Apache reverse proxy with LDAP authentication for multiple applications - apache

We have to run Apache as a reverse proxy with LDAP authentication (AWS EMR) for 2 different applications. The reverse proxy and LDAP are working fine, but the contents of the applications' web pages are not loading fully. We are getting a 404 error code for some of the dependencies of the web page when going through the reverse proxy.
Here is our httpd.conf file:
<VirtualHost *:80>
    ServerName localhost
    ProxyHTMLExtended On
    RequestHeader unset Accept-Encoding
    ProxyRequests off
    ProxyPass /zeppelin/ http://localhost:8890/
    ProxyHTMLURLMap http://localhost:8890 /zeppelin
    ProxyPass /jupyter/ http://localhost:8900/
    ProxyHTMLURLMap http://localhost:8900 /jupyter
    <Location /zeppelin/>
        Options Indexes FollowSymLinks
        AllowOverride None
        AuthName "Login"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap::url"
        AuthLDAPBindDN "bindn"
        AuthLDAPBindPassword "bindpassword"
        Require valid-user
        ProxyPassReverse /
        ProxyHTMLEnable On
        ProxyHTMLURLMap / /zeppelin/
        RequestHeader unset Accept-Encoding
    </Location>
    <Location /jupyter/>
        Options Indexes FollowSymLinks
        AllowOverride None
        AuthName "Login"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap::url"
        AuthLDAPBindDN "bindn"
        AuthLDAPBindPassword "bindpassword"
        Require valid-user
        ProxyPassReverse /
        ProxyHTMLEnable On
        ProxyHTMLURLMap / /jupyter/
        RequestHeader unset Accept-Encoding
    </Location>
    DocumentRoot /var/www
    <Directory /var/www>
        Options -Indexes
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
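A hardened variant of the configuration above, added here as an example; it is not the question's own configuration and has not been run against these two applications. It assumes Apache 2.4 with mod_ssl, mod_ldap, mod_authnz_ldap, mod_headers, mod_rewrite, mod_proxy, mod_proxy_http and mod_proxy_wstunnel loaded, an LDAPS directory at ldap.example.com, and that each application has been configured with its own base path so that it already emits /zeppelin/... and /jupyter/... URLs itself. That last assumption is usually the root of the 404s described: ProxyHTMLURLMap rewrites links inside HTML responses only, so resources that scripts request by absolute path reach Apache without the prefix and match nothing under DocumentRoot. With the prefix set in the application, mod_proxy_html is not needed at all. The hostnames, file paths, group DN and bind account are placeholders.

```apache
# Added example, not the question's configuration (see assumptions above).

# CA that signed the LDAP server certificate (server-wide, outside any vhost).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem

# Port 80 only redirects: Basic credentials must never travel in clear.
<VirtualHost *:80>
    ServerName notebooks.example.com
    Redirect permanent "/" "https://notebooks.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName notebooks.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/notebooks.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/notebooks.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny: everything in this vhost needs an LDAP login, and only
    # members of one directory group (tighter than valid-user) are accepted.
    <Location "/">
        AuthType Basic
        AuthName "Notebooks"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=httpd-reader,ou=Service,dc=example,dc=com"
        AuthLDAPBindPassword "BIND-PASSWORD-PLACEHOLDER"
        Require ldap-group cn=notebook-users,ou=Groups,dc=example,dc=com
        # The proxy's credentials stay at the proxy; the backends never see
        # them (RequestHeader runs after authentication has completed).
        RequestHeader unset Authorization
    </Location>

    # WebSocket upgrades are tunnelled to the backend; everything else goes
    # over plain HTTP proxying. The application emits prefixed URLs, so the
    # backend paths carry the same prefix (assumed).
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/zeppelin/(.*) ws://localhost:8890/zeppelin/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/jupyter/(.*)  ws://localhost:8900/jupyter/$1  [P,L]

    ProxyPass        "/zeppelin/" "http://localhost:8890/zeppelin/"
    ProxyPassReverse "/zeppelin/" "http://localhost:8890/zeppelin/"
    ProxyPass        "/jupyter/"  "http://localhost:8900/jupyter/"
    ProxyPassReverse "/jupyter/"  "http://localhost:8900/jupyter/"
</VirtualHost>
```

To check the result, request https://notebooks.example.com/zeppelin/ with valid credentials and then watch the browser's network panel: every dependency should now be requested under /zeppelin/ or /jupyter/ and return 200, and a request without credentials should get 401 rather than a backend page.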

Related

Example to support both SAML and OpenIDC

I have a requirement to support both OIDC (openidc) and Mellon (SAML) in our application. We have created two apps in Okta for testing the flow.
OIDC App
SAML App
httpd.conf looks something like below :
<IfModule mod_ssl.c>
    <Location />
        MellonVariable "cookie"
        MellonEnable "auth"
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
    </Location>
    <VirtualHost _default_:443>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/server.pem
        SSLCertificateKeyFile /etc/ssl/private/private.key
        OIDCScope "openid email profile"
        OIDCClientID "xxxx"
        OIDCClientSecret "xxxxx"
        OIDCCryptoPassphrase "xxxx"
        OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
        OIDCRedirectURI "https://apachesso.example.com/callback"
        OIDCResponseType "code"
        <Location /uliya>
            <If "%{REQUEST_URI} =~ /callback=/">
                AuthType openid-connect
                Require valid-user
            </If>
            <Else>
                AuthType "Mellon"
                Require valid-user
                MellonEnable "auth"
            </Else>
        </Location>
    </VirtualHost>
    <VirtualHost *:443>
        <Location /uliya>
            AuthType openid-connect
            require valid-user
        </Location>
    </VirtualHost>
    <VirtualHost *:443>
        <Location /transport>
            AuthType "Mellon"
            MellonEnable auth
            Require valid-user
        </Location>
    </VirtualHost>
</IfModule>
The goal is that a request to https://apachesso.example.com/uliya should go through the openid-connect auth flow and a request to https://apachesso.example.com/transport should go through the Mellon flow.
However, with the above configuration all request authentication goes to the Mellon plugin by default and the config below doesn't take effect.
<Location /uliya>
    AuthType openid-connect
    Require valid-user
</Location>
Is it possible to get both these plugins to work together?
Just don't use any authentication directives on "/", but use mod_auth_openidc directives on "/uliya" (including setting OIDCRedirectURI to "/uliya/redirect_uri") and use mod_mellon directives only on "/transport".
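A full virtual host implementing that answer, added here as an example; it is not the asker's or the answerer's configuration. It keeps the asker's certificate and Mellon file paths, swaps OIDCMetadataDir for a single OIDCProviderMetadataURL (an assumption; Okta's discovery URL is a placeholder), and scopes each module to its own path: the OIDC redirect URI sits below /uliya, because mod_auth_openidc requires it to be inside a location it protects, and the Mellon endpoint path sits below /transport, because mod_auth_mellon requires it to be a sub-directory of the location where Mellon is configured. Nothing on "/" carries an AuthType, so neither module claims the other's requests.

```apache
# Added example implementing the answer above; not the question's configuration.
# Assumes Apache 2.4 with mod_ssl, mod_auth_openidc and mod_auth_mellon loaded.
<VirtualHost *:443>
    ServerName apachesso.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key
    ErrorLog  ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Deliberately no AuthType and no MellonEnable on "/".

    # --- mod_auth_openidc: the OIDC app in Okta ---
    # These are server-scope settings; the redirect URI must be a URL below
    # the path protected by AuthType openid-connect.
    OIDCProviderMetadataURL "https://OKTA-DOMAIN-PLACEHOLDER/.well-known/openid-configuration"
    OIDCClientID         "CLIENT-ID-PLACEHOLDER"
    OIDCClientSecret     "CLIENT-SECRET-PLACEHOLDER"
    OIDCCryptoPassphrase "CRYPTO-PASSPHRASE-PLACEHOLDER"
    OIDCScope            "openid email profile"
    OIDCResponseType     "code"
    OIDCRedirectURI      "https://apachesso.example.com/uliya/redirect_uri"

    <Location "/uliya">
        AuthType openid-connect
        Require valid-user
    </Location>

    # --- mod_auth_mellon: the SAML app in Okta ---
    # SP settings live on the protected path itself. The endpoint path (ACS,
    # metadata, logout) must be a sub-directory of it, and the SP metadata
    # registered in Okta must advertise that same URL.
    <Location "/transport">
        MellonEnable "auth"
        MellonEndpointPath "/transport/mellon/"
        MellonVariable "cookie"
        MellonSPMetadataFile   /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile       /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile  /etc/apache2/saml/idp_metadata.xml
        AuthType "Mellon"
        Require valid-user
    </Location>
</VirtualHost>
```

Because the endpoint path moved, the Mellon SP metadata file and the Okta SAML app must be regenerated or edited so that the AssertionConsumerService URL reads https://apachesso.example.com/transport/mellon/postResponse; likewise the Okta OIDC app's registered redirect URI must be the /uliya/redirect_uri value above, or the provider will reject the callback.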

Apache: Authentication before proxying

I have a VM with an application running on it. It doesn't support password protection. I connect to it like sub.domain.com:6000 (redirecting port 6000 to 80 of the VM).
So I would like to use Apache as a proxy with authentication.
My VirtualHost config:
<VirtualHost *:*>
    DocumentRoot /var/www/html/
    <Directory "/var/www">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
    ProxyPass "/" "http://127.0.0.1:5000/"
    ProxyPassReverse "/" "http://127.0.0.1:5000/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It redirects me, but there is no password protection.
What's wrong?
The <Directory> directive is used to enclose a group of directives that will apply only to the named directory, sub-directories of that directory, and the files within the respective directories. The proxied server is none of that, so you have to use the <Location> directive, which limits the scope of the enclosed directives by URL:
<Location />
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>

Apache reverse proxy keeps me on the login page

I have a problem with the Apache reverse proxy configuration.
I have a service running on port 3000, and when I try to log in, even if it's successful it keeps me on the login page. I think it's a cookie session problem, but I can't figure out a solution.
ServerAdmin webmaster@localhost
ServerName localhost
ProxyRequests Off
ProxyPreserveHost On
<proxy *>
    Order Allow,Deny
    Allow from all
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</proxy>
ProxyPass "/" "http://127.0.0.1:3000/"
ProxyPassReverse "/" "http://127.0.0.1:3000/"
ProxyPassReverseCookieDomain "http://127.0.0.1:3000/" "http:foo/"
This configuration finally works:
<VirtualHost *:*>
    ServerAdmin webmaster@localhost
    ServerName http://localhost
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order Allow,Deny
        Allow from all
    </Proxy>
    ProxyErrorOverride On
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    <Location />
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
        RequestHeader unset Authorization
        Order Allow,Deny
        Allow from all
    </Location>

Exclude specific cakephp controller from http basic auth

I'm trying to exclude a path (URI) from being blocked by HTTP basic auth.
The path is /rest (http://example.com/rest) and represents a controller of a CakePHP 3 application. It is NOT a real file, but rather a path rewritten by a rewrite condition and handled by index.php in the webroot dir.
Here are the rewrite rules:
/var/www/.htaccess:
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule ^$ webroot/ [L]
    RewriteRule (.*) webroot/$1 [L]
</IfModule>
/var/www/webroot/.htaccess:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
I'm running Apache 2.4 and tried different configurations:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot
    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
        Require expr %{REQUEST_URI} =~ m#/rest/.*#
        Require expr %{REQUEST_URI} =~ m#/index.php/rest/.*#
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...adapted from https://stackoverflow.com/a/33655232/1285585
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot
    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
    </Location>
    <Location "/rest">
        Allow from all
        Satisfy any
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
... from https://serverfault.com/a/475845/229877
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot
    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
    </Location>
    <Location "/rest">
        Require all granted
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
... from https://www.apachelounge.com/viewtopic.php?p=30200
...
<Location "/">
    SetEnvIf Request_URI ^/rest noauth=1
    SetEnvIf Request_URI /rest noauth=1
    SetEnvIf Request_URI ^/index.php/rest noauth=1
    SetEnvIf Request_URI /index.php/rest noauth=1
    AuthType Basic
    AuthName "Keawe Development"
    AuthUserFile /host/.htpasswd
    Order Deny,Allow
    Satisfy any
    Deny from all
    Require valid-user
    Allow from env=noauth
</Location>
... from https://stackoverflow.com/a/8979889/1285585
<Location "/">
    AuthType Basic
    AuthName "Keawe Development"
    AuthUserFile /host/.htpasswd
    Require valid-user
</Location>
<Location ~ "/(rest|index.php/rest)">
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
</Location>
... from https://stackoverflow.com/a/13296294/1285585
<Location "/">
    AuthType Basic
    AuthName "Keawe Development"
    AuthUserFile /host/.htpasswd
    Require valid-user
</Location>
<Files "index.php/rest">
    Satisfy Any
    Allow from all
</Files>
<Files "rest">
    Satisfy Any
    Allow from all
</Files>
... from HTTP Basic Auth Exclude Single File
However, none of them seem to work. I always get error 401 using wget or an auth request from a browser.
The problem seems to be that the path /rest passes the condition but is then rewritten to index.php, which is under control of basic auth (and has to be).
Any clues?
Finally figured it out when I stumbled upon this answer (https://stackoverflow.com/a/14010456/1285585) to a related question.
Here is my solution:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot
    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Location "/">
        # Default to Basic Auth protection for any site
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
        # If the request goes to a rest page: bypass basic auth
        SetEnvIf Request_URI ^/rest/ noauth=1
        Allow from env=REDIRECT_noauth
        Allow from env=noauth
        Order Deny,Allow
        Satisfy any
        Deny from all
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
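The same bypass written with Apache 2.4 authorization directives only, added here as an example that is not the answerer's configuration. It assumes the two .htaccess rewrite files from the question and the same password file path. Order, Deny, Allow and Satisfy come from mod_access_compat and are there for 2.2 compatibility; the 2.4 way to say "either this environment variable is set or the user is authenticated" is a RequireAny block, and mod_authz_core evaluates the user-less branch first, so a matching request is granted without ever being challenged for credentials. The REDIRECT_ name matters for exactly the reason the answer discovered: the per-directory RewriteRule turns /rest/... into an internal redirect to index.php, and the environment variables of the original request survive that redirect only under a REDIRECT_ prefix.

```apache
# Added example, not the answer's own configuration (see assumptions above).
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot
    <Directory "/var/www">
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd

        # Mark the request when the original URI is under /rest/. Keep the
        # pattern anchored with the trailing slash: an unanchored "/rest"
        # would also mark /admin/rest-of-site, and "^/rest" would mark
        # /restricted.
        SetEnvIf Request_URI "^/rest/" noauth=1

        # Grant when either the variable (or its post-redirect copy) is set,
        # or a valid user authenticated. No Order/Satisfy needed.
        <RequireAny>
            Require env noauth REDIRECT_noauth
            Require valid-user
        </RequireAny>
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Verify with two requests: a GET for /rest/ with no credentials should return 200 (or whatever the controller answers), and a GET for / with no credentials should still return 401. Everything below /rest/ is now reachable without the site password, so the REST controller has to authenticate its callers itself.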

Setting up httpd authentication for a particular page

I had a script install all this for me, but I am trying to configure it to how I like.
The issue is that it does it at the root of the web directory; I want it on a particular folder in the directory. How would I go about this?
This is what I have now:
ServerName localhost
<VirtualHost *:80>
    ServerAdmin admin@rutorrent
    ServerName localhost
    DocumentRoot /var/rutorrent/
    <Directory />
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Location />
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require valid-user
        Order allow,deny
        Allow from all
    </Location>
    <Location ~ "^/rutorrent/(conf|share)">
        Order deny,allow
        Deny from all
    </Location>
    <Location ~ "/\\.svn">
        Order deny,allow
        Deny from all
    </Location>
    <Location "/RPC00001">
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require user torrent
    </Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/httpd/rutorrent.pem
    ServerAdmin admin@rutorrent
    ServerName localhost
    DocumentRoot /var/rutorrent
    <Directory />
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Location />
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require valid-user
        Order allow,deny
        Allow from all
    </Location>
    <Location ~ "^/rutorrent/(conf|share)">
        Order deny,allow
        Deny from all
    </Location>
    <Location ~ "/\\.svn">
        Order deny,allow
        Deny from all
    </Location>
    <Location "/RPC00001">
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require user torrent
    </Location>
</VirtualHost>
#SCGIMount /RPC00001 127.0.0.1:23876
I want to make it ask for a password in /var/rutorrent/passwordarea.
I also wouldn't mind having a separate password and username for /var/rutorrent, so if someone could share how to do that as well I'd greatly appreciate it.
Thanks
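One way to do both things asked for, added here as an example; it is not part of the question and not the script's generated configuration. It assumes Apache 2.4 (Require syntax instead of Order/Allow/Deny), the DocumentRoot /var/rutorrent from the question, only the HTTPS virtual host (Basic credentials should not be sent over port 80), and two password files created with htpasswd; the second file name, the realm name and the user names are placeholders. The point it shows is that authorization is configured per filesystem directory, that a nested Directory block inherits AuthType and AuthUserFile but must restate Require, and that giving the inner area its own AuthName keeps the browser from silently replaying the outer credentials there.

```apache
# Added example, not the asker's configuration (see assumptions above).
#
# Create the two credential stores once, outside DocumentRoot, with bcrypt
# hashes (-B); the first user of each file is a placeholder:
#   htpasswd -c -B /etc/httpd/rutorrent_passwd    siteuser
#   htpasswd -c -B /etc/httpd/passwordarea_passwd areauser

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/httpd/rutorrent.pem
    ServerAdmin admin@rutorrent
    ServerName localhost
    DocumentRoot /var/rutorrent

    # Filesystem default: nothing is served unless a more specific block allows it.
    <Directory "/">
        AllowOverride None
        Require all denied
    </Directory>

    # The whole site: one credential set.
    <Directory "/var/rutorrent">
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require valid-user
    </Directory>

    # One folder inside the site: a different file, therefore different users.
    # AuthType is inherited; Require does not accumulate from the parent, so it
    # is stated again here.
    <Directory "/var/rutorrent/passwordarea">
        AuthName "Password area"
        AuthUserFile "/etc/httpd/passwordarea_passwd"
        Require valid-user
    </Directory>

    # Internal directories stay unreachable even for logged-in users.
    <LocationMatch "^/rutorrent/(conf|share)">
        Require all denied
    </LocationMatch>
    <LocationMatch "/\.svn">
        Require all denied
    </LocationMatch>

    # The RPC mount is not a directory, so it keeps its own Location block.
    <Location "/RPC00001">
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require user torrent
    </Location>
</VirtualHost>
```

After a reload, a request for /passwordarea/ should be refused with the site credentials and accepted with a user from passwordarea_passwd, while /rutorrent/conf/ should return 403 for everyone; checking both with curl -u is a quick regression test whenever either password file changes.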