Question

I have a site that uses an Apache reverse proxy to combine an old IIS system with some new Rails functionality (same database). This works fine.

For staging I have created a beta site, the same as above except that I use IP address and digest-authorization to only allow developers access. This works fine for IP addresses.

However, when I use digest-authorization my reverse proxied /stylesheets folder (which points to an Amazon S3 bucket) is blocked with an error like the following:

InvalidArgument
Unsupported Authorization Type
Digest username="danv", realm="BETA-ACCESS", nonce="ZiudHuLlBAA=d9fa13adaa4f0bd37e3faa7b30ed6bd60a5570b2", uri="/stylesheets/default/screen.css", algorithm=MD5, response="7e1bc11912474647756537bb0bd3e488", qop=auth, nc=00000007, cnonce="ed4a08fc70364cb9"
Authorization
0E3F4E27386E0A00
BTZfZ5Uv4PwuMzOCoIYhorPEuPOdNusLZjTDowqlZXImxZ0bLjt22B9Y5v7wc8+4

I have searched the web but cannot find anything about this behavior.

Here are the relevant parts of the virtual host file:

# IP and DIGEST ACCESS
<Proxy *>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Include "D:\wamp\admin-allow.inc"
    AuthType Digest
    # realm associated with digest passwd
    AuthName "BETA-ACCESS"
    AuthDigestDomain /
    AuthUserFile "D:/wamp/digest"
    Require valid-user
    Satisfy Any
</Proxy>

# Reverse proxy pointing to CNAME that points to:
#  http://lib.decdynamics.com.s3.amazonaws.com/stylesheets
ProxyPass /stylesheets http://lib.decdynamics.com/stylesheets
ProxyPassReverse /stylesheets http://lib.decdynamics.com/stylesheets

Here is a URL showing direct access to a stylesheet:
http://lib.decdynamics.com/stylesheets/default/screen.css

Here is the same stylesheet accessed via digest-authorization (of course login required):
http://beta.decdynamics.com/stylesheets/default/screen.css

What am I doing wrong?

Is it possible to exclude the /stylesheets folder from authorization?


Solution 2

Thanks drco for the inspiration.

I decided to create a working example based on my real website (domain names and ip addresses are not real).

Note I had to use Location elements to isolate the /stylesheets, /images and /javascript folders. In future I will use a single /assets folder to DRY this up a bit.

I have a WAMP-based Apache server acting as a reverse proxy to blend Windows IIS server subfolders with a Linux-based Rails server, with Rails assets coming from Amazon S3. Now when I do development with this site it is protected using Digest Authorization, which also allows me to let a small number of clients directly access the beta.

#========================
# B E T A . E X A M P L E . C O M
#
<VirtualHost *:80>
  ServerAdmin admin@example.com
  ServerName    beta.example.com
  ServerAlias   www.beta.example.com
  DocumentRoot "D:/wamp/www_proxy"
  ErrorLog "D:/wamp/logs/beta.example.com-error.log"
  CustomLog "D:/wamp/logs/beta.example.com-access.log" combined

  ProxyRequests Off
  <Proxy *>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Include "D:\wamp\admin-allow.inc"
    AuthType Digest
    # realm associated with digest passwd
    AuthName "BETA-ACCESS"
    AuthDigestDomain /
    AuthUserFile "D:/wamp/digest"
    Require valid-user
    Satisfy Any
  </Proxy>

  # I I S
  ProxyPass /ddaps http://localhost:8104/ddaps
  ProxyPassReverse /ddaps http://localhost:8104/ddaps

  ProxyPass /admin http://localhost:8104/admin
  ProxyPassReverse /admin http://localhost:8104/admin

  ProxyPass /themes http://localhost:8104/themes
  ProxyPassReverse /themes http://localhost:8104/themes

  # RAIL ASSETS
  ProxyPass /stylesheets http://lib.example.com/stylesheets
  ProxyPassReverse /stylesheets http://lib.example.com/stylesheets
  <Location /stylesheets>
    # Strip the client's Digest credentials before the request is forwarded to S3 (needs mod_headers)
    RequestHeader unset Authorization
  </Location>

  ProxyPass /images http://lib.example.com/images
  ProxyPassReverse /images http://lib.example.com/images
  <Location /images>
    RequestHeader unset Authorization
  </Location>

  ProxyPass /javascripts http://lib.example.com/javascripts
  ProxyPassReverse /javascripts http://lib.example.com/javascripts
  <Location /javascripts>
    RequestHeader unset Authorization
  </Location>

  # R A I L S
  ProxyPass / http://xxx.xxx.xxx.xxx:8104/
  ProxyPassReverse / http://xxx.xxx.xxx.xxx:8104/

</VirtualHost>


OTHER TIPS

My guess is that your proxy is sending the Authorization header to S3 and S3 responds with that error. This is because S3 uses the same Authorization header to authorize API requests and it does not support basic or digest authentication on its own.

Do a test towards a local backend and verify what request headers are being sent by the proxy. If the Authorization header is indeed present, rewrite the request on the proxy to remove it before it's sent to the S3 backend.
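
The local-backend test suggested above, as an added example that is not part of the original answers: a throwaway backend that reports whether the proxy forwarded credential headers, logging only the auth scheme and never the credential. The port 8099 and the names leaked_credentials and EchoHandler are assumptions made for this sketch; temporarily point one ProxyPass line at http://127.0.0.1:8099/ to use it.

```python
"""Header-echo backend: shows which credential headers a reverse proxy forwards."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that carry credentials meant for the proxy, not for the backend.
SENSITIVE = ("authorization", "proxy-authorization")


def leaked_credentials(headers):
    """Return {header name: auth scheme} for each sensitive header present."""
    found = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE:
            # Keep only the scheme (e.g. "Digest"); the credential is not logged.
            parts = value.split(None, 1)
            found[name.lower()] = parts[0] if parts else "<empty>"
    return found


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        leaks = leaked_credentials(self.headers)
        verdict = "LEAK %s" % leaks if leaks else "clean"
        # One line per proxied request on the console of the test backend.
        print("%s %s -> %s" % (self.command, self.path, verdict))
        body = (verdict + "\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8099):  # port is an assumption; any free local port works
    HTTPServer(("127.0.0.1", port), EchoHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

With RequestHeader unset Authorization in place for the proxied path, the reply should read clean. The browser is still challenged for the Digest login, because mod_headers removes the header in its default late phase, after authentication has run.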

Licensed under: CC-BY-SA with attribution