Posted to users@httpd.apache.org by John Hallam <jo...@yahoo.com> on 2006/09/29 22:08:49 UTC

[users@httpd] Reverse Proxy and Authentication problem.

I have a problem which I think might be a bug. I have
set up Apache as a Reverse proxy and it works fine! The
backend Web server is IIS. For some of the web pages a
user has to enter their Windows credentials to reach
the web page. This also works fine!

The Problem: What is required is first a general
authentication so that one can reach the backend
server, which means that one authenticates first at
the proxy and then a second time to access the
protected IIS web pages. The first authenticate to
grant access through the proxy works fine, but the IIS
authentication part doesn't. If I look at the error
log Apache is trying to authenticate the user instead
of passing it through. Why? Is there a simple answer?

The relevant configuration:

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName proxy.xxxxxx.com

        SSLEngine On
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/xxxxxxCA/www-cert.pem
        SSLCertificateKeyFile /etc/ssl/xxxxxCA/www-key.pem

        ProxyRequests Off

        <Location />
        AuthType Basic
        AuthAuthoritative Off
        AuthName "Restricted Area - PharmaPart only"
        AuthLDAPAuthoritative Off
        AuthLDAPURL ldap://ldap.xxxxx.net/ou=people,dc=xxxxxx,dc=com?mail?sub?(objectClass=*)
        Require valid-user
        ProxyPass http://ppzhsr02.xxxxxxx.net/
        ProxyPassReverse http://ppzhsr02.xxxxxx.net/
        </Location>

        <Proxy *>
        Order deny,allow
        Allow from all
        </Proxy>
</VirtualHost>

Like I've stated - take the Authxxxx part away and the
IIS authentication works fine. It appears to me that
when I put the Authxxxx statements in place that the
Proxy wants to do all authentications rather than just
the first access authentication.

Can anyone help?

Thanx
John

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Reverse Proxy and Authentication problem.

Posted by Serge Dubrouski <se...@gmail.com>.
You set Require for your /. That means that Apache requires
authentication for every request. Now here is a simple description of why
you have your problem:

1. Browser sends a request
2. Apache answers with 401 code: Authorization required
3. Browser asks user for a username and password and sends it back to
the browser with each next request because HTTP is a stateless
protocol.
4. Apache checks username/password for each request and grants access
if it sees it in its password file.
5. IIS sends 401 for authorization
6. Browser asks for the new username/password and starts to send these
with each request.
7. Apache refuses to provide access because it doesn't know this new user.

Your problem is that basic authentication is implemented on HTTP level
and both of your servers look like one to the browser.

I don't know how to fix this problem. Maybe replacing Apache with
SQUID will help because SQUID sends 407 when it asks for authorization.


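A model of the exchange described in the reply above, as an added example that is not part of the thread. The accounts, passwords and function names are constructed; the model assumes the browser keeps one credential per header name for the origin and that the user answers whichever prompt is shown. It contrasts the 401/Authorization setup from the thread with a 407 challenge, which uses the separate Proxy-Authorization header.

```python
import base64

PROXY_USERS = {"alice@example.com": "ldap-pw"}    # constructed LDAP account
BACKEND_USERS = {"CORP\\alice": "windows-pw"}     # constructed IIS account

def basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def check(header, users):
    """Validate a Basic credential header against a user table."""
    if not header or not header.startswith("Basic "):
        return False
    user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    return users.get(user) == pw

def backend(headers):
    """IIS stand-in: protects the page with its own 401 challenge."""
    return 200 if check(headers.get("Authorization"), BACKEND_USERS) else 401

def proxy(headers, challenge):
    """Front-end stand-in. challenge=401 reads Authorization (the thread's
    setup); challenge=407 reads Proxy-Authorization instead."""
    name = "Authorization" if challenge == 401 else "Proxy-Authorization"
    if not check(headers.get(name), PROXY_USERS):
        return challenge, "proxy"
    return backend(headers), "backend"

def browse(challenge, max_rounds=6):
    """Browser stand-in: a new challenge overwrites whatever credential
    was cached under the header that challenge refers to."""
    answers = {"proxy": basic("alice@example.com", "ldap-pw"),
               "backend": basic("CORP\\alice", "windows-pw")}
    headers, trace = {}, []
    for _ in range(max_rounds):
        status, who = proxy(headers, challenge)
        trace.append((status, who))
        if status == 200:
            break
        name = "Proxy-Authorization" if status == 407 else "Authorization"
        headers[name] = answers[who]    # user answers the prompt shown
    return trace

if __name__ == "__main__":
    for code in (401, 407):
        print(code, browse(code))
```

With 401 at both layers the two credentials keep overwriting each other in the single Authorization header and the request never reaches a 200. The 407 branch models the header separation only, not whether a given browser will answer a 407 from a reverse proxy.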