Re: Authentication in Location blocks for reverse proxy seems to take precedence in routes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/14/24 12:41, M Foster wrote:
Hello,

I'm struggling a bit with an issue when using Apache as a reverse proxy when needing to use differing Authentication. I've searched for a couple of days now, but nothing matching what I'm seeing has come up.

The scenario is that I am using Apache as a reverse proxy, but sending a sub-path to different backend like so (extremely simplified):

<Location "/foo/bar">
   ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
</Location>
<Location "/foo">
   ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
</Location>

One is overriding the other, so you get an arbitrary result. You can exclude /foo/bar from your second pass by using something like LocationMatch instead:

<Location /foo/bar>
  .. things here for /foo/bar
</Location>
<LocationMatch "^(/foo/(?!bar).*)$">
    .. things here for /foo/baz but not /foo/bar
    ProxyPass "http://host1.example.com/$1";
</LocationMatch>

Do note that if the Auth realm is the same, you can get the wrong credentials showing up if they differ. These should be unique if the credentials are.


This works without issue. However, as soon as I try to put authentication on the second location (or more accurately different authentication directives), any request to "/foo/bar" triggers auth:

Example:
<Location "/foo/bar">
   ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
</Location>
<Location "/foo">
   AuthType basic
   AuthName "Restricted"
   AuthUserFile /usr/local/apache2/.htpasswd
   Require valid-user
   ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
</Location>

In the logs, set to trace8, I see that now apache is matching the REQUEST_URI to the wrong proxy handler:

"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
"URI path /foo/bar' matches proxy handler 'proxy:http:// host1.example.com/foo/bar <http://host1.example.com/foo/bar>'" "authorization result of Require valid-user : denied (no authenticated user)"

Without any auth, the logs correctly show the request to `/foo/bar` being routed to the correct proxy handler 'proxy:http://host2:8080/foo/ bar <http://host2:8080/foo/bar>'.

If anyone has any ideas on why adding auth completely blows up the proxy routing, I'd appreciate it. Otherwise, I'll have to create two proxy servers, just to handle each case.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux