How do you combine basic auth with a reverse proxy in Apache?
I have an Apache site currently configured to use basic auth with an htpasswd file using this config:
<VirtualHost *:80>
# Requires: a2enmod proxy_http
ProxyPass / http://127.0.0.1:8010/
<Location />
AuthType Basic
AuthName "Sensitive"
AuthUserFile /usr/local/myproject/htpasswd
Require valid-user
</Location>
</VirtualHost>
Apache is acting as a wrapper around a Buildbot server being served on port :8010. However, this app has been upgraded so it now requires the use of websockets. The suggested Apache configuration is:
<VirtualHost *:80>
<Location /ws>
ProxyPass ws://127.0.0.1:8010/ws
ProxyPassReverse ws://127.0.0.1:8010/ws
</Location>
ProxyPass /ws !
ProxyPass / http://127.0.0.1:8010/
ProxyPassReverse / http://127.0.0.1:8010/
</VirtualHost>
However, this doesn't use any authentication. I tried re-adding my <Location /> section from the previous config, so I now have:
<VirtualHost *:80>
<Location />
AuthType Basic
AuthName "Sensitive"
AuthUserFile /usr/local/myproject/htpasswd
Require valid-user
</Location>
<Location /ws>
ProxyPass ws://127.0.0.1:8010/ws
ProxyPassReverse ws://127.0.0.1:8010/ws
</Location>
ProxyPass /ws !
ProxyPass / http://127.0.0.1:8010/
ProxyPassReverse / http://127.0.0.1:8010/
</VirtualHost>
and although Apache now correctly prompts for my username+password, the Buildbot still isn't given authenticated username and still renders for an anonymous user.
How do I fix this config to pass the username (I believe the REMOTE_USER header) through to the web app behind the reverse proxy?
Related
I want to configure an apache Auth proxy for access to QuestDB that does not have Authentication system. I try it to VM in a first time.
I made a very simple configuration:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
ProxyRequests Off
</VirtualHost>
I configured my QuestDB with a bind adress http://127.0.0.1:9000.
When I go to http://myipadress and give my Apache authentified user, I have :
Bad request
refresh
Content without CSS
refresh
Bad request
refresh
QuestDB opened
refresh
and looping like this forever.
Any idea ?
When I just set the ProxyPass / ProxyPassReverses lines, I got the same phenomenom.
I have enabled my Apache server mods : proxy_http, proxy, rewrite and cache and the default ones that are enabled.
The below config is working for me. I think the difference is I am not using a DocumentRoot.
<VirtualHost *:80>
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyRequests Off
ServerName 127.0.0.1:80
ServerAlias localhost
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>
I have apache2.4 set up and when visiting any apache served web sites basic authentication works great.
Now I have one more webserver running from an other service at port 8000 and I wanted to setup apache as a reverse proxy hoping that it can also impose and handle basic authentication there as well...but instead for asking for user and password it just serves the website unprotected.
my setup is:
<VirtualHost *:8000>
ProxyPreserveHost On
ProxyPass / http://192.168.0.101:8000/
ProxyPassReverse / http://192.168.0.101:8000/
<Location />
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
what am i doing wrong?
Update:
solution found by marked answer:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
Also make sure that apache is configured to listen to that port and also if the proxied server is local it is not running at the same port as listened one
The problem is that Apache doesn't 'link' Proxypass / http://example.com and <Location /> - even though they both try to work with /. This means that Proxypass is handling requests for '/' first, and the Location section is never being used.
You need to move the Proxy config inside the Location, dropping the path, e.g.:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
I have a proxy defined in my apache, there is any way to disable security for a sub path.
In the config I have /app pointing to port localhost:8000 and I want that /app/public point to localhost:8000/public.
