On 6/14/24 12:41, M Foster wrote:
> Hello,
>
> I'm struggling a bit with an issue when using Apache as a reverse proxy
> when needing to use differing Authentication. I've searched for a couple
> of days now, but nothing matching what I'm seeing has come up.
>
> The scenario is that I am using Apache as a reverse proxy, but sending a
> sub-path to different backend like so (extremely simplified):
>
> <Location "/foo/bar">
> ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> </Location>
> <Location "/foo">
> ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> </Location>
One is overriding the other, so you get an arbitrary result. You can
exclude /foo/bar from your second pass by using something like
LocationMatch instead:
<Location /foo/bar>
.. things here for /foo/bar
</Location>
<LocationMatch "^(/foo/(?!bar).*)$">
.. things here for /foo/baz but not /foo/bar
ProxyPass "http://host1.example.com/$1"
</LocationMatch>
Do note that if the Auth realm is the same, you can get the wrong
credentials showing up if they differ. These should be unique if the
credentials are.
>
> This works without issue. However, as soon as I try to put
> authentication on the second location (or more accurately different
> authentication directives), any request to "/foo/bar" triggers auth:
>
> Example:
> <Location "/foo/bar">
> ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> </Location>
> <Location "/foo">
> AuthType basic
> AuthName "Restricted"
> AuthUserFile /usr/local/apache2/.htpasswd
> Require valid-user
> ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> </Location>
>
> In the logs, set to trace8, I see that now apache is matching the
> REQUEST_URI to the wrong proxy handler:
>
> "attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
> "URI path /foo/bar' matches proxy handler 'proxy:http://
> host1.example.com/foo/bar <http://host1.example.com/foo/bar>'"
> "authorization result of Require valid-user : denied (no authenticated
> user)"
>
> Without any auth, the logs correctly show the request to `/foo/bar`
> being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> bar <http://host2:8080/foo/bar>'.
>
> If anyone has any ideas on why adding auth completely blows up the proxy
> routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> servers, just to handle each case.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx