70

Trying to configure my reverse proxy with basic authentication before forwarding the traffic to my back end server. Can anyone give me a solution?

Example here:

User(internet) -> reverse proxy / vhosts server (need to add basic authentication here ) -> back end server ( non authenticated )

3 Answers

102

You can follow the instructions here: Authentication, Authorization and Access Control. The main difference for your reverse proxy is that you'll want to put the auth stuff inside a Location block, even though the docs say that they're only allowed in Directory blocks:

<Location />
    AuthType Basic
    ...
</Location>

Outside the Location block you can put your proxy commands, such as:

ProxyPass / http://localhost:8080/

3 Comments

For the record, the doc does indicate it works in this context. "directory A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, and <Proxy> containers in the server configuration files, subject to the restrictions outlined in Configuration Sections."
Thank you! I've linked to this at this DigitalOcean tutorial: digitalocean.com/community/tutorials/…
For any other newbies like myself, do not remove the " /" at the end of "<Location />", this is intentional and is actually a URL path and not a typo in the answer, you will get "location directive requires additional arguments" if you remove it.
52

First, check if your apache2 has the utils package

sudo apt-get install apache2-utils

Then, set the username and password.

sudo htpasswd -c /etc/apache2/.htpasswd <username>

After that, edit your reverse proxy to use the authentication

<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass / http://someaddress:1234/
    ProxyPassReverse / http://someaddress:1234/

    Timeout 5400
    ProxyTimeout 5400

    ServerName dev.mydomain.com
    ServerAlias *.dev.mydomain.com

    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>

Finally, update your Apache

sudo service apache2 reload

3 Comments

I did exactly this, and I know it is reading the .htpasswd file (if I mistype the filename, or remove it, Apache will complain). However, when I add a user with a password, the username/password will not work. Any idea why?
This is the simplest solution and this is what I followed.
@StefanHendriks - The '-c' switch with htpasswd creates the file. If you used it after you entered the first user then only the last user created would have the proper credentials.
19

Here's the config I have used to accomplish basic authentication over https against a database. My backend server is running Tomcat and I connect to it using AJP. The funny port number (4443) is because the standard port (443) was already used, and I didn't want to configure several https services on the same port.

<IfModule mod_ssl.c>
NameVirtualHost *:4443
<VirtualHost *:4443>
        ServerAdmin webmaster@localhost
        ServerName ws.myserver.se
        ServerAlias ws.myserveralias.se
        ErrorLog /var/log/apache2/ajpProxy.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel info

        CustomLog /var/log/apache2/ajpProxy.log combined

        DBDriver mysql
        DBDParams "host=127.0.0.1 port=3306 user=proxyAuthUser pass=yourDbPasswordHere dbname=yourDbName"
        DBDMin  4
        DBDKeep 8
        DBDMax  20
        DBDExptime 300        

        <Proxy *>
              # core authentication and mod_auth_basic configuration
              # for mod_authn_dbd
              AuthType Basic
              AuthName "Backend auth name"
              AuthBasicProvider dbd

              # core authorization configuration
              Require valid-user

              # mod_authn_dbd SQL query to authenticate a user
              AuthDBDUserPWQuery \
                "SELECT password FROM user WHERE emailAddress = %s"

              AddDefaultCharset Off
              Order deny,allow
              Allow from all
        </Proxy>

        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/apache2/ssl/yourCertificateFile.crt
        SSLCertificateKeyFile /etc/apache2/ssl/yourPrivateKeyFile.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
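
Added example, not part of any answer above: a small Python check that reads Apache configuration text and reports, for each proxying `<VirtualHost>`, whether Basic auth covers every proxied URL (via `<Location />` or `<Proxy *>`), whether that auth is served without `SSLEngine on`, and whether the unauthenticated back end is on another host. The function name, issue labels and sample configuration are assumptions made for illustration; the sample is constructed and trimmed to the directives the check reads.

```python
import re
from urllib.parse import urlsplit
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
VHOST = re.compile(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>")
# Containers that cover every proxied URL: <Location /> or <Proxy *>
COVER = re.compile(r"(?is)<(?:Location\s+/|Proxy\s+\*)\s*>(.*?)</(?:Location|Proxy)>")

def has(directive, text):
    return re.search(rf"(?im)^\s*{directive}\b", text) is not None

def audit_vhosts(conf):
    """Return (listen_address, issues) for every <VirtualHost> that proxies."""
    results = []
    for listen, body in VHOST.findall(conf):
        body = re.sub(r"(?m)^\s*#.*$", "", body)  # ignore commented-out directives
        backends = re.findall(r"(?im)^\s*ProxyPass\s+\S+\s+(\S+)", body)
        issues = []
        if not any(has(r"AuthType\s+Basic", b) and has(r"Require\s+valid-user", b)
                   for b in COVER.findall(body)):
            issues.append("no-basic-auth")           # back end reachable unauthenticated
        elif not has(r"SSLEngine\s+on", body):
            issues.append("basic-auth-without-tls")  # password is only base64-encoded
        if any(urlsplit(b).hostname not in LOOPBACK for b in backends):
            issues.append("remote-backend")          # firewall back end to the proxy only
        if backends:
            results.append((listen.strip(), issues))
    return results

# Constructed sample, modelled on the configurations in the answers above.
SAMPLE = """
<VirtualHost *:80>
    ProxyPass / http://someaddress:1234/
    <Proxy *>
        AuthType Basic
        Require valid-user
    </Proxy>
</VirtualHost>
<VirtualHost *:4443>
    SSLEngine on
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
<VirtualHost *:8081>
    ProxyPass / http://localhost:8080/
</VirtualHost>
"""
print(audit_vhosts(SAMPLE))
```

A loopback back end can still listen on every interface, which the proxy configuration cannot reveal, so the back end's own bind address needs checking separately.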
