On 6/14/24 12:41, M Foster wrote:
Hello,I'm struggling a bit with an issue when using Apache as a reverse proxy when needing to use differing Authentication. I've searched for a couple of days now, but nothing matching what I'm seeing has come up.The scenario is that I am using Apache as a reverse proxy, but sending a sub-path to different backend like so (extremely simplified):<Location "/foo/bar"> ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar> </Location> <Location "/foo"> ProxyPass http://host1.example.com/foo <http://host1.example.com/foo> </Location>
One is overriding the other, so you get an arbitrary result. You can exclude /foo/bar from your second pass by using something like LocationMatch instead:
<Location /foo/bar> .. things here for /foo/bar </Location> <LocationMatch "^(/foo/(?!bar).*)$"> .. things here for /foo/baz but not /foo/bar ProxyPass "http://host1.example.com/$1" </LocationMatch>Do note that if the Auth realm is the same, you can get the wrong credentials showing up if they differ. These should be unique if the credentials are.
This works without issue. However, as soon as I try to put authentication on the second location (or more accurately different authentication directives), any request to "/foo/bar" triggers auth:Example: <Location "/foo/bar"> ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar> </Location> <Location "/foo"> AuthType basic AuthName "Restricted" AuthUserFile /usr/local/apache2/.htpasswd Require valid-user ProxyPass http://host1.example.com/foo <http://host1.example.com/foo> </Location>In the logs, set to trace8, I see that now apache is matching the REQUEST_URI to the wrong proxy handler:"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying"URI path /foo/bar' matches proxy handler 'proxy:http:// host1.example.com/foo/bar <http://host1.example.com/foo/bar>'" "authorization result of Require valid-user : denied (no authenticated user)"Without any auth, the logs correctly show the request to `/foo/bar` being routed to the correct proxy handler 'proxy:http://host2:8080/foo/ bar <http://host2:8080/foo/bar>'.If anyone has any ideas on why adding auth completely blows up the proxy routing, I'd appreciate it. Otherwise, I'll have to create two proxy servers, just to handle each case.
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx