Apache reverse proxy with basic authentication
Problem Overview
Trying to configure my reverse proxy with basic authentication before forwarding the traffic to my back-end server. Can anyone give me a solution?
Example here:
User (internet) -> reverse proxy / vhosts server (need to add basic authentication here) -> back-end server (non-authenticated)
Apache Solutions
Solution 1 - Apache
You can follow the instructions here: Authentication, Authorization and Access Control. The main difference for your reverse proxy is that you'll want to put the auth stuff inside a Location block, even though the docs say that they're only allowed in Directory blocks:
<Location />
    AuthType Basic
    ...
</Location>
Outside the Location block you can put your proxy commands, such as:
ProxyPass / http://localhost:8080/
Solution 2 - Apache
First, check if your apache2 has the utils package
sudo apt-get install apache2-utils
Then, set the username and password.
sudo htpasswd -c /etc/apache2/.htpasswd <username>
After that, edit your reverse proxy to use the authentication
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://someaddress:1234/
    ProxyPassReverse / http://someaddress:1234/
    Timeout 5400
    ProxyTimeout 5400
    ServerName dev.mydomain.com
    ServerAlias *.dev.mydomain.com
    <Proxy *>
        # Order/Allow is Apache 2.2 access-control syntax; on 2.4 it needs mod_access_compat
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>
Lastly, update your Apache:
sudo service apache2 reload
Solution 3 - Apache
Here's the config I have used to accomplish basic authentication over https against a database. My backend server is running Tomcat and I connect to it using AJP. The funny port number (4443) is because the standard port (443) was already used, and I didn't want to configure several https services on the same port.
<IfModule mod_ssl.c>
NameVirtualHost *:4443
<VirtualHost *:4443>
    ServerAdmin webmaster@localhost
    ServerName ws.myserver.se
    ServerAlias ws.myserveralias.se
    ErrorLog /var/log/apache2/ajpProxy.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info
    CustomLog /var/log/apache2/ajpProxy.log combined
    DBDriver mysql
    DBDParams "host=127.0.0.1 port=3306 user=proxyAuthUser pass=yourDbPasswordHere dbname=yourDbName"
    DBDMin 4
    DBDKeep 8
    DBDMax 20
    DBDExptime 300
    <Proxy *>
        # core authentication and mod_auth_basic configuration
        # for mod_authn_dbd
        AuthType Basic
        AuthName "Backend auth name"
        AuthBasicProvider dbd
        # core authorization configuration
        Require valid-user
        # mod_authn_dbd SQL query to authenticate a user
        AuthDBDUserPWQuery \
            "SELECT password FROM user WHERE emailAddress = %s"
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/apache2/ssl/yourCertificateFile.crt
    SSLCertificateKeyFile /etc/apache2/ssl/yourPrivateKeyFile.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
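A pre-deployment check for configurations like those in Solution 2 and Solution 3, added here as an example and not part of any answer above: it flags proxying virtual hosts that have no authentication, or that use Basic auth (credentials are only base64-encoded) without TLS. The sample configs are constructed and abbreviated from the answers; `has()` and `audit()` are hypothetical helper names, and the check assumes a directive anywhere inside the vhost applies to the proxied paths.

```python
import re

# Constructed samples, abbreviated from the configurations quoted on this page.
SOLUTION_2 = """
<VirtualHost *:80>
    ProxyPass / http://someaddress:1234/
    <Proxy *>
        AuthType Basic
        Require valid-user
    </Proxy>
</VirtualHost>
"""
SOLUTION_3 = """
<VirtualHost *:4443>
    SSLEngine on
    <Proxy *>
        AuthType Basic
        Require valid-user
    </Proxy>
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
"""
NO_AUTH = """
<VirtualHost *:80>
    ProxyPass / http://localhost:8080/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def has(directive, body):
    """True if a non-comment line in body starts with the given directive pattern."""
    return re.search(rf"^\s*{directive}\b", body, re.I | re.M) is not None

def audit(conf):
    """Return (vhost address, finding) pairs for every proxying vhost in conf."""
    findings = []
    for addr, body in VHOST.findall(conf):
        if not has("ProxyPass", body):
            continue  # not a reverse-proxy vhost
        basic = has(r"AuthType\s+Basic", body)
        if not (basic and has(r"Require\s+(valid-user|user|group)", body)):
            findings.append((addr, "proxied without authentication"))
        elif not has(r"SSLEngine\s+on", body):
            findings.append((addr, "Basic credentials sent without TLS"))
    return findings

print(audit(SOLUTION_2), audit(SOLUTION_3), audit(NO_AUTH))
```

A vhost whose TLS is terminated on a separate load balancer will be flagged by the second check; treat that finding as a prompt to confirm where encryption actually happens.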