Here is my config file (with security for all paths):
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /app http://localhost:8000
ProxyPassReverse /app http://localhost:8000
ServerName example.com
<Proxy *>
Order deny,allow
Allow from all
Authtype Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
</VirtualHost>
I found the solution, I used LocationMatch instead Proxy tag, this is the resulting conf file:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /app http://localhost:8000
ProxyPassReverse /app http://localhost:8000
ServerName example.com
<LocationMatch "^(?!/path/to/exclude)/[^/]+">
Order deny,allow
Allow from all
Authtype Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</LocationMatch>
</VirtualHost>
Trying to set up Nexus 3.3.2-02 and Jetty appears to ignore the HTTPS in the base URL config. Nexus hits the landing page but hangs at "Initializing" and fails to load static content.
I have added the base path capability to Nexus and have triple checked that it is using the correct URL. However if I load up the file static/rapture/bootstrap.js it is replacing HTTPS in the base URL with HTTP.
This is where I can see the switch occurring if I load the boostrap.js directly ...
https://[removed]/nexus3/static/rapture/bootstrap.js
Ext.Loader.setConfig({
enabled: false
});
Ext.app.addNamespaces('NX.coreui');
Ext.app.addNamespaces('NX.proui');
Ext.ns('NX');
NX.global = (function() {
if (window !== undefined) {
return window;
}
if (global !== undefined) {
return global;
}
Ext.Error.raise('Unable to determine global object');
}());
Ext.ns('NX.app');
NX.app.baseUrl = 'http://[removed]/nexus3';
NX.app.urlSuffix = '_v=3.3.2-02';
etc/nexus-default.properties:
# Jetty section
application-port=8091
application-host=0.0.0.0
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-
http.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/nexus3
# Nexus section
nexus-edition=nexus-oss-edition
nexus-features=\
nexus-oss-feature
The proxying here works for existing Nexus v2 and seems to be working for Nexus v3 ...
apache2.conf
<VirtualHost *:443>
########################
# SSL config
########################
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/[removed]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[removed]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[removed]/chain.pem
ServerName [removed]
########################
# Proxy config
########################
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
AllowEncodedSlashes On
<Proxy *>
Order deny,allow
Allow from all
# Use following line instead of the previous two on Apache >= 2.4
#Require all granted
</Proxy>
########################
# Nexus config
########################
<Location /nexus>
ProxyPass http://localhost:8090/nexus nocanon
ProxyPassReverse /nexus
</Location>
<Location /nexus/>
ProxyPass http://localhost:8090/nexus/ nocanon
ProxyPassReverse /nexus/
</Location>
<Location /nexus/*>
AuthType Basic
AuthName "Nexus"
Require valid-user
AuthBasicProvider file
AuthUserFile "/etc/apache2/gerrit-users"
Require valid-user
</Location>
########################
# Nexus3 config
########################
<Location /nexus3>
ProxyPass http://localhost:8091/nexus3 nocanon
ProxyPassReverse /nexus3
</Location>
<Location /nexus3/>
ProxyPass http://localhost:8091/nexus3/ nocanon
ProxyPassReverse /nexus3/
</Location>
<Location /nexus3/*>
AuthType Basic
AuthName "Nexus"
Require valid-user
AuthBasicProvider file
AuthUserFile "/etc/apache2/gerrit-users"
Require valid-user
</Location>
</VirtualHost>
You need to set the "X-Forwarded-Proto" header in Apache as described here:
http://books.sonatype.com/nexus-book/reference3/install.html#_example_reverse_proxy_ssl_termination_at_base_path
I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.
Make sure mod_headers is enabled. An example config:
<VirtualHost *:80>
ServerName something.example.com
ServerAdmin admin#example.com
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes On
KeepAlive Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /etc/apache2/passwd
Require valid-user
</Location>
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/ example
ProxyPassReverse / http://localhost:5984/
ErrorLog /var/log/apache2/something.example.com-error_log
CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>
I just had the same problem with Apache in front of another Java server trying to do basic auth, adding the following to my Apache config seemed to fix it:
RequestHeader unset Authorization