Re: Authentication in Location blocks for reverse proxy seems to take precedence in routes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Ah, that works! Great suggestion. I've never encountered this behavior before because previous iterations had the backends for each ProxyPass directive pointing to the same (Docker) host.

Thank you so much!

On Fri, Jun 14, 2024 at 12:25 PM Daniel Gruno <humbedooh@xxxxxxxxxx> wrote:
On 6/14/24 12:41, M Foster wrote:
> Hello,
>
> I'm struggling a bit with an issue when using Apache as a reverse proxy
> when needing to use differing Authentication. I've searched for a couple
> of days now, but nothing matching what I'm seeing has come up.
>
> The scenario is that I am using Apache as a reverse proxy, but sending a
> sub-path to different backend like so (extremely simplified):
>
> <Location "/foo/bar">
>    ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> </Location>
> <Location "/foo">
>    ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> </Location>

One is overriding the other, so you get an arbitrary result. You can
exclude /foo/bar from your second pass by using something like
LocationMatch instead:

<Location /foo/bar>
   .. things here for /foo/bar
</Location>
<LocationMatch "^(/foo/(?!bar).*)$">
     .. things here for /foo/baz but not /foo/bar
     ProxyPass "http://host1.example.com/$1"
</LocationMatch>

Do note that if the Auth realm is the same, you can get the wrong
credentials showing up if they differ. These should be unique if the
credentials are.

>
> This works without issue. However, as soon as I try to put
> authentication on the second location (or more accurately different
> authentication directives), any request to "/foo/bar" triggers auth:
>
> Example:
> <Location "/foo/bar">
>    ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> </Location>
> <Location "/foo">
>    AuthType basic
>    AuthName "Restricted"
>    AuthUserFile /usr/local/apache2/.htpasswd
>    Require valid-user
>    ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> </Location>
>
> In the logs, set to trace8, I see that now apache is matching the
> REQUEST_URI to the wrong proxy handler:
>
> "attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
> "URI path /foo/bar' matches proxy handler 'proxy:http://
> host1.example.com/foo/bar <http://host1.example.com/foo/bar>'"
> "authorization result of Require valid-user : denied (no authenticated
> user)"
>
> Without any auth, the logs correctly show the request to `/foo/bar`
> being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> bar <http://host2:8080/foo/bar>'.
>
> If anyone has any ideas on why adding auth completely blows up the proxy
> routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> servers, just to handle each case.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux