Topic: Reverse proxy authentication

[drhigh5]

Hi, I am running a reverse proxy on my windows 2008 r2 (64 bit) server in the UK with Apache 2.063.

I can use this proxy in my browsers in Singapore through a designated port and it works a treat.

I have locked down by IP address for security but I now want to add username and password authentication.

Is there a config script I can used in my httpd.conf or ssl.conf file or do I need a module such as mod_security?

Any help is much appreciated.

[glsmith]

http://httpd.apache.org/docs/2.0/howto/auth.html

[drhigh5]

Thank you, spot on!

[drhigh5]

Ok I have created a password file and I have tried adding the AuthType etc. to my httpd.conf file but it won't accept when I restart the service.
It says 'Error Authtype not allowed here'

So I have created a .htaccess file instead but as this is specific to a directory I am a bit stumped.

The proxy server works for all internet pages so where do I put the file?

I have tried in the root of the server c drive and the htdocs folder within the apache folders but it does nothing.

Sorry if I am being a bit dim!

[glsmith]

Authentication must be configured in the Directory context.
Or, to use from an htaccess file it must be an allowed override e.g.

AllowOverride AuthConfig

in the Directory context.

<Directory /usr/local/httpd/htdocs>
Options Indexes FollowSymLinks
AllowOverride FileInfo AuthConfig
....
</Directory>

[drhigh5]

I really appreciate your help on this but I am afraid I am still not there.

I was using the AllowOverride in the directory context. It won't let me use the command outside of a directory, the server won't start and says not allowed.

I am a little puzzled about the location of the directory.

You suggest this directory: <Directory /usr/local/httpd/htdocs>

I don't have this directory on my server. I have /users/ then either /Administrator /Default or /Public

Then under these I don't have /httpd/htdocs

Do I have to create this directory?

This is what I am trying (obviously without success!) in my httpd.conf

<Directory />
Options FollowSymLinks
AllowOverride FileInfo AuthConfig
Order deny,allow
Allow from all
</Directory>

and because this folder exists with an index.html file in it (saying 'it works') this one:

<Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs">
Options FollowSymLinks
AllowOverride FileInfo AuthConfig
</Directory>

I am putting the .htpaccess file in both directories above.

I think once I see it working the logic will click into place as to how it works but right now I am still missing a piece of the jigsaw to understand this.

[glsmith]

No, I do not suggest any directory, that was an example and pulled from the docs.

a-hah ...

.htpaccess ... if that is not simply a typo here ... that would be problematic.
there is no "p" in the filename ... just .htaccess

.htaccess
---------------------------
AuthName "Can be anything" <- make sure to quote if more than one word
AuthType Basic
AuthUserFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/.htpasswd" <- make sure to quote
Require valid-user

.htpasswd
-----------------------------
username:md5crypted_password

[drhigh5]

Grrr this is driving me mad!

Yes it was a typo I was using .htaccess

I have configured exactly as you have stipulated and the browser still works without prompting for a username and password!

Try it. In your browser use this proxy:

82.197.77.142 port: 24689

Why won't the authentication work? It just ignores it.

I restart the apache server each time I make a change.

I have used quotes, named files correctly.

The only thing I don't understand is how the proxy server feeds the webpages. How does it do it from the htdocs directory (C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs) when this folder is emtpy apart from a single index.html?

Saying that in my httpd.conf I have the line:
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"

Could it be that this config I am trying here is for a normal internal proxy within a LAN intranet and won't work for a WAN reverse proxy?

[glsmith]

[drhigh5]

Ah ok, now before I start should this be placed in the httpd.conf or the .htaccess file?

I presume the former and if this is the case do I now scrub .htaccess?

Also I take it where you state 'Require valid-user'
In my case if the user id is drhigh5 the line should read:
Require user drhigh5

Thanks for all your help!

[glsmith]

yes .. httpd.conf
yes .. can get rid of htaccess

It did not work for me using
Require user username ....

Require valid-user
is a valid statement, that way you do not need to require a thousand users individually.

[drhigh5]

Well we are getting there lol!

Ok I now have the authentication box pop up.

However when I type in the username and password it won't accept it. Just pops back up.

Are you using htpasswd.exe to generate your password?

[glsmith]

yes!

[drhigh5]

You are a star!

Working perfectly!

Thank you for your patience and help!

[mute]

Hello,

I hope you can help me with this, the discussion sounded like you had a similar problem. Here is what I am trying to do: I am running the application Etherpad on a vserver, the installation is fine, I can acces it from the web via a certain port like domain.org:1000

That's what I want to change: I want an authentication for users before they get the etherpad landing page, from which you can create public pads and the like.

So here is what I tried and what does not work right now:
I generated a password for a user with
htpasswd -c , renamed it to .htpasswd and put it in usr/local/pwd/.htpasswd. Then I sat up an .htaccess in the same dir with this content

AuthName "pw bitte"
AuthType Basic
AuthUserFile "/usr/local/pwd/.htpasswd"
Require valid-user

Then I edited the httpd.conf in /etc/apache2

and inserted this

<Proxy *>
AuthName "pw bitte"
AuthType Basic
AuthUserFile "/usr/local/pwd/.htpasswd"
Require user etherp
Order deny,allow
Deny from all
Allow from all
</Proxy>

I restarted Apache with
/etc/init.d/apache2 restart

But when accesing domain.org:1000 or domain.org now no authentication box pops up. Any idea? Thanks a lot!