Essentially my scenario is the fact that I've an interior website that needs just one hard-coded password to gain access to (which can not be switched off, only transformed). I'm subjecting this site via a reverse proxy for a number of reasons (hiding the main harbour, simplifying url, simplifying NAT, etc).

However, what I must do is have the ability to use Apache to handle authentication to ensure that:

  1. I do not have to hand out single password to everybody
  2. I'm able to have multiple passwords using Apache's BasicAuth
  3. For internal customers, I do not have to prompt for any password

EDIT: Second part about more potent authentication continues to be gone to live in new question

Here's pretty much things i have finally:

<VirtualHost *:80>

  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint

  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint includes a mandatory password that I wish to avoid needing customers to type

  # I.e. something similar to this is nice (but doesn't work)

  # ProxyPass        / http://username:password@192.168.1.253:8080/endpoint

  # ProxyPassReverse / http://username:password@192.168.1.253:8080/endpoint

  # Should also have the ability to need a password to gain access to proxy for individuals outdoors local subnet

  # However, these passwords is going to be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?

</VirtualHost>

Add or overwrite the Authorization header before passing any request onto the endpoint. The authorization header can be difficult coded, it is simply basics-64 encoding from the string "username:password" (with no quotes.)

Let the mod_headers module otherwise already done.

RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To do this conditionally, let the mod_setenvif, e.g. still request for that master password within the situation of local demands:

SetEnvIf Remote_Addr "127...1" localrequest

RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

EXAMPLE

# ALL remote customers ALWAYS authenticate against reverse proxy's

#  /world wide web/conf/passwords database

#

<Directory /var/web/pages/secure>

  AuthBasicProvider /world wide web/conf/passwords

  AuthType Fundamental

  AuthName "Protected Area"

  Require valid-user

</Directory>

# reverse proxy authenticates against master server as:

#  Aladdin:open sesame (Base64 encoded)

#

RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ=="