63

Trying to configure my reverse proxy with basic authentication before forward the traffic to my back end server. Can any one give me a solution.

Example here:

User(internet) -> reverse proxy / vhosts server (need to add basic authentication here ) -> back end server ( non authenticated )

Vincent P
  • 761
  • 1
  • 5
  • 6

3 Answers3

94

You can follow the instructions here: Authentication, Authorization and Access Control. The main difference for your reverse proxy is that you'll want to put the auth stuff inside a Location block, even though the docs say that they're only allowed in Directory blocks:

<Location />
    AuthType Basic
    ...
</Location>

Outside the Location block you can put your proxy commands, such as:

ProxyPass / http://localhost:8080/
Nico
  • 3,430
  • 4
  • 20
  • 27
Lawrence Kesteloot
  • 4,149
  • 2
  • 31
  • 28
  • 5
    for the record the [doc](http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context) does indicate it works in this context. "directory A directive marked as being valid in this context may be used inside , , , and containers in the server configuration files, subject to the restrictions outlined in Configuration Sections." – Pete Apr 23 '14 at 18:30
  • 1
    Thankyou! I've linked to this at this DigitalOcean tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-16-04?comment=76154 – Nikhil VJ Dec 30 '18 at 13:57
  • 2
    For any other newbies like myself, _do not remove the " /" at the end of "", this is intentional and is actually a URL path and not a typo in the answer, you will get "location directive requires additional arguments" if you remove it. – Josh Mc Jan 26 '21 at 02:54
46

First, check if your apache2 has the utils package

sudo apt-get install apache2-utils

Then, set the username and password.

sudo htpasswd -c /etc/apache2/.htpasswd <username>

After that, edit your reverse proxy to use the authentication

<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass / http://someaddress:1234/
    ProxyPassReverse / http://someaddress:1234/

    Timeout 5400
    ProxyTimeout 5400

    ServerName dev.mydomain.com
    ServerAlias *.dev.mydomain.com

    <Proxy *>
        Order deny,allow
        Allow from all
        Authtype Basic
        Authname "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</virtualhost>

At least, update your apache

sudo service apache2 reload
Community
  • 1
  • 1
Thiago Mata
  • 2,825
  • 33
  • 32
  • 1
    I did exactly this, and I know it is reading the .htpasswd file (If i mistype the filename, or remove it, apache will complain). However, when I add a user with a password, the username/password will not work. Any idea why? – Stefan Hendriks Apr 12 '18 at 15:18
  • 3
    this is the simplest solution and this is what i followed. – Christian Noel Jun 19 '18 at 03:00
  • @StefanHendriks - The '-c' switch with htpasswd creates the file. If you used it after you entered the first user then only the last user created would have the proper credentials. – rabinnh Nov 28 '18 at 15:10
19

Here's the config I have used to accomplish basic authentication over https against a database. My backend server is running Tomcat and I connect to it using AJP. The funny port number (4443) is because the standard port (443) was already used, and I didn't want to configure several https services on the same port.

<IfModule mod_ssl.c>
NameVirtualHost *:4443
<VirtualHost *:4443>
        ServerAdmin webmaster@localhost
        ServerName ws.myserver.se
        ServerAlias ws.myserveralias.se
        ErrorLog /var/log/apache2/ajpProxy.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel info

        CustomLog /var/log/apache2/ajpProxy.log combined

        DBDriver mysql
        DBDParams "host=127.0.0.1 port=3306 user=proxyAuthUser pass=yourDbPasswordHere dbname=yourDbName"
        DBDMin  4
        DBDKeep 8
        DBDMax  20
        DBDExptime 300        

        <Proxy *>
              # core authentication and mod_auth_basic configuration
              # for mod_authn_dbd
              AuthType Basic
              AuthName "Backend auth name"
              AuthBasicProvider dbd

             # core authorization configuration
              Require valid-user

              # mod_authn_dbd SQL query to authenticate a user
              AuthDBDUserPWQuery \
                "SELECT password FROM user WHERE emailAddress = %s"

              AddDefaultCharset Off
              Order deny,allow
              Allow from all
        </Proxy>

        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/apache2/ssl/yourCertificateFile.crt
        SSLCertificateKeyFile /etc/apache2/ssl/yourPrivateKeyFile.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Daniel Wahlberg
  • 221
  • 2
  • 5