Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

apache - Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user

Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).

However, what I would like to do is be able to use Apache to handle the authentication so that:

  1. I don't have to give out single password to everyone
  2. I can have multiple usernames and passwords using Apache's BasicAuth
  3. For internal users, I don't have to prompt for a password

EDIT: Second part about richer authentication has been moved to new question

Here's more or less what I have now:

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)

Enable the mod_headers module if not already done.

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:

SetEnvIf Remote_Addr "127.0.0.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

EXAMPLE

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...