Apache - How to protect virtualhost directive without htaccess - apache

I would like to password protect port 2000 of a web server by embedding a location directive inside of the virtualhost directive of the apache config file. However it didn't prompt for a password as expected. This is what I had in the apache config file:
<VirtualHost *:2000>
ServerName www.server.com
ServerAdmin email
DocumentRoot /var/www/html
ErrorLog logs/server.com-error_log
<Location / >
AuthType Basic
AuthName "Security"
AuthUserFile /var/www/s2/.htpasswd-users
Require valid-user
</Location>
</VirtualHost>

A couple reasons why I think it didn't work:
I needed a corresponding NameVirtualHost *:2000 to go with the VirtualHost directive
I was using a reverse ssh tunnel on that port so ssh was catching it before the web server. The web server that the tunnel connected to did not have password protection.
So now my question is how to password protect the server at the end of the tunnel. It is a simple server and not capable of passwords. That's why I was hoping to protect access to it via the apache server.

AuthType only works inside <Directory> or in a .htaccess file:
You have it inside a <Location> and that's the reason it isn't working.

Related

Apache VirtualHost configuration & Subversion

I'm trying to configure a sub-domain for my subversion repository.
I have a VH example.fr pointing to my personal website, and I want another VH svn.example.fr to point to the repository.
However, when I try to connect to svn.example.fr, I get the front page of my website...
Here is my Apache configuration file:
<VirtualHost *:80>
DocumentRoot /srv/example.fr
ServerName example.fr
ServerAlias www.example.fr
<Directory /srv/example.fr>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName svn.example.fr
<Location />
DAV svn
SVNPath /srv/svn/repo
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /srv/svn/repo/conf/passwd
AuthzSVNAccessFile /srv/svn/repo/conf/authz
Require valid-user
</Location>
</VirtualHost>
I don't see any problem here, but I'm sure there is.
Thanks for your help !
EDIT: The configuration file is correct. I should specify that I'm running Apache inside a Docker container. Just after creating the conf file, I restarted Apache by restarting the container. This is not the right way to do it: restarting the container does not restart the server.
So Lazy Badger was right finally, thanks.
This is a question for SU
After creating VirtualHost section you have to restart Apache
(Not related to network|Apache config, future trouble) Plain-text /srv/svn/repo/conf/passwd, used by svnserve, can't be used as Apache user-file, i.e. you have to have
...
AuthUserFile /path/to/htpasswd/file
...
DocumentRoot for VirtualHost must be defined, svn.example.fr is missing it

My server IP + all subdirectories are pointing to Subversion (SVN)

I installed a subversion on my server and it's working properly. All my repositories are located at /var/svn/repo1 /var/svn/repo2 etc... My /etc/apache2/sites-available/svn looks this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName svn.myhostname.com
DocumentRoot /var/svn
<Directory /var/svn/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Location />
DAV svn
SVNParentPath /var/svn
AuthType Basic
AuthName "Subversion"
AuthUserFile /etc/subversion/svn-auth
Require valid-user
</Location>
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/svn.error.log
CustomLog ${APACHE_LOG_DIR}/svn.access.log combined
</VirtualHost>
The problem is that when I open a browser and type my IP address or hostname they both point to SVN for some reason. For example, when I type only my IP the browser says "A username and password are being requested by MYIPADDRESS. The site says: "Subversion"". I think the only address that should be pointed to SVN would be svn.myipaddress.com, right??
When I type svn.myipaddress/repo1 it shows the repository normally though.
This causes me hard times as I cannot access my IP and open html/php-files there because it asks for SVN password every time.
Any thoughts on this?
Your initial <VirtualHost *:80> is redirecting all requests on port 80 (the standard http port) to the subversion directories. If you change that to something like <VirtualHost *:3690> then standard web requests should work as normal, though you'll need to add the port when accessing the repositories from the client, i.e. svn co http://repository.url:3690/repo1 in order for subversion commands to work.

Apache2 password protected Vhost configuration

I have a problem with a password protected vhost on apache2 and debian (7).
It's a server which hosts several vhost. They are all online for now. I need to restrict access only for one of them. (www.acticia.net)
I do not want to use .htaccess while it is not the correct way for apache.
Here is my vhost conf in site-available :
<VirtualHost *:80>
ServerAdmin admin@acticia.net
ServerName acticia.net
ServerAlias www.acticia.net
DocumentRoot /var/www/acticia.net/
<Directory /var/www/acticia.net/>
AuthType Basic
AuthName "Authentication required"
AuthUserfile "/etc/htpasswd/.htpasswd"
Require valide-user
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/acticia.net-error_log
TransferLog /var/log/apache2/acticia.net-access_log
</VirtualHost>
/etc/htpasswd/.htpasswd has been generated by htpasswd (from apache2)
The site claims that "Authentication required", asks for a login and a password, then asks again, and again and again ...
Tested under Chromium and Iceweasel (up to date for a deb7).
I read the apache2 wiki, apache2 docs and a certain part of the www for this subject, and didn't understand my mistake!
Thanks for the help, guys!
Require valide-user should be Require valid-user
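
Added example, not part of the original posts: a small Python check that scans Apache configuration text for `Require` keywords it does not recognise, so a typo like the one above is caught before deployment. The keyword list is an assumption and covers only common stock modules; `lint_require` and `SAMPLE` are names made up for this example.

```python
import difflib
import re

# Require keywords registered by stock Apache authorization modules. Not
# exhaustive (assumption): third-party modules add more, so review each hit.
KNOWN_REQUIRE = sorted({
    "valid-user", "user", "group", "all", "ip", "host", "local",
    "env", "method", "expr", "file-owner", "file-group",
})
SECTION_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")

def lint_require(config_text):
    """Return (line, enclosing section, keyword, suggestion) per unknown Require."""
    findings, stack = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:                         # opening tag: remember where we are
            stack.append(f"<{opened.group(1)} {opened.group(2).strip()}>")
            continue
        parts = line.split()
        if parts[0].lower() != "require" or len(parts) < 2:
            continue
        negated = parts[1].lower() == "not" and len(parts) > 2
        keyword = parts[2] if negated else parts[1]
        if keyword.lower() not in KNOWN_REQUIRE:
            close = difflib.get_close_matches(keyword.lower(), KNOWN_REQUIRE, n=1)
            findings.append((lineno, stack[-1] if stack else "(server config)",
                             keyword, close[0] if close else None))
    return findings

# Constructed sample: the <Directory> block from the question, typo included.
SAMPLE = """\
<VirtualHost *:80>
    ServerName acticia.net
    <Directory /var/www/acticia.net/>
        AuthType Basic
        AuthName "Authentication required"
        AuthUserFile "/etc/htpasswd/.htpasswd"
        Require valide-user
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_require(SAMPLE):
        print(finding)
```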

Multiple Apache Location directives for same path

I have a web application currently being served on two HTTPS ports - let's say 443 and 8443. The application has an Apache HTTP server as the front end and I am running into trouble setting up Apache config to exclude certain paths on one of the ports. I have my config set up as below in Apache
<Location /MyApp>
AuthType SOME_AUTH_MODULE
require user valid-user
</Location>
<Location ~ "/MyApp/(Login.html|Welcome.html)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
I have my virtual hosts setup in Apache as below
<VirtualHost _default_:443>
DocumentRoot /path/to/my/files
Servername www.example.com:443
Other details go here
</VirtualHost>
<VirtualHost _default_:8443>
DocumentRoot /path/to/my/files
Servername www.example.com:8443
Other details go here
</VirtualHost>
What are the expected problems with above configuration, considering that Location directive doesn't take host and port information? Does Location directive use the first matching entry OR will it use one after the other?
More details for folks who know Shibboleth
The first Location entry allows users to access the application in an SSO (Single Sign On) environment. The second entry is designed to allow users to access the same virtual host on a different port (8443) without going through SSO. What we are seeing is, the request headers are lost towards the end of the processing chain. When I remove the second Location entry all works fine.
Put the /Location directive inside the vhost directive you want to secure.
<VirtualHost _default_:443>
DocumentRoot /path/to/my/files
Servername www.example.com:443
<Location /MyApp>
AuthType SOME_AUTH_MODULE
require user valid-user
</Location>
Other details go here
</VirtualHost>
<VirtualHost _default_:8443>
DocumentRoot /path/to/my/files
Servername www.example.com:8443
Other details go here
</VirtualHost>

Redirect a frontend URL to another backend webserver

I'm using a framework that uses a full-stack to display all its webpages. This runs standard on port 9000. Very fine, but when going into production, the server seems to block everything except a few standard ports.
So therefore, the framework (Play framework), advises you to do this in your front-end webserver (in my case Apache2).
file: play.conf
<VirtualHost *:80>
ServerName http://avon.ugent.be
CustomLog /var/www/log/proxy-access.log common
ErrorLog /var/www/log/proxy-error.log
ProxyPreserveHost On
DocumentRoot /var/www
<Location /dev/app>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile /var/trac/htpasswd
Require valid-user
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
</Location>
</VirtualHost>
This of course requires the mod_proxy module, that is being enabled with a2enmod mod_proxy. (I run this on a Debian distro)
The idea is to run two webservers, one front-end and one back-end with the application.
The reloading of the apache webserver works fine, the site is enabled and everything, but when I surf to the http://my.website.com/dev/app url, it renders a 404... Suggestions what's going wrong?
EDIT3:
After 10+ hours of trying it boils down to this:
I found the debugging command (finally :p) and this is the output:
apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server avon.ugent.be (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost avon.ugent.be (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost avon.ugent.be (/etc/apache2/sites-enabled/play.conf:1)
Syntax OK
Which indicates that the virtual server is indeed being added to the configuration.
But still, it renders a 404. Now, somewhere I've read that's because there is no index.html in that path. Is that necessary if you just want to use a reverse proxy?
For a start please try using Location instead of Directory. Directory is used for identifying directory paths on the filesystem not paths relative to the document root.
<Location '/dev/app'>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile /var/trac/htpasswd
Require valid-user
</Location>
Try the following. It should prompt for the username/password and then pass the request to http://127.0.0.1:9000. In my case, Apache gives a "Service Temporarily Unavailable", which you should get as well if you turn off the application running on port 9000.
<VirtualHost *:80>
ServerName my.website.com
<Location /dev/app>
AuthType Basic
AuthName "Test Omgeving"
AuthUserFile passwd/.htpasswd
Require valid-user
ProxyPass http://127.0.0.1:9000
ProxyPassReverse http://127.0.0.1:9000
</Location>
</VirtualHost>
If you still get a 404, can you confirm that it's not the backend server sending it?
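
Added example, not part of the original posts: a simplified Python model of Apache's name-based virtual host selection, applied to the `apache2ctl -S` output in the last question and to the Subversion question where the bare IP address reached the SVN vhost. It assumes every vhost listens on `*`; the IP address, the `000-default (hypothetical)` entry and the assumption that the SVN vhost is the first one on port 80 are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class VHost:
    source: str                      # config file, as printed by `apache2ctl -S`
    port: int
    server_name: str
    aliases: list = field(default_factory=list)

def select_vhost(vhosts, port, host_header):
    """Simplified model of name-based selection; every vhost is on '*'."""
    candidates = [v for v in vhosts if v.port == port]     # config load order
    if not candidates:
        return None
    host = host_header.partition(":")[0].lower()           # drop ":port"
    for v in candidates:
        if host == v.server_name.lower() or any(
                fnmatchcase(host, a.lower()) for a in v.aliases):
            return v          # first match wins; a later duplicate is never used
    return candidates[0]      # nothing matched: the first vhost is the default

# Constructed from the `apache2ctl -S` output in the last question.
PLAY = [
    VHost("sites-enabled/000-default", 80, "avon.ugent.be"),
    VHost("sites-enabled/play.conf", 80, "avon.ugent.be"),
]
# Assumption: the SVN vhost from the earlier question is the first one on *:80.
SVN_FIRST = [VHost("sites-available/svn", 80, "svn.myhostname.com")]
# Hypothetical alternative: a catch-all site loaded before the SVN vhost.
DEFAULT_FIRST = [VHost("000-default (hypothetical)", 80, "myhostname.com")] + SVN_FIRST

def served_by(vhosts, host_header, port=80):
    """Name the config file whose vhost would answer the request."""
    return select_vhost(vhosts, port, host_header).source

if __name__ == "__main__":
    print(served_by(PLAY, "avon.ugent.be"))                 # duplicate ServerName
    print(served_by(SVN_FIRST, "192.0.2.10"))               # bare IP, SVN vhost first
    print(served_by(DEFAULT_FIRST, "192.0.2.10"))           # bare IP, catch-all first
    print(served_by(DEFAULT_FIRST, "svn.myhostname.com"))   # named request
```

In this model the request for avon.ugent.be is answered by 000-default, so the `<Location /dev/app>` block in play.conf is never consulted, and a request by bare IP address lands on whichever vhost is listed first.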