On Thu, Jul 28, 2011 at 1:06 PM, Tim Watts <tw@xxxxxxxxxx> wrote:
> On 28/07/11 19:23, Joel Donahue wrote:
>>
>> I am setting up a reverse proxy to an internal webserver from an
>> apache server with a public IP. I want to use Basic Auth and SSL on
>> the public apache server which then forwards standard http, non-ssl
>> traffic, to the internal webserver. Basic auth with ProxyPass works
>> perfectly without using ssl but when using ssl the browser prompts me
>> for the credentials but apache never accepts them as valid. Accessing
>> the internal site with ssl and ProxyPass WITHOUT basic auth required
>> works as well.
>>
>> This configuration works great without using ssl:
>>
>> <VirtualHost *:80>
>>
>>     ProxyPass / http://site.internal/ retry=0
>>     ProxyPassReverse / http://site.internal/
>>     ProxyPreserveHost On
>>
>>     <Location />
>>         AuthType Basic
>>         AuthName "Restricted Area"
>>         AuthUserFile /usr/local/apache/access-file
>>         Require valid-user
>>     </Location>
>>
>> </VirtualHost>
>>
>> However this configuration does not work, however if I remove basic
>> auth I can get through:
>>
>> <VirtualHost *:443>
>>
>>     ProxyPass / http://site.internal/ retry=0
>>     ProxyPassReverse / http://site.internal/
>>     ProxyPreserveHost On
>>
>>     <Location />
>>         AuthType Basic
>>         AuthName "AFC Restricted Access"
>>         AuthUserFile /user/local/apache/access-file
>>         Require valid-user
>>     </Location>
>>
>> </VirtualHost>
>>
>> What am I missing?
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
> Anything in the apache logs?
>
> I can't see anything straight off that's wrong.
>
> Here's the recipe I use which is known to work:
>
> http://squiddy.blog.dionic.net/2011/06/apache-22-pam-authentication-and-ssl.html
>
> That breaks it down a bit, and does more (always does an SSL redirect for an
> auth'd location for security) but it should work for you if you change the
> Auth* lines in /etc/apache2/snippets/auth
>
> I tend to dispense with ProxyPass in favour of Rewrite rules with the Proxy
> flag - just for my sanity, as then I can be sure of the order of execution
> of the various rewrites.
>
> But I do a lot of what you are doing (in my case, proxy through to various
> tomcat servers) mixed with PAM (ultimately LDAP) auth - but any auth method
> will work with the recipe above...
>
> It looks fiddly, but there is an explanation and the snippets/* files are
> invariant across sites/servers (unless you need different auth methods or
> files of course).
>
> Sorry - in a rush, supper cooked - I'll come back later if anything doesn't
> make sense...
>
> Cheers
>
> Tim
>
> --
> Tim Watts
> Personal Blog: http://www.dionic.net/tim/
>

I got it working now. I didn't see anything in the logs to start with
because I wasn't checking the ssl logs. It was a simple typo. I used
'user' and not 'usr'

AuthUserFile /user/local/apache/access-file

changed to

AuthUserFile /usr/local/apache/access-file

Thanks for your help Tim.
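
The typo found in this thread can be caught before deployment by checking every AuthUserFile path in a config. The following is an added example, not code from the thread or from the Apache project; it generalizes to all vhosts in a file, and the function names, the "/etc/apache2" ServerRoot default and the condensed sample config are assumptions made for illustration.

```python
import os
import re
import shlex

# Constructed sample: the two vhosts from the thread, condensed.
SAMPLE_CONF = """\
<VirtualHost *:80>
  <Location />
    AuthType Basic
    AuthUserFile /usr/local/apache/access-file
  </Location>
</VirtualHost>
<VirtualHost *:443>
  <Location />
    AuthType Basic
    AuthUserFile /user/local/apache/access-file
  </Location>
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

def find_auth_user_files(conf_text, server_root="/etc/apache2"):
    """Return (vhost, lineno, path) per AuthUserFile; relative paths use server_root."""
    found, vhost = [], "(global)"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            vhost = m.group(1).strip()
        elif VHOST_CLOSE.match(line):
            vhost = "(global)"
        else:
            words = shlex.split(line)  # handles quoted arguments
            if len(words) >= 2 and words[0].lower() == "authuserfile":
                found.append((vhost, lineno, os.path.join(server_root, words[1])))
    return found

def missing_password_files(conf_text, is_readable=None):
    """List AuthUserFile entries whose file cannot be read by the current user."""
    check = is_readable or (lambda p: os.path.isfile(p) and os.access(p, os.R_OK))
    return [e for e in find_auth_user_files(conf_text) if not check(e[2])]

if __name__ == "__main__":
    for vhost, lineno, path in missing_password_files(SAMPLE_CONF):
        print(f"line {lineno}: vhost {vhost}: AuthUserFile not readable: {path}")
```

Run it as the account httpd runs under, since readability is checked for the current user.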