Posted to users@httpd.apache.org by Joel Donahue <jo...@gmail.com> on 2011/07/28 20:23:47 UTC

[users@httpd] Basic Auth with ProxyPass Through SSL

I am setting up a reverse proxy to an internal webserver from an
apache server with a public IP. I want to use Basic Auth and SSL on
the public apache server which then forwards standard http, non-ssl
traffic, to the internal webserver. Basic auth with ProxyPass works
perfectly without using ssl but when using ssl the browser prompts me
for the credentials but apache never accepts them as valid. Accessing
the internal site with ssl and ProxyPass WITHOUT basic auth required
works as well.

This configuration works great without using ssl:

<VirtualHost *:80>

ProxyPass / http://site.internal/ retry=0
ProxyPassReverse / http://site.internal/
ProxyPreserveHost On

<Location />
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/access-file
Require valid-user
</Location>

</VirtualHost>

However this configuration does not work, however if I remove basic
auth I can get through:

<VirtualHost *:443>

ProxyPass / http://site.internal/ retry=0
ProxyPassReverse / http://site.internal/
ProxyPreserveHost On

<Location />
AuthType Basic
AuthName "AFC Restricted Access"
AuthUserFile /user/local/apache/access-file
Require valid-user
</Location>

</VirtualHost>

What am I missing?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Basic Auth with ProxyPass Through SSL

Posted by Tim Watts <tw...@dionic.net>.
On 28/07/11 20:28, Joel Donahue wrote:

> I got it working now. I didn't see anything in the logs to start with
> because I wasn't checking the ssl logs.
> It was a simple typo. I used 'user' and not 'usr'
>
> AuthUserFile /user/local/apache/access-file
> changed to
> AuthUserFile /usr/local/apache/access-file
>
> Thanks for your help Tim.

Ha - that's the sort of stuff I can never see either - don't feel bad...

-- 
Tim Watts
Personal Blog: http://www.dionic.net/tim/



Re: [users@httpd] Basic Auth with ProxyPass Through SSL

Posted by Joel Donahue <jo...@gmail.com>.
On Thu, Jul 28, 2011 at 1:06 PM, Tim Watts <tw...@dionic.net> wrote:
> On 28/07/11 19:23, Joel Donahue wrote:
>>
>> I am setting up a reverse proxy to an internal webserver from an
>> apache server with a public IP. I want to use Basic Auth and SSL on
>> the public apache server which then forwards standard http, non-ssl
>> traffic, to the internal webserver. Basic auth with ProxyPass works
>> perfectly without using ssl but when using ssl the browser prompts me
>> for the credentials but apache never accepts them as valid. Accessing
>> the internal site with ssl and ProxyPass WITHOUT basic auth required
>> works as well.
>>
>> This configuration works great without using ssl:
>>
>> <VirtualHost *:80>
>>
>> ProxyPass / http://site.internal/ retry=0
>> ProxyPassReverse / http://site.internal/
>> ProxyPreserveHost On
>>
>> <Location />
>> AuthType Basic
>> AuthName "Restricted Area"
>> AuthUserFile /usr/local/apache/access-file
>> Require valid-user
>> </Location>
>>
>> </VirtualHost>
>>
>> However this configuration does not work, however if I remove basic
>> auth I can get through:
>>
>> <VirtualHost *:443>
>>
>> ProxyPass / http://site.internal/ retry=0
>> ProxyPassReverse / http://site.internal/
>> ProxyPreserveHost On
>>
>> <Location />
>> AuthType Basic
>> AuthName "AFC Restricted Access"
>> AuthUserFile /user/local/apache/access-file
>> Require valid-user
>> </Location>
>>
>> </VirtualHost>
>>
>> What am I missing?
>>
>
> Anything in the apache logs?
>
> I can't see anything straight off that's wrong.
>
> Here's the recipe I use which is known to work:
>
> http://squiddy.blog.dionic.net/2011/06/apache-22-pam-authentication-and-ssl.html
>
> That breaks it down a bit, and does more (always does an SSL redirect for an
> auth'd location for security) but it should work for you if you change the
> Auth* lines in /etc/apache2/snippets/auth
>
> I tend to dispense with ProxyPass in favour of Rewrite rules with the Proxy
> flag - just for my sanity, as then I can be sure of the order of execution
> of the various rewrites.
>
> But I do a lot of what you are doing (in my case, proxy through to various
> tomcat servers) mixed with PAM (ultimately LDAP) auth - but any auth method
> will work with the recipe above...
>
> It looks fiddly, but there is an explanation and the snippets/* files are
> invariant across sites/servers (unless you need different auth methods or
> files of course).
>
> Sorry - in a rush, supper cooked - I'll come back later if anything doesn't
> make sense...
>
> Cheers
>
> Tim
>
> --
> Tim Watts
> Personal Blog: http://www.dionic.net/tim/
>
>

I got it working now. I didn't see anything in the logs to start with
because I wasn't checking the ssl logs.
It was a simple typo. I used 'user' and not 'usr'

AuthUserFile /user/local/apache/access-file
changed to
AuthUserFile /usr/local/apache/access-file

Thanks for your help Tim.
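
The failure resolved in this thread, as an added example that is not part of the original post or of Apache httpd: a Python check that reads a configuration and reports, per VirtualHost, every AuthUserFile that does not exist or cannot be read. The name `check_auth_files` and the temporary-directory layout are assumptions; the sample config is constructed from the two vhosts quoted in the thread.

```python
import os
import re
import tempfile

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)
AUTHFILE = re.compile(r"AuthUserFile\s+(.+)", re.I)


def check_auth_files(conf_text, server_root="/"):
    """Return (vhost, path, problem) for each AuthUserFile that is missing or unreadable."""
    findings, vhost = [], "(global)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            vhost = m.group(1).strip()
        elif CLOSE.match(line):
            vhost = "(global)"
        else:
            m = AUTHFILE.match(line)
            if m:
                path = m.group(1).strip().strip('"')
                # Relative paths resolve against ServerRoot; absolute ones are kept.
                full = os.path.join(server_root, path)
                if not os.path.isfile(full):
                    findings.append((vhost, path, "missing"))
                elif not os.access(full, os.R_OK):
                    findings.append((vhost, path, "unreadable"))
    return findings


def demo():
    """Constructed sample: the thread's two vhosts, rooted in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "usr/local/apache/access-file")
        os.makedirs(os.path.dirname(good))
        with open(good, "w") as fh:
            fh.write("placeholder-user:placeholder-hash\n")  # constructed entry
        conf = "\n".join(
            f"<VirtualHost *:{port}>\n<Location />\nAuthType Basic\n"
            f"AuthUserFile {root}/{top}/local/apache/access-file\n"
            "Require valid-user\n</Location>\n</VirtualHost>"
            for port, top in ((80, "usr"), (443, "user")))
        return root, check_auth_files(conf)


if __name__ == "__main__":
    print(demo()[1])
```

Run it as the account httpd runs under, since `os.access` tests the current user's permissions rather than the server's.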



Re: [users@httpd] Basic Auth with ProxyPass Through SSL

Posted by Tim Watts <tw...@dionic.net>.
On 28/07/11 19:23, Joel Donahue wrote:
> I am setting up a reverse proxy to an internal webserver from an
> apache server with a public IP. I want to use Basic Auth and SSL on
> the public apache server which then forwards standard http, non-ssl
> traffic, to the internal webserver. Basic auth with ProxyPass works
> perfectly without using ssl but when using ssl the browser prompts me
> for the credentials but apache never accepts them as valid. Accessing
> the internal site with ssl and ProxyPass WITHOUT basic auth required
> works as well.
>
> This configuration works great without using ssl:
>
> <VirtualHost *:80>
>
> ProxyPass / http://site.internal/ retry=0
> ProxyPassReverse / http://site.internal/
> ProxyPreserveHost On
>
> <Location />
> AuthType Basic
> AuthName "Restricted Area"
> AuthUserFile /usr/local/apache/access-file
> Require valid-user
> </Location>
>
> </VirtualHost>
>
> However this configuration does not work, however if I remove basic
> auth I can get through:
>
> <VirtualHost *:443>
>
> ProxyPass / http://site.internal/ retry=0
> ProxyPassReverse / http://site.internal/
> ProxyPreserveHost On
>
> <Location />
> AuthType Basic
> AuthName "AFC Restricted Access"
> AuthUserFile /user/local/apache/access-file
> Require valid-user
> </Location>
>
> </VirtualHost>
>
> What am I missing?
>
>

Anything in the apache logs?

I can't see anything straight off that's wrong.

Here's the recipe I use which is known to work:

http://squiddy.blog.dionic.net/2011/06/apache-22-pam-authentication-and-ssl.html

That breaks it down a bit, and does more (always does an SSL redirect 
for an auth'd location for security) but it should work for you if you 
change the Auth* lines in /etc/apache2/snippets/auth

I tend to dispense with ProxyPass in favour of Rewrite rules with the 
Proxy flag - just for my sanity, as then I can be sure of the order of 
execution of the various rewrites.

But I do a lot of what you are doing (in my case, proxy through to 
various tomcat servers) mixed with PAM (ultimately LDAP) auth - but any 
auth method will work with the recipe above...

It looks fiddly, but there is an explanation and the snippets/* files 
are invariant across sites/servers (unless you need different auth 
methods or files of course).

Sorry - in a rush, supper cooked - I'll come back later if anything 
doesn't make sense...

Cheers

Tim

-- 
Tim Watts
Personal Blog: http://www.dionic.net/tim/
