On 28/07/11 19:23, Joel Donahue wrote:
I am setting up a reverse proxy to an internal webserver from an apache server with a public IP. I want to use Basic Auth and SSL on the public apache server which then forwards standard http, non-ssl traffic, to the internal webserver.

Basic auth with ProxyPass works perfectly without using ssl but when using ssl the browser prompts me for the credentials but apache never accepts them as valid. Accessing the internal site with ssl and ProxyPass WITHOUT basic auth required works as well.

This configuration works great without using ssl:

    <VirtualHost *:80>
        ProxyPass / http://site.internal/ retry=0
        ProxyPassReverse / http://site.internal/
        ProxyPreserveHost On
        <Location />
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /usr/local/apache/access-file
            Require valid-user
        </Location>
    </VirtualHost>

However this configuration does not work, however if I remove basic auth I can get through:

    <VirtualHost *:443>
        ProxyPass / http://site.interal/ retry=0
        ProxyPassReverse / http://site.internal/
        ProxyPreserveHost On
        <Location />
            AuthType Basic
            AuthName "AFC Restricted Access"
            AuthUserFile /user/local/apache/access-file
            Require valid-user
        </Location>
    <VirtualHost>

What am I missing?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Anything in the apache logs? I can't see anything straight off that's wrong. Here's the recipe I use which is known to work:

http://squiddy.blog.dionic.net/2011/06/apache-22-pam-authentication-and-ssl.html

That breaks it down a bit, and does more (always does an SSL redirect for an auth'd location for security) but it should work for you if you change the Auth* lines in /etc/apache2/snippets/auth
I tend to dispense with ProxyPass in favour of Rewrite rules with the Proxy flag - just for my sanity, as then I can be sure of the order of execution of the various rewrites.
But I do a lot of what you are doing (in my case, proxy through to various tomcat servers) mixed with PAM (ultimately LDAP) auth - but any auth method will work with the recipe above...
It looks fiddly, but there is an explanation and the snippets/* files are invariant across sites/servers (unless you need different auth methods or files of course).
Sorry - in a rush, supper cooked - I'll come back later if anything doesn't make sense...
Cheers

Tim

--
Tim Watts
Personal Blog: http://www.dionic.net/tim/
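
A quick way to compare the two vhosts quoted in this thread, as an added example that is not from either poster: the script parses each <VirtualHost> block and lists the directives whose arguments differ between *:80 and *:443. The function names are hypothetical, and directives inside <Location> are simply flattened into their vhost, an assumption that holds for this config.

```python
import re

# Constructed input: the two vhost blocks quoted in the message, copied verbatim.
CONFIG = """\
<VirtualHost *:80>
ProxyPass / http://site.internal/ retry=0
ProxyPassReverse / http://site.internal/
ProxyPreserveHost On
<Location />
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/access-file
Require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
ProxyPass / http://site.interal/ retry=0
ProxyPassReverse / http://site.internal/
ProxyPreserveHost On
<Location />
AuthType Basic
AuthName "AFC Restricted Access"
AuthUserFile /user/local/apache/access-file
Require valid-user
</Location>
<VirtualHost>
"""

def parse_vhosts(text):
    """Map each '<VirtualHost addr>' address to its {directive: arguments} dict."""
    vhosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        opener = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opener:
            current = vhosts.setdefault(opener.group(1).strip(), {})
        elif current is not None and line and not line.startswith(("<", "#")):
            # Plain directive line; container tags such as <Location> are skipped.
            name, _, args = line.partition(" ")
            current[name] = args.strip()
    return vhosts

def diff_vhosts(text, a, b):
    """Return {directive: (value_in_a, value_in_b)} for directives that differ."""
    v = parse_vhosts(text)
    keys = sorted(set(v[a]) | set(v[b]))
    return {k: (v[a].get(k), v[b].get(k)) for k in keys if v[a].get(k) != v[b].get(k)}

if __name__ == "__main__":
    for name, (plain, ssl) in diff_vhosts(CONFIG, "*:80", "*:443").items():
        print(f"{name}: :80={plain!r}  :443={ssl!r}")
```

On the quoted config it reports AuthName, AuthUserFile and ProxyPass as the directives that differ between the two vhosts.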