Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying the URL, simplifying NAT, etc.).
However, what I would like to do is be able to use Apache to handle the authentication so that:
EDIT: Second part about richer authentication has been moved to new question
Here's more or less what I have now:
```apache
<VirtualHost *:80>
    ServerName sub.domain.com

    ProxyPass / http://192.168.1.253:8080/endpoint
    ProxyPassReverse / http://192.168.1.253:8080/endpoint

    # The endpoint has a mandatory password that I want to avoid requiring users to type
    # I.e. something like this would be nice (but does not work)
    # ProxyPass / http://username:[email protected]:8080/endpoint
    # ProxyPassReverse / http://username:[email protected]:8080/endpoint

    # Also need to be able to require a password to access proxy for people outside local subnet
    # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint
    # Ideas?
</VirtualHost>
```
In addition to being a "basic" web server that provides static and dynamic content to end users, Apache httpd (like most other web servers) can also act as a reverse proxy server, also known as a "gateway" server.
ProxyPass is the main proxy configuration directive. In this case, it specifies that everything under the root URL ( / ) should be mapped to the backend server at the given address.
The ProxyPreserveHost directive is used to instruct Apache mod_proxy, when acting as a reverse proxy, to preserve and retain the original Host: header from the client browser when constructing the proxied request to send to the target server.
Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard-coded; it's just a Base64 encoding of the string "username:password" (without the quotes).
Enable the mod_headers module if not already done.
```apache
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
```

To perform this conditionally, enable mod_setenvif, e.g. to still ask for the master password in the case of local requests:

```apache
SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
```
EXAMPLE
```apache
# ALL remote users ALWAYS authenticate against reverse proxy's
# /www/conf/passwords database
#
<Directory /var/web/pages/secure>
    # AuthBasicProvider names the provider; the password file path goes in AuthUserFile
    AuthBasicProvider file
    AuthUserFile /www/conf/passwords
    AuthType Basic
    AuthName "Protected Area"
    Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
# Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
```
Well, I used your example to point to two IP cameras using Apache ProxyPass. When I used the syntax user:[email protected] and accessed it through an iPhone, I got a security message from Safari (the iPhone browser), so I changed the example to work well with an iPhone 4S:

```apache
<Location /camarafeliz1/>
    # user admin, password 123456
    ProxyPass http://192.168.0.39/
    ProxyPassReverse http://192.168.0.39/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>

<Location /camarafeliz3/>
    # user admin, password 123456
    ProxyPass http://192.168.0.99/
    ProxyPassReverse http://192.168.0.99/
    RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2"
</Location>
```

and the iPhone 4S stopped complaining about security because of the user and password in the link.
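The header values in the answers above are plain Base64 of "username:password", so anyone who can read the proxy configuration can recover the backend credential. The following Python sketch is an added example, not code from either answer: it builds the header value and audits a configuration for hard-coded Basic credentials, flagging tokens that are not canonical Base64. The function names and the sample configuration are constructed for illustration.

```python
import base64
import binascii
import re

# Matches: RequestHeader set Authorization "Basic <token>"
DIRECTIVE = re.compile(
    r'RequestHeader\s+set\s+Authorization\s+"Basic\s+([^"\s]+)"', re.IGNORECASE)

def basic_auth_value(user, password):
    """Build the value for `RequestHeader set Authorization` (RFC 7617)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def audit_config(text):
    """Return (line_no, user, status) for each hard-coded Basic credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        match = DIRECTIVE.search(line)
        if not match:
            continue
        token = match.group(1)
        # Re-pad ourselves so the result does not depend on decoder leniency.
        body = token.rstrip("=")
        padded = body + "=" * (-len(body) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append((line_no, None, "undecodable"))
            continue
        user, sep, _password = decoded.partition(":")
        if not sep:
            status = "no-colon"      # not a user:password pair
        elif padded != token:
            status = "bad-padding"   # strict backend decoders may reject it
        else:
            status = "ok"
        findings.append((line_no, user, status))
    return findings

# Constructed sample configuration (not a real server's file).
SAMPLE = '''\
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
# RequestHeader set Authorization "Basic Y29tbWVudGVk"
RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
RequestHeader set Authorization "Basic %%%"
'''
```

Every line the audit reports is a recoverable backend password, so the files holding these directives should be readable only by root and the Apache service account.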