How do I use basic authentication to protect a Tomcat web application that is reverse-proxied in an Apache2 virtual host?

Posted on 2024-12-28 09:14:36

I'm having trouble figuring out how to add basic HTTP authentication to password-protect a development testing environment running on a production web server. Both the main site and the testing environment are virtual hosts that use AJP proxying to serve separate instances of Tomcat webapps. We need to prevent the public from accessing the testing environment without making changes to web.xml in the Tomcat environment; the protection must be achieved with Apache, not Tomcat. However, the ProxyPass and ProxyPassReverse directives in the virtual host seem to override the use of .htaccess or anything I put in a <Directory> control block, while it seems that I cannot use directives like AuthType in the main body of the <VirtualHost> control block alongside. I'm not very experienced with Apache (or Tomcat) and unsure about what directives can apply where and which might override others. Because the changes need to be made on a production server, I can't easily experiment for fear of causing any downtime.

The httpd.conf itself is very simple:

LoadModule  proxy_http_module   /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule  headers_module      /usr/lib/apache2/modules/mod_headers.so

LoadFile    /usr/lib/libxml2.so

The relevant virtual host file, /etc/apache2/sites-available/dev443, is as follows:

<IfModule mod_ssl.c>
<VirtualHost dev.mydomain.com:80443>
    ServerName  dev.mydomain.com:80443
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/dev

    ProxyPass / ajp://127.0.0.1:8010/
    ProxyPassReverse / ajp://127.0.0.1:8010/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/dev/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All 
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/intermediate.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

Can I move the AJP proxy configuration within a control block? I had a look at this StackOverflow Q&A that suggests it supports authentication. Would it be supported inside a control block (the solution has it in httpd.conf)?

Currently, we're filtering by IP using the firewall, but a few people involved in the project need access to the testing environment from home and they don't have fixed IP addresses for their Internet connections, so password protection would involve less maintenance in the long run and offer more flexibility for remote work.

For the record, the following versions are involved: Apache: 2.2.14 / Tomcat: 7.0.23 / Java: SE 1.6.0_26-b03 / OS: Ubuntu 10.04 LTS


Comments (1)

星光不落少年眉 2025-01-04 09:14:36

A working solution, proposed by Shane Madden, can be found here. The documentation specifies that the contexts in which the relevant directives are allowed includes but there's no mention there of although it seems that and are effectively equivalent/interchangeable, except for the distinction of the source of the content. The following achieves what I wanted:

<Location />
    ProxyPass ajp://127.0.0.1:8010/
    ProxyPassReverse ajp://127.0.0.1:8010/
    AuthType Basic
    AuthName "something"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
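
Added example (not part of the original question or answer, and not Apache's own tooling): `<Directory>` sections and .htaccess files apply to filesystem paths, which a request handed to ProxyPass never reaches, so authentication placed there does not guard the proxied application. The sketch below is a simplified pre-deployment check that reports proxied URL paths not covered by a `<Location>` section containing a `Require` line. The function names and the `BEFORE` sample are constructed for illustration; it assumes one directive per line and ignores `<Proxy>` and `<LocationMatch>` sections.

```python
import re

SECTION_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"</(\w+)>")

def covers(prefix, path):
    """Prefix match in URL space, following <Location> semantics."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def unprotected_proxy_paths(conf_text):
    """Return proxied URL paths that no <Location> with a Require line covers."""
    stack, proxied, protected = [], [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.fullmatch(line):
            del stack[-1:]  # leave the innermost section (no-op if unbalanced)
            continue
        opened = SECTION_OPEN.fullmatch(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip().strip('"')))
            continue
        words = line.split()
        # Innermost enclosing <Location>, if any; <Directory> is filesystem-only.
        location = next((a for n, a in reversed(stack) if n == "location"), None)
        if words[0].lower() == "proxypass" and len(words) > 1:
            # Inside <Location> the URL path comes from the section itself.
            proxied.append(location if location is not None else words[1])
        elif words[0].lower() == "require" and location is not None:
            protected.append(location)
    return [p for p in proxied if not any(covers(q, p) for q in protected)]

# Constructed sample: proxy at virtual-host level, auth only in <Directory>.
BEFORE = """<VirtualHost *:443>
    ProxyPass / ajp://127.0.0.1:8010/
    <Directory /var/www/dev/>
        AuthType Basic
        Require valid-user
    </Directory>
</VirtualHost>"""
# The <Location> form from the answer above (abridged).
AFTER = """<Location />
    ProxyPass ajp://127.0.0.1:8010/
    AuthType Basic
    Require valid-user
</Location>"""
```

`unprotected_proxy_paths(BEFORE)` reports `/` as exposed, while the `<Location>` form returns an empty list.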