Apache2 反向代理到需要 BasicAuth 但希望对用户隐藏的端点

发布于 2024-07-14 02:36:33 字数 1453 浏览 14 评论 0原文

基本上我的情况是,我有一个内部网站,需要单个硬编码的用户名和密码才能访问(并且不能关闭,只能更改)。 我出于各种原因(隐藏端口、简化 url、简化 NAT 等)通过反向代理公开此网站。

但是,我想做的是能够使用 Apache 来处理身份验证,以便:

  1. 我不必向每个人提供 single 密码
  2. 我可以使用 Apache 的 BasicAuth 拥有多个用户名和密码
  3. 对于内部用户,我不必提示输入密码

编辑:有关更丰富的身份验证的第二部分已移至 < a href="https://stackoverflow.com/questions/580032">新问题

这或多或少是我现在所拥有的:

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>

Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).

However, what I would like to do is be able to use Apache to handle the authentication so that:

  1. I don't have to give out single password to everyone
  2. I can have multiple usernames and passwords using Apache's BasicAuth
  3. For internal users, I don't have to prompt for a password

EDIT: Second part about richer authentication has been moved to new question

Here's more or less what I have now:

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

寄风 2024-07-21 02:36:33

在将任何请求传递到端点之前添加或覆盖授权标头。 授权标头可以进行硬编码,它只是字符串“用户名:密码”的 Base-64 编码(不带引号)。

如果尚未启用 mod_headers 模块,请启用它。

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

要有条件地执行此操作,请启用 mod_setenvif,例如,在本地请求的情况下仍要求主密码:

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

示例

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)

Enable the mod_headers module if not already done.

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

EXAMPLE

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
最笨的告白 2024-07-21 02:36:33

好吧,我用你的例子来指向两个使用 apache proxypass 的 IP 摄像机。 当我使用语法 user:[email protected] 并通过 iPhone 访问时我收到了来自 safari(iphone 导航器)的安全消息,因此我更改了示例以使其与 iPhone 4S 配合良好,

<Location /camarafeliz1/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.39/
        ProxyPassReverse  http://192.168.0.39/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.99/
        ProxyPassReverse  http://192.168.0.99/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>

并且由于链接中的用户名和密码,iPhone 4s 不再抱怨安全性。

Well I used your example to point to two IP cameras using apache proxypass. When I used the syntax user:[email protected] and accessed through an iphone I got a security message from safari (iphone navigator) so I changed the example to work well with and iPhone 4S

<Location /camarafeliz1/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.39/
        ProxyPassReverse  http://192.168.0.39/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
        # usuario admin password 123456
        ProxyPass         http://192.168.0.99/
        ProxyPassReverse  http://192.168.0.99/
        RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>

and the iphone 4s stopped complaining about security because of user and password in the link.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文