How can I protect a Tomcat webapp that's reverse proxied in an Apache2 virtual host using basic authentication?

StackOverflow https://stackoverflow.com/questions/8984880

Question

I'm having trouble figuring out how to add basic HTTP authentication to password-protect a development testing environment running on a production web server. Both the main site and the testing environment are virtual hosts that use AJP proxying to serve separate instances of Tomcat webapps. We need to prevent the public from accessing the testing environment without making changes to web.xml in the Tomcat environment; the protection must be achieved with Apache, not Tomcat. However, the ProxyPass and ProxyPassReverse directives in the virtual host seem to override the use of .htaccess or anything I put in a <Directory> control block, while it seems that I cannot use directives like AuthType in the main body of the <VirtualHost> control block alongside them. I'm not very experienced with Apache (or Tomcat) and am unsure about which directives can apply where and which might override others. Because the changes need to be made on a production server, I can't easily experiment for fear of causing any downtime.

The httpd.conf itself is very simple:

LoadModule  proxy_http_module   /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule  headers_module      /usr/lib/apache2/modules/mod_headers.so

LoadFile    /usr/lib/libxml2.so

The relevant virtual host file, /etc/apache2/sites-available/dev443 is as follows:

<IfModule mod_ssl.c>
<VirtualHost dev.mydomain.com:80443>
    ServerName  dev.mydomain.com:80443
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/dev

    ProxyPass / ajp://127.0.0.1:8010/
    ProxyPassReverse / ajp://127.0.0.1:8010/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/dev/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All 
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/intermediate.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

Can I move the AJP proxy configuration within a control block? I had a look at this StackOverflow Q&A that suggests it supports authentication. Would it be supported inside a control block (the solution has it in httpd.conf)?

Currently, we're filtering by IP using the firewall, but a few people involved in the project need access to the testing environment from home and they don't have fixed IP addresses for their Internet connections, so password protection would involve less maintenance in the long run and offer more flexibility for remote work.

For the record, the following versions are involved: Apache: 2.2.14 / Tomcat: 7.0.23 / Java: SE 1.6.0_26-b03 / OS: Ubuntu 10.04 LTS


Solution

A working solution, proposed by Shane Madden, can be found here. The documentation specifies that the contexts in which the relevant directives are allowed include <Directory>, but there's no mention there of <Location>, although it seems that <Directory> and <Location> are effectively equivalent/interchangeable, except for the distinction of the source of the content. The following achieves what I wanted:

<Location />
    ProxyPass ajp://127.0.0.1:8010/
    ProxyPassReverse ajp://127.0.0.1:8010/
    AuthType Basic
    AuthName "something"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
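The three directives `AuthType Basic`, `AuthUserFile` and `Require valid-user` in the `<Location />` block above make Apache do the same thing on every request, including the ones handed to Tomcat over AJP: decode the `Authorization: Basic` header, look the user up in the htpasswd file and compare the password against the stored hash. The following Python script is an added example (not from the question, the answer or the Apache project) that models that check offline, so you can see exactly what the proxy is enforcing and why an entry in an unsupported format fails closed. It implements the `$apr1$` (Apache MD5, `htpasswd -m`) and `{SHA}` (`htpasswd -s`) formats; the bcrypt format that newer `htpasswd` releases write is not modelled and is simply rejected. The htpasswd content, user names, salt and passwords are constructed for the demonstration.

```python
"""Offline model of mod_auth_basic + AuthUserFile + Require valid-user.
Example code added to this page; all credentials below are constructed."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Alphabet used by Apache's apr_md5_encode() for the $apr1$ output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ MD5-crypt variant (apr_md5_encode): 1000 rounds, salt <= 8 chars."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, one block per 16 pw bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                # historical quirk: one byte per set bit
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for rnd in range(1000):                   # key stretching, as in md5-crypt
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sb)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    b = final
    enc = (_to64((b[0] << 16) | (b[6] << 8) | b[12], 4)
           + _to64((b[1] << 16) | (b[7] << 8) | b[13], 4)
           + _to64((b[2] << 16) | (b[8] << 8) | b[14], 4)
           + _to64((b[3] << 16) | (b[9] << 8) | b[15], 4)
           + _to64((b[4] << 16) | (b[10] << 8) | b[5], 4)
           + _to64(b[11], 2))
    return f"$apr1${salt}${enc}"


def sha_hash(password: str) -> str:
    """The {SHA} format: base64 of a single unsalted SHA-1 (weak; shown for completeness)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse user:hash lines; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify_entry(stored: str, password: str) -> bool:
    """Constant-time comparison against the supported hash formats; fail closed otherwise."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_hash(password), stored)
    return False  # bcrypt, crypt(3) and plaintext entries are not modelled here


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Basic <base64(user:password)>', or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(header: Optional[str], htpasswd_text: str) -> bool:
    """What `Require valid-user` decides for one request: True only for a known user with a matching password."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = load_htpasswd(htpasswd_text).get(user)
    return stored is not None and verify_entry(stored, password)


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends; note it is only base64, hence TLS is mandatory."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample file, as `htpasswd -m` and `htpasswd -s` would write it.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed example, not a real credential store",
    "dev-alice:" + apr1_hash("correct horse", "Zj7qBB3f"),
    "dev-bob:" + sha_hash("battery staple"),
    "legacy:plaintext-entry-is-rejected",
])

if __name__ == "__main__":
    print(authorize(basic_header("dev-alice", "correct horse"), SAMPLE_HTPASSWD))
    print(authorize(basic_header("dev-alice", "wrong"), SAMPLE_HTPASSWD))
```

Two properties of the real setup are visible in the model: the header carries the password in clear base64, so the `SSLEngine on` in the virtual host is what keeps the credentials confidential on the wire, and whatever hash format the entry uses is what an attacker who obtains the htpasswd file has to crack, which is why the unsalted `{SHA}` format and plaintext entries should be avoided in favour of the MD5 variant on Apache 2.2 or bcrypt where the `htpasswd` build supports it.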

Licensed under: CC-BY-SA with attribution