You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Yungwei Chen <yu...@resolvity.com> on 2009/11/13 17:00:05 UTC

[users@httpd] Authenticate each user once for multiple applications

Hi,

I have a reverse proxy server that forwards to requests to an internal apache server. Here's the configuration on how the reverse proxy server works.
    <Location /rpt >
       Order Deny,Allow
       Deny from all
       Allow from ...
       ProxyPass        https://111.111.111.111/rpt
       ProxyPassReverse https://111.111.111.111/rpt
       ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
       AuthName "Restricted Access"
       AuthType Basic
       AuthUserFile /etc/httpd/passwd/htpasswd.users
       Require valid-user
   </Location>

Then I added the following to the same conf file on the reverse proxy server for another application.
I first accessed the rpt application in a web browser, and then I was asked to enter id and password as expected.
Then I hit rpt2 in the same browser session, and then I was asked to enter id and password again.
My question is: How can I tell the reverse proxy server to authenticate each user just once in this case?
    <Location /rpt2 >
       Order Deny,Allow
       Deny from all
       Allow from ...
       ProxyPass        https://111.111.111.111/rpt2
       ProxyPassReverse https://111.111.111.111/rpt2
       ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
       AuthName "Restricted Access"
       AuthType Basic
       AuthUserFile /etc/httpd/passwd/htpasswd.users
       Require valid-user
   </Location>

Thanks.

[users@httpd] RE: Authenticate each user once for multiple applications

Posted by Yungwei Chen <yu...@resolvity.com>.

I just found that using the same value of AuthName for each application seems to solve my problem. Is it the right way to go?

From: Yungwei Chen [mailto:yungwei@resolvity.com]
Sent: Friday, November 13, 2009 10:00 AM
To: users@httpd.apache.org
Subject: [users@httpd] Authenticate each user once for multiple applications

Hi,

I have a reverse proxy server that forwards to requests to an internal apache server. Here's the configuration on how the reverse proxy server works.
    <Location /rpt >
       Order Deny,Allow
       Deny from all
       Allow from ...
       ProxyPass        https://111.111.111.111/rpt
       ProxyPassReverse https://111.111.111.111/rpt
       ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
       AuthName "Restricted Access"
       AuthType Basic
       AuthUserFile /etc/httpd/passwd/htpasswd.users
       Require valid-user
   </Location>

Then I added the following to the same conf file on the reverse proxy server for another application.
I first accessed the rpt application in a web browser, and then I was asked to enter id and password as expected.
Then I hit rpt2 in the same browser session, and then I was asked to enter id and password again.
My question is: How can I tell the reverse proxy server to authenticate each user just once in this case?
    <Location /rpt2 >
       Order Deny,Allow
       Deny from all
       Allow from ...
       ProxyPass        https://111.111.111.111/rpt2
       ProxyPassReverse https://111.111.111.111/rpt2
       ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
       AuthName "Restricted Access"
       AuthType Basic
       AuthUserFile /etc/httpd/passwd/htpasswd.users
       Require valid-user
   </Location>

Thanks.

Re: [users@httpd] Authenticate each user once for multiple applications

Posted by Peter Schober <pe...@univie.ac.at>.

* Yungwei Chen <yu...@resolvity.com> [2009-11-13 17:39]:
> The proxy server also needs to forward some requests (/nagios) to
> another internal apache server. Any suggestions in this case?

Exclude those from the proxy pass?
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Authenticate each user once for multiple applications

Posted by Yungwei Chen <yu...@resolvity.com>.

The proxy server also needs to forward some requests (/nagios) to another internal apache server. Any suggestions in this case?

-----Original Message-----
From: Peter Schober [mailto:peter.schober@univie.ac.at] 
Sent: Friday, November 13, 2009 10:18 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Authenticate each user once for multiple applications

* Yungwei Chen <yu...@resolvity.com> [2009-11-13 17:00]:
>     <Location /rpt >
>        Order Deny,Allow
>        Deny from all
>        Allow from ...
>        ProxyPass        https://111.111.111.111/rpt
>        ProxyPassReverse https://111.111.111.111/rpt
>        ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
>        AuthName "Restricted Access"
>        AuthType Basic
>        AuthUserFile /etc/httpd/passwd/htpasswd.users
>        Require valid-user
>    </Location>
[...]
>     <Location /rpt2 >
>        Order Deny,Allow
>        Deny from all
>        Allow from ...
>        ProxyPass        https://111.111.111.111/rpt2
>        ProxyPassReverse https://111.111.111.111/rpt2
>        ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
>        AuthName "Restricted Access"
>        AuthType Basic
>        AuthUserFile /etc/httpd/passwd/htpasswd.users
>        Require valid-user
>    </Location>

If this indeed is representative of your site's structure you could
simply have one <Location /foo> (or just '/') proxying to
https://111.111.111.111/ and you should be able to access /foo/rpt,
/foo/rpt2. etc.
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Authenticate each user once for multiple applications

Posted by Peter Schober <pe...@univie.ac.at>.

* Yungwei Chen <yu...@resolvity.com> [2009-11-13 17:00]:
>     <Location /rpt >
>        Order Deny,Allow
>        Deny from all
>        Allow from ...
>        ProxyPass        https://111.111.111.111/rpt
>        ProxyPassReverse https://111.111.111.111/rpt
>        ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
>        AuthName "Restricted Access"
>        AuthType Basic
>        AuthUserFile /etc/httpd/passwd/htpasswd.users
>        Require valid-user
>    </Location>
[...]
>     <Location /rpt2 >
>        Order Deny,Allow
>        Deny from all
>        Allow from ...
>        ProxyPass        https://111.111.111.111/rpt2
>        ProxyPassReverse https://111.111.111.111/rpt2
>        ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
>        AuthName "Restricted Access"
>        AuthType Basic
>        AuthUserFile /etc/httpd/passwd/htpasswd.users
>        Require valid-user
>    </Location>

If this indeed is representative of your site's structure you could
simply have one <Location /foo> (or just '/') proxying to
https://111.111.111.111/ and you should be able to access /foo/rpt,
/foo/rpt2. etc.
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Authenticate each user once for multiple applications

Posted by Eric Covener <co...@gmail.com>.

On Fri, Nov 13, 2009 at 11:00 AM, Yungwei Chen <yu...@resolvity.com> wrote:
> My question is: How can I tell the reverse proxy server to authenticate each
> user just once in this case?

It authenticates you on every request, but your browser doesn't bother
to prompt you when something is a sub-location of where you previously
authenticated. Can you put these two URL's under a common root? Your
browser would stop prompting.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org