetera, to the <VirtualHost *:80> element ... which is going to make Apache configure port 80 to expect / require "https:" connections.
Review your configurations and compare them with what the instructions actually tell you to do.
Can I also recommend reading the Apache documentation for the directives that you are using in your configs. That way you can start to understand what the configs are actually saying. That will give you a better chance of diagnosing problems if the "potted" instructions are not followed correctly.
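To make the point concrete, here is the asker's configuration rearranged as an added example (not part of the original answer) so that every SSL directive lives only in the 443 VirtualHost and the port 80 listener speaks plain HTTP. The WSGI, certificate and directory paths are the ones from the question; the ServerName and the redirect from port 80 to https are assumptions.

```apache
# Added example: plain HTTP on 80 (redirecting to https), TLS only on 443.
# Assumed ServerName: portal.example.com.
<VirtualHost *:80>
    ServerName portal.example.com
    # No SSLEngine here. Putting it on port 80 makes Apache expect TLS
    # handshakes on that port, which is why "https://host:80" started working
    # and plain "http://host" stopped.
    Redirect permanent "/" "https://portal.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/mysite.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mysite.key
    SSLCertificateChainFile /etc/pki/tls/certs/mysite.crt

    WSGIScriptAlias / /var/www/html/portals/portals/wsgi.py
    DocumentRoot /var/www/html/portals/portals

    <Location "/mysite/authenticate">
        AuthType Basic
        AuthName "wsgi protected"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /var/www/html/portals/portals/wsgi.py
        WSGIAuthGroupScript /var/www/html/portals/portals/wsgi.py
        Require valid-user
    </Location>

    <Directory /var/www/html/portals/portals>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    Alias /media/ /var/www/html/portals/media/
    Alias /static/ /var/www/html/portals/static/
    <Directory /var/www/html/portals/static>
        Require all granted
    </Directory>
    <Directory /var/www/html/portals/media>
        Require all granted
    </Directory>
</VirtualHost>
```

A matching ServerName on the 443 VirtualHost also matters: if the distribution's default ssl.conf defines its own *:443 host and yours has no ServerName, a request for https://host/ can land on that default host and show the "Testing 123" page instead of the portal. `apachectl -S` lists which VirtualHost Apache picks for each port and name.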

Password protect a directory using basic authentication

I'm trying to make a directory on my website password protected, and so far I've followed the Apache instructions to do that: http://httpd.apache.org/docs/current/howto/auth.html
and
http://wiki.apache.org/httpd/PasswordBasicAuth
I then created a password file using htpasswd, and then I edited my httpd.conf with:
<Directory /var/www/html/project/app.project.com/Admin/>
AuthType Basic
AuthName "Restricted Area"
# (Following line optional)
AuthBasicProvider file
AuthUserFile "/var/www/html/admin/.password"
Require valid-user
Order allow,deny
Allow from all
</Directory>
But when I go to the website that is supposed to ask me for the password, it doesn't!
I'm just trying to figure out what I'm doing wrong.
Thanks!
The problem, which I didn't think was related to this, is that I was trying to access that protected directory through one of my vhosts in the configuration file, so I just had to put this Directory directive inside the corresponding vhost that was being accessed. This is how I got my configuration in the end:
# Please note as well that I'm forcing connections from http to https:
<VirtualHost *:80>
ServerName app.project.com
ServerAlias project.com
DocumentRoot /var/www/html/project/app.project.com
Redirect permanent / https://app.project.com
ErrorLog /var/www/html/project/app.project.com/error.log
CustomLog /var/www/html/project/app.project.com/requests.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName app.project.com
DocumentRoot /var/www/html/project/app.project.com
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/40d5d69ae6a53.crt
SSLCertificateKeyFile /etc/httpd/ssl/project.key
SSLCertificateChainFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
#Adding the Directory directive to request auth access with password to the Admin directory
<Directory /var/www/html/project/app.project.com/Admin/>
AuthType Basic
AuthName "Restricted Area"
# (Following line optional)
AuthBasicProvider file
AuthUserFile "/var/www/html/admin/.password"
Require valid-user
Order allow,deny
Allow from all
</Directory>
</VirtualHost>