In my Apache 2 config I have a VirtualHost which looks something like this:
<VirtualHost *:80>
ServerName sub.domain.com
# username:password sent on to endpoint
RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="
ProxyPass /xyz http://192.168.1.253:8080/endpoint
ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint
<Location /xyz>
# This needs to let users through under the following circumstances
# * They are in 192.168.1.0/24
# * They have a valid user in a htpasswd file
# So what goes here?
</Location>
</VirtualHost>
I am using the virtual host as reverse proxy to another server (which I will call the endpoint) on the network.
I am trying to figure out a configuration that would allow users inside the network browsing to sub.domain.com to automatically be served the endpoint. However, users outside the network should be prompted for credentials
The endpoint requires a password which I have hidden by using RequestHeader (which I want). The password external users should be prompted by is DIFFERENT and will need to be BasicAuth, getting it's user list from a htpasswd file.
-
<Location /xyz> # This needs to let users through under the following circumstances # * They are in 192.168.1.0/24 # * They have a valid user in a htpasswd fileRight out of http://httpd.apache.org/docs/2.2/mod/core.html#satisfy:
Require valid-user Order allow,deny Allow from 192.168.1 Satisfy anyOf course, you also need to include your AuthUserFile or whatever directives
AuthType basic AuthName "yadayadayada" AuthUserFile /foo/bar/blah/.htpasswd </Location>David Zaslavsky : hmm... just a random thought, does it change anything if you move the Allow directive before the Require directive?bjeanes : ah damn I removed my comment before seeing yours. I got it working by watching logs. It seems it didn't consider our requests from the local subnet but from our public static IP. I white listed this as well and now it seems to be working perfectly! Thanks a lotbjeanes : And I also had moved Allow before Require in the same step so it may have also been that. -
You could create two vhosts, one that listens on the external interface and one the local. The auth settings would be in the former.
bjeanes : There is only one bind IP and one interface. I need to base it on the Remote_Addr -
I think that David has covered Apache2 configuration pretty well, but it's also common to use split DNS to provide different services to your internal and external users. There's really no reason for your internal users to make a request from your proxy, since they (ostensibly) have direct access to the "endpoint".
There are cases where you can actually incur routing delays and congestion if your internal users are connecting to one of your public IP addresses. Originally, I was a fan of having separate hardware for the two DNS servers, but have recently switched to using bind "views" to provide different zones to my two users classes.
bjeanes : Internally the sub.domain.com resolves to the internal IP. The point of the proxy is to not have to have to give out the primary password as the endpoint only supports a single password that I don't want to distribute. Also the URL is ridiculously stupid to remember. Load is small (only 6-7 users)Steve Moyer : Sounds like you'll be golden with David's configuration then!
0 comments:
Post a Comment