Apache2 反向代理到需要 BasicAuth 但希望对用户隐藏的端点

发布于 2024-07-14 02:36:33 字数 1453 浏览 10 评论 0原文

基本上我的情况是，我有一个内部网站，需要单个硬编码的用户名和密码才能访问（并且不能关闭，只能更改）。我出于各种原因（隐藏端口、简化 url、简化 NAT 等）通过反向代理公开此网站。

~~但是，我想做的是能够使用 Apache 来处理身份验证，以便：~~

我不必向每个人提供 ~~single~~ 密码
~~我可以使用 Apache 的 BasicAuth 拥有多个用户名和密码~~

~~对于内部用户，我不必提示输入密码~~

编辑：有关更丰富的身份验证的第二部分已移至 < a href="https://stackoverflow.com/questions/580032">新问题

这或多或少是我现在所拥有的：

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>

原文

Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).

~~However, what I would like to do is be able to use Apache to handle the authentication so that:~~

I don't have to give out ~~single~~ password to everyone
~~I can have multiple usernames and passwords using Apache's BasicAuth~~
For internal users, I don't have to prompt for a password

EDIT: Second part about richer authentication has been moved to new question

Here's more or less what I have now:

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

寄风 2024-07-21 02:36:33

在将任何请求传递到端点之前添加或覆盖授权标头。授权标头可以进行硬编码，它只是字符串“用户名：密码”的 Base-64 编码（不带引号）。

如果尚未启用 mod_headers 模块，请启用它。

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

要有条件地执行此操作，请启用 mod_setenvif，例如，在本地请求的情况下仍要求主密码：

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

示例

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)

Enable the mod_headers module if not already done.

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

EXAMPLE

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

回复收藏 0 原文

最笨的告白 2024-07-21 02:36:33

好吧，我用你的例子来指向两个使用 apache proxypass 的 IP 摄像机。当我使用语法 user:[email protected] 并通过 iPhone 访问时我收到了来自 safari（iphone 导航器）的安全消息，因此我更改了示例以使其与 iPhone 4S 配合良好，

<Location /camarafeliz1/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.39/
        ProxyPassReverse  http://192.168.0.39/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.99/
        ProxyPassReverse  http://192.168.0.99/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>

并且由于链接中的用户名和密码，iPhone 4s 不再抱怨安全性。

Well I used your example to point to two IP cameras using apache proxypass. When I used the syntax user:[email protected] and accessed through an iphone I got a security message from safari (iphone navigator) so I changed the example to work well with and iPhone 4S

<Location /camarafeliz1/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.39/
        ProxyPassReverse  http://192.168.0.39/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.99/
        ProxyPassReverse  http://192.168.0.99/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>

and the iphone 4s stopped complaining about security because of user and password in the link.

回复收藏 0 原文

~没有更多了~