Joost, Joost de Heer wrote:
I have a reverse proxy which needs double authentication: First thereverse proxy itself has an authentication, and then the machine that is reverse proxied to has authentication.
We're using a similar setup and using the following in our configuration. For users who need to be in a specific group (munged to protect the innocent):
<Location /secure> AuthType Basic AuthName "Unauthorised access prohibited" AuthXRadiusAddServer "192.168.1.1:1645" "secret" AuthXRadiusTimeout 2 AuthXRadiusRetries 2 AuthUserFile /dev/null AuthGroupFile /etc/httpd/conf/groups.conf AuthAuthoritative Off require group access Satisfy any </Location> And for any valid member: <Location /secure> AuthType Basic AuthName "Unauthorised access prohibited" AuthXRadiusAddServer "192.168.1.1:1645" "secret" AuthXRadiusTimeout 2 AuthXRadiusRetries 2 AuthUserFile /dev/null AuthGroupFile /etc/httpd/conf/groups.conf AuthAuthoritative Off require valid-user Satisfy any </Location>There's a group file specified for both as that chunk of configuration is actually included from a separate file. You should be able to specify /dev/null for the group file.
You will not, however, be able to perform basic authentication on both the accelerator _and_ the backend server. Because they both share the same headers it'll never work (unless the usernames and passwords are the same and you forward them from the accelerator).
HTH,
Neil.
--
Neil Hillard hillardn@xxxxxxxxx
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|