Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user
https://stackoverflow.com/questions/567814
-
05-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).
However, what I would like to do is be able to use Apache to handle the authentication so that:
- I don't have to give out
singlepassword to everyone I can have multiple usernames and passwords using Apache's BasicAuthFor internal users, I don't have to prompt for a password
EDIT: Second part about richer authentication has been moved to new question
Here's more or less what I have now:
<VirtualHost *:80>
ServerName sub.domain.com
ProxyPass / http://192.168.1.253:8080/endpoint
ProxyPassReverse / http://192.168.1.253:8080/endpoint
# The endpoint has a mandatory password that I want to avoid requiring users to type
# I.e. something like this would be nice (but does not work)
# ProxyPass / http://username:password@192.168.1.253:8080/endpoint
# ProxyPassReverse / http://username:password@192.168.1.253:8080/endpoint
# Also need to be able to require a password to access proxy for people outside local subnet
# However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint
# Ideas?
</VirtualHost>
Solution
Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)
Enable the mod_headers module if not already done.
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:
SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
- http://en.wikipedia.org/wiki/Basic_access_authentication
- http://httpd.apache.org/docs/2.0/mod/mod_headers.html
- http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
EXAMPLE
# ALL remote users ALWAYS authenticate against reverse proxy's
# /www/conf/passwords database
#
<Directory /var/web/pages/secure>
AuthBasicProvider /www/conf/passwords
AuthType Basic
AuthName "Protected Area"
Require valid-user
</Directory>
# reverse proxy authenticates against master server as:
# Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
OTHER TIPS
Well I used your example to point to two IP cameras using apache proxypass. When I used the syntax user:password@camarafeliz3.compufiber.com and accessed through an iphone I got a security message from safari (iphone navigator) so I changed the example to work well with and iPhone 4S
<Location /camarafeliz1/ >
# usuario admin password 123456
ProxyPass http://192.168.0.39/
ProxyPassReverse http://192.168.0.39/
RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
# usuario admin password 123456
ProxyPass http://192.168.0.99/
ProxyPassReverse http://192.168.0.99/
RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
and the iphone 4s stopped complaining about security because of user and password in the link.
