Apache HTTP Server Location directive - exclude url - apache

I have an Apache HTTP server that is used as a proxy (over https) for a JBoss-deployed webapp. I have the following entry in a conf file:
<Location "/app">
ProxyPass http://localhost:8080/app
ProxyPassReverse http://localhost:8080/app
AuthType Basic
AuthName "Private Documentation Repository"
AuthUserFile <path-to-file>
Require valid-user
</Location>
As you can see, a valid user is required to access /app.
The question is: how to write a directive that will exclude one particular file of the JBoss webapp, so that access to this file won't require a valid user, e.g.:
<Location "/app/some-file.xyz">
ProxyPass http://localhost:8080/app/some-file.xyz
ProxyPassReverse http://localhost:8080/app/some-file.xyz
</Location>
I mean: when a user requests anything under /app/ other than /app/some-file.xyz, he/she will be prompted for the password; otherwise Apache will let the user download some-file.xyz. Any help would be greatly appreciated.

<Location "/app/*.xyz">
allow from all
satisfy any
ProxyPass http://localhost:8080/app/*.xyz
ProxyPassReverse http://localhost:8080/app/*.xyz
</Location>
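As an added example (not from the thread), this is how the exclusion is written on Apache 2.4: <Location> sections are merged in the order they appear in the configuration, so a later, more specific section replaces the earlier section's Require rules. Paths are the ones from the question; the AuthUserFile value is a placeholder.

```apache
# Everything under /app is proxied to JBoss and needs a valid user.
<Location "/app">
    ProxyPass        http://localhost:8080/app
    ProxyPassReverse http://localhost:8080/app
    AuthType Basic
    AuthName "Private Documentation Repository"
    AuthUserFile /etc/httpd/conf/app.htpasswd   # placeholder path
    Require valid-user
</Location>

# A later <Location> for the one public file replaces the Require rule
# above. ProxyPass is not repeated: the /app mapping already covers
# /app/some-file.xyz. Order matters, so this block must come AFTER /app;
# if it came first, the broader /app section would re-impose valid-user.
<Location "/app/some-file.xyz">
    Require all granted
</Location>

# Apache 2.2 equivalent for the second block (no "Require all granted"):
#     Satisfy Any
#     Allow from all
# Check with "apachectl configtest", then confirm that the file downloads
# without credentials while any other /app URL still returns 401.
```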

Related

Apache 2.4 reverse proxy setup cannot impose basic authentication

I have Apache 2.4 set up, and when visiting any Apache-served web site, basic authentication works great.
Now I have one more web server running from another service on port 8000, and I wanted to set up Apache as a reverse proxy, hoping that it can also impose and handle basic authentication there as well... but instead of asking for user and password, it just serves the website unprotected.
My setup is:
<VirtualHost *:8000>
ProxyPreserveHost On
ProxyPass / http://192.168.0.101:8000/
ProxyPassReverse / http://192.168.0.101:8000/
<Location />
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
What am I doing wrong?
Update:
Solution found via the marked answer:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>
Also make sure that Apache is configured to listen on that port, and, if the proxied server is local, that it is not running on the same port Apache listens on.
The problem is that Apache doesn't 'link' ProxyPass / http://example.com and <Location /> - even though they both try to work with /. This means that ProxyPass is handling requests for '/' first, and the Location section is never being used.
You need to move the Proxy config inside the Location, dropping the path, e.g.:
<VirtualHost *:8000>
ProxyPreserveHost On
<Location />
ProxyPass http://192.168.0.101:8000/
ProxyPassReverse http://192.168.0.101:8000/
AuthType Basic
AuthName "Authorization"
AuthUserFile /etc/htpasswd/.htpasswd
require valid-user
</Location>
</VirtualHost>

How to prevent access to a subLocation

I have a webapp hidden behind Apache 2.4, which is set up as a proxy.
My configuration goes like this:
<Location /myapp>
ProxyPass ajp://localhost:8009/myapp
Require all granted
</Location>
Recently, I was asked to prevent anyone but whitelisted IPs from accessing the myapp API, which is accessible through /myapp/api/.
I am failing to achieve a proper configuration within Apache to make it so.
Here is what I've tried so far:
<Location /myapp/api>
ProxyPass ajp://localhost:8009/myapp/api
Require local
Require 1.2.3.4
</Location>
<Location /myapp>
ProxyPass ajp://localhost:8009/myapp
Require all granted
</Location>
So what I need is for http://mysite/myapp/ to be accessible to anyone, but to restrict calls to http://mysite/myapp/api/* to a bunch of whitelisted IPs.
Do you know how I may be able to achieve this?
Best Regards
Because of overlapping webspace, you should reverse the order of the Location directives:
<Location /myapp>
ProxyPass ajp://localhost:8009/myapp
Require all granted
</Location>
<Location /myapp/api>
ProxyPass ajp://localhost:8009/myapp/api
Require local
# Apache 2.4 needs the "ip" provider; a bare "Require 1.2.3.4" is a config error
Require ip 1.2.3.4
</Location>
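An added example (not from the thread) that spells out the allowlist in Apache 2.4 syntax and the ordering rule behind the answer. The 10.20.0.0/16 range and the 10.0.0.5 balancer address are constructed placeholders.

```apache
# Both sections proxy to the same AJP backend. Apache merges <Location>
# sections in configuration order, so the narrower /myapp/api section must
# come AFTER /myapp; otherwise "Require all granted" from the broader section
# would be merged last and reopen the API to everyone.
<Location "/myapp">
    ProxyPass ajp://localhost:8009/myapp
    Require all granted
</Location>

<Location "/myapp/api">
    # Redundant but harmless: the /myapp mapping already covers this prefix.
    ProxyPass ajp://localhost:8009/myapp/api
    # Several Require lines at one level are OR'ed (an implicit <RequireAny>).
    # The 2.4 "ip" provider accepts single addresses and CIDR ranges; a bare
    # "Require 1.2.3.4" is rejected as an unknown authorization provider.
    Require local
    Require ip 1.2.3.4
    Require ip 10.20.0.0/16          # constructed example range
</Location>

# Caveat: "Require ip" tests the TCP peer address. If a load balancer sits in
# front of this Apache, every request appears to come from the balancer, so
# the allowlist silently matches nothing (or everything, if the balancer's
# address is listed). mod_remoteip can restore the caller's address from
# X-Forwarded-For, but only trust that header from the balancer itself;
# otherwise any client can spoof an allowlisted address.
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 10.0.0.5       # placeholder balancer address
```

Verify with a request from a non-allowlisted host: /myapp/ should return 200 while /myapp/api/ returns 403.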

Apache Reverse-Proxy with Auth Form not passing credentials to proxied server

I am working on a reverse proxy solution (CentOS 7 + Apache w/ pcs + Pacemaker + Corosync for HA), which is working wonderfully.
I need to add authentication which gets passed to one of the proxied servers. Using basic LDAP Authentication, I can get this to work:
Listen 10.2.0.11:80
<VirtualHost 10.2.0.11:80>
<Proxy balancer://authweb>
BalancerMember http://win-web01
</Proxy>
ServerName authweb
DocumentRoot "/var/www/html"
ProxyPreserveHost On
<Location />
SetEnv proxy-chain-auth On
AuthName "Password Protected. Enter AD User & Password."
AuthType Basic
AuthBasicProvider ldap
AuthBasicAuthoritative Off
AuthLDAPURL "ldap://10.2.0.7:3268/dc=domain,dc=test?userPrincipalName?sub?(objectClass=*)"
AuthLDAPBindDN "administrator#DOMAIN.TEST"
AuthLDAPBindPassword "P#ssw0rd"
Session On
SessionCookieName session path=/
Require valid-user
</Location>
ProxyPass / balancer://authweb/
ProxyPassReverse / balancer://authweb/
</VirtualHost>
This configuration works nicely. An Auth dialog box pops up, accepts the credentials, and passes the credentials to the server behind the proxy - in this case, an IIS server.
What we want to do is to use a nice-looking form for the login, instead of the Auth pop-up dialog. However, I am struggling to get it to work. Here is what I have:
Listen 10.2.0.11:80
<VirtualHost 10.2.0.11:80>
<Proxy balancer://authweb>
BalancerMember http://win-web01
</Proxy>
ServerName authweb
ProxyRequests Off
ProxyPreserveHost On
SetEnv proxy-chain-auth On
<Location />
SetEnv proxy-chain-auth On
AuthName "Password Protected. Enter AD User & Password."
AuthType form
AuthFormProvider ldap
AuthFormAuthoritative Off
AuthFormLoginRequiredLocation "/login.html"
AuthLDAPURL "ldap://10.2.0.7:3268/dc=domain,dc=test?userPrincipalName?sub?(objectClass=*)"
AuthLDAPBindDN "administrator#DOMAIN.TEST"
AuthLDAPBindPassword "P#ssw0rd"
Session On
SessionCookieName session path=/
Require valid-user
ErrorDocument 401 "/login.html"
</Location>
<Location /login.html>
SetEnv proxy-chain-auth On
AuthType None
AuthName "Login"
Require all granted
ProxyPass !
</Location>
ProxyPass / balancer://authweb/
ProxyPassReverse / balancer://authweb/
</VirtualHost>
This almost works. The Apache server displays the Auth form and accepts the post and proxies to the IIS server. However, it is not passing the credentials to IIS, so I am prompted with an Auth pop-up dialog for the IIS credentials. I'm not sure what I'm missing. I have done a lot of web searching and haven't found anything yet.
I know that functionality like this is possible with solutions from places like F5 and Kemp, but we don't have the budget for that, nor do we need that big of a system. However, I'm not sure exactly how they do it. It's possible that they have built custom modules for handling it and I'm chasing my tail, but I hope not.
Any help is greatly appreciated.
Eric

How to combine proxy and basic auth in Apache

How do you combine basic auth with a reverse proxy in Apache?
I have an Apache site currently configured to use basic auth with an htpasswd file using this config:
<VirtualHost *:80>
# Requires: a2enmod proxy_http
ProxyPass / http://127.0.0.1:8010/
<Location />
AuthType Basic
AuthName "Sensitive"
AuthUserFile /usr/local/myproject/htpasswd
Require valid-user
</Location>
</VirtualHost>
Apache is acting as a wrapper around a Buildbot server being served on port :8010. However, this app has been upgraded so it now requires the use of websockets. The suggested Apache configuration is:
<VirtualHost *:80>
<Location /ws>
ProxyPass ws://127.0.0.1:8010/ws
ProxyPassReverse ws://127.0.0.1:8010/ws
</Location>
ProxyPass /ws !
ProxyPass / http://127.0.0.1:8010/
ProxyPassReverse / http://127.0.0.1:8010/
</VirtualHost>
However, this doesn't use any authentication. I tried re-adding my <Location /> section from the previous config, so I now have:
<VirtualHost *:80>
<Location />
AuthType Basic
AuthName "Sensitive"
AuthUserFile /usr/local/myproject/htpasswd
Require valid-user
</Location>
<Location /ws>
ProxyPass ws://127.0.0.1:8010/ws
ProxyPassReverse ws://127.0.0.1:8010/ws
</Location>
ProxyPass /ws !
ProxyPass / http://127.0.0.1:8010/
ProxyPassReverse / http://127.0.0.1:8010/
</VirtualHost>
and although Apache now correctly prompts for my username+password, Buildbot still isn't given the authenticated username and still renders for an anonymous user.
How do I fix this config to pass the username (I believe the REMOTE_USER header) through to the web app behind the reverse proxy?
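An added example (not from either thread) that forwards the user Apache authenticated to the backend as a request header, for the websocket setup above and, in the same way, for the form-login setup in the previous question. REMOTE_USER is not an HTTP header but a request variable, so it has to be copied into one explicitly. X-Remote-User is an assumed header name: use whichever header the backend is configured to trust. With mod_auth_form there is no Authorization header to forward, so only the username (never the password) can be handed on this way, and the backend must then skip its own Basic auth and trust the header.

```apache
<VirtualHost *:80>
    # Requires: a2enmod proxy proxy_http proxy_wstunnel headers
    # Authentication applies to every path, including /ws: the later
    # <Location /ws> section does not override these Require rules, so it
    # inherits them.
    <Location />
        AuthType Basic
        AuthName "Sensitive"
        AuthUserFile /usr/local/myproject/htpasswd
        Require valid-user

        # Copy the authenticated user into a request header for the backend.
        # "set" overwrites anything the client sent, so a caller cannot forge
        # the value; the header is only trustworthy when the backend is
        # reachable solely through this proxy (here: bound to 127.0.0.1).
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"   # assumed name
    </Location>

    # Websocket endpoint: same Require rules, same header, different scheme.
    <Location /ws>
        ProxyPass        ws://127.0.0.1:8010/ws
        ProxyPassReverse ws://127.0.0.1:8010/ws
    </Location>
    ProxyPass /ws !
    ProxyPass        / http://127.0.0.1:8010/
    ProxyPassReverse / http://127.0.0.1:8010/
</VirtualHost>
```

The expr= form of RequestHeader needs Apache 2.4.10 or later; on older releases expose REMOTE_USER to mod_rewrite with RewriteRule and the E= flag and set the header from that environment variable.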

set up gerrit with http authentication

I am trying to configure Gerrit with HTTP basic authentication; my httpd config is
<VirtualHost *:8081>
ServerName localhost
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location "/login/">
AuthType Basic
AuthName "Gerrit Code Review"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Location>
ProxyPass / http://localhost:8081/
</VirtualHost>
and my gerrit.config is
[gerrit]
basePath = git
canonicalWebUrl = http://localhost:8081/
[database]
type = mysql
hostname = localhost
database = reviewdb
username = gerrit
[auth]
type = HTTP
[sendemail]
smtpServer = localhost
smtpUser = gerrit
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = proxy-http://*:8081/
[cache]
directory = cache
I am not sure where I am going wrong, but accessing http://x.x.x.x:8081 says:
The HTTP server did not provide the username in the Authorization header when it forwarded the request to Gerrit Code Review.
If the HTTP server is Apache HTTPd, check the proxy configuration includes an authorization directive with the proper location, ensuring it ends with '/':
My Gerrit runs on the built-in Jetty container and my OS is CentOS 6.4.
Where am I going wrong?
Okay. Actually, I was creating a virtual host on port 8081 and my Jetty (that comes along with Gerrit) was also listening on the same port. My configuration remained almost the same, but these are the additional steps:
Add a new port to your SELinux policy (which has some basic ports defined initially), or you can disable it if security is not an issue.
Tell httpd to listen on this port (in my case I added 8082), so add the line Listen <port-no> to your httpd conf file.
Change the virtual host to your port number.
Now your VirtualHost is set on port 8082:
<VirtualHost *:8082>
ServerName localhost
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location "/login/">
AuthType Basic
AuthName "Gerrit Code Review"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Location>
ProxyPass / http://localhost:8081/
</VirtualHost>
Change the canonical URL to port 8082 (so that it redirects to the same port).
Finally, restart Apache and Gerrit (access your-host:8082).
Gerrit is expecting the authentication to be provided. It does not allow anonymous access when you use HTTP authentication.
For this to work you need to authenticate at the root and your Location block should look like this:
<Location "/">
AuthType Basic
AuthName "Gerrit Code Review"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Location>
There are a few issues with your configuration:
Apache and Gerrit try to listen on the same port 8081; this is not possible.
Your ProxyPass is not the best; it will create some small issues. These issues are:
Unable to create project names with a slash in them, like main/sub.
When reviewing files, the check mark will not appear next to the file to show it as reviewed; again, this is related to the forward slash not being properly processed.
It is most common to use a subfolder and not the root; I guess that works better with the reverse proxy.
This is my recommended configuration for you:
<VirtualHost *:80>
ServerName localhost
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location "/">
AuthType Basic
AuthName "Gerrit Code Review"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Location>
AllowEncodedSlashes On
ProxyPass /r http://localhost:8081/r nocanon
</VirtualHost>
Of course, don't forget to amend gerrit.config: the canonicalWebUrl is what you type in the address bar, not what Apache uses to find Gerrit.
[gerrit]
basePath = git
canonicalWebUrl = http://localhost:8082/r
To prevent the Apache default page from showing, add an index.php in your root folder that will redirect your browser to the subpath:
<?php
header('Location: http://localhost:8082/r/');
?>