I'm new to apache so sorry if this is a newbie question. I have a reverse proxy set-up (and working) with the following code which includes a working authentication:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ProxyPass /PIZZA/ http://localhost:3636/PIZZA/
ProxyPassReverse /PIZZA/ http://localhost:3636/PIZZA/
ProxyPreserveHost On
<Location /PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
The above authentication is working if I go do my /PIZZA/ url.
However, if I type in the source IP address for the same url (ex: 192.168.1.11:3636/PIZZA/) the webpage loads without the need for authentication.
My question, is there a way to authenticate the specific source ip address? Something like the following (which doesn't work)?
<Location http://192.168.1.11:3636/PIZZA/>
AuthUserFile /etc/USER_PWD/PIZZA_PWD
AuthName "Password Protected"
AuthType Basic
require valid-user
</Location>
Any help would be very much appreciated. Thanks!
In the 2nd case, you're not even accessing Apache, so no Apache configuration is going to make any difference. If you want the backend server to only accept connections from your proxy server, you'll have to configure the backend server appropriately (or count on it being inaccessible over TCP)
Thanks for the responses. It was probably a rookie error trying to do the second authentication.
Arkascha - your answer pointed me in the right direction and I got it to work. I essentially just blocked access to the port in the firewall and that worked.
I would have never figured this out without your pointing me in the right direction so thanks!
Related
So i have an apache forward proxy setup like this:
<VirtualHost *:8080>
AddRadiusAuth **radius server ip**:1812 **secret** 5:3
ProxyRequests On
ProxyVia On
AllowConnect 443 5601
<Proxy "*">
Order Deny,Allow
Allow from all
AuthType Basic
AuthName "Please Enter Your JumpCloud Credentials"
AuthBasicAuthoritative Off
AuthRadiusAuthoritative on
AuthBasicProvider radius
AuthRadiusActive On
Require valid-user
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
now whenever a user tries to connect to the radius server he is allowed to login without any issues, BUT, the user gets this message when trying to login:
this image shows what the user sees when he tries to login using his radius credentials
Now that is not exactly safe because since the proxy connection is not private if anyone is eavesdropping on the connection the attacker can see the user and pass and eventually hack our systems.
How can i make the connection private and secured. I tried enabling SSL module and using a certificate file using these
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/vpn.crt
SSLCertificateKeyFile /etc/apache2/ssl/vpn.key
outside of the proxy tags but that didnt work, if i put them inside the proxy tags i get an error saying that they're not allowed to be there, so what am i missing here?
Any help or guidance is greatly appreciated.
Regards!
Behaviour:
1) I access the site, enter the userID/password that's required for the site
2) The site starts to load, but when the request is made to the WMS layers being served from the GeoServer ->
3) I get a second login-prompt that only accepts users(in this case the admin user) for the GeoServer.
Obviously,
Point 3 shouldn't be happening because i can access the WMS-requests "standalone" without logging in, so I think that the Geoserver is correctly configured.
The apache-config is as follows:
<VirtualHost *:80>
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass /geoserver http://127.0.0.1:8080/geoserver
ProxyPassReverse /geoserver http://127.0.0.1:8080/geoserver
</VirtualHost>
Any ideas why the site asks for the second login-prompt, regarding the geoserver?
This may be similar to an issue my team has had. If you add the same username and password combination as your apache user to your geoserver setup then it should stop prompting for the login.
Geoserver users.xml can be found in /data/security/usergroup/default/users.xml
Or i think you can do it through the geoserver backend.
I am creating a cluster of tile servers for a client application, due to bandwidth costs we would like to add some sort of authentication to the mod_tiles module in apache. I would prefer a app token using either oauth, but would be fine if I had to use basic auth or something like that.
I had a similar issue and I solved it with the apache basic authentication.
First thing I've done is disabled mod_tile over insecure connection. This is necessary because basic authentication has no encryption and asking users' login/password over insecure connection is a generally bad idea.
Then, my virtual host file (in my case it's /etc/apache2/sites-available/000-default-le-ssl.conf) looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName example.com
ServerAdmin admin#example.com
# Standard dir connfiguration
<Directory /var/www/html>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Set BasicAuth on location
<Location />
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /usr/local/.tileauth
Require valid-user
</Location>
# Enable tile server
LoadTileConfigFile /usr/local/etc/renderd.conf
ModTileRenderdSocketName /var/run/renderd/renderd.sock
ModTileRequestTimeout 0
ModTileMissingRequestTimeout 30
# Specify certificate and key using letsencrypt
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So, the thing that sets basic authentication is inside <Location> block. The password file is generated like this:
$ htpasswd -c /usr/local/.tileauth tile_server_user
Additionally to that, I would also recommend to use fail2ban to monitor basic authentication attempts, because apache itself has no brute-force attack protection. Hope this helps!
I'm deploying a SSO in Apache webserver against an Active Directory via kerberos (mod_auth_kerb).
The module is installed and configured correctly, when I access apache websites with a logged in user to AD network, Apache receives correctly user's credentials via REMOTE_USER variable. The thing is that I want external users (non AD network ones) to be able to access Apache websites via regular login, but they get a
401 Authorization required
when accessing the websites.
I guess this can be achieved via kerberos configuration but haven't reached the solution. Does anyone know if this is posible with a kerberos location directive or should I configure some workaround for this, such as limiting location access by ip ranges in virtual host configuration Location directive?
My virtual host configuration is:
<VirtualHost *:80>
# General
ServerAdmin packettrc#my.es
DocumentRoot /home/moodle/moodle
ServerName my.es
LogLevel debug
ErrorLog logs/my.es-error.log
CustomLog logs/my.es.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login MY"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/my.es#MY.ES
KrbAuthRealms MY.ES
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
</VirtualHost>
Try to replace
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case link to Apache's manual.
When I upgraded my VPS from Ubuntu 13.10 to 14.04 password protected directories are now giving the error below even if the correct password is entered.
Unauthorized: This server could not verify that you are authorized
to access the document requested. Either you supplied the wrong
credentials (e.g., bad password), or your browser doesn't understand
how to supply the credentials required.
Apache error.log says "No requires line available"
Files are as follows:-
/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/mysite
</VirtualHost>
<Directory /var/www/mysite>
Options -Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
/var/www/mysite/.htaccess
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/mysite/.htpasswd
require valid-user
/var/www/mysite/.htpasswd
admin:gIlFunhlCwBeY
Please will you help me to get authentication working again.
It appears apache 2.4 has added new values for the auth* modules. A grant is required now to return similar behavior. This is performed such as :
Require all granted
Some of this is outlined on the Apache HTTPd documentation site:
http://httpd.apache.org/docs/2.4/upgrading.html
I suggest referencing that if you are having similar messages in your log entries.
For Ubuntu 14.04 just edit the .htaccess file as below. It works for me:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/mysite/.htpasswd
Require valid-user