Essentially my scenario is the fact that I've an interior website that needs just one hard-coded password to gain access to (which can not be switched off, only transformed). I'm subjecting this site via a reverse proxy for a number of reasons (hiding the main harbour, simplifying url, simplifying NAT, etc).
However, what I must do is have the ability to use Apache to handle authentication to ensure that:
- I do not have to hand out
singlepassword to everybody I'm able to have multiple passwords using Apache's BasicAuth
- For internal customers, I do not have to prompt for any password
EDIT: Second part about more potent authentication continues to be gone to live in new question
Here's pretty much things i have finally:
<VirtualHost *:80> ServerName sub.domain.com ProxyPass / http://192.168.1.253:8080/endpoint ProxyPassReverse / http://192.168.1.253:8080/endpoint # The endpoint includes a mandatory password that I wish to avoid needing customers to type # I.e. something similar to this is nice (but doesn't work) # ProxyPass / http://username:firstname.lastname@example.org:8080/endpoint # ProxyPassReverse / http://username:email@example.com:8080/endpoint # Should also have the ability to need a password to gain access to proxy for individuals outdoors local subnet # However, these passwords is going to be controlled by Apache using BasicAuth, not the ProxyPass endpoint # Ideas? </VirtualHost>
Add or overwrite the Authorization header before passing any request onto the endpoint. The authorization header can be difficult coded, it is simply basics-64 encoding from the string "username:password" (with no quotes.)
Let the mod_headers module otherwise already done.
RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
To do this conditionally, let the mod_setenvif, e.g. still request for that master password within the situation of local demands:
SetEnvIf Remote_Addr "127...1" localrequest RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
# ALL remote customers ALWAYS authenticate against reverse proxy's # /world wide web/conf/passwords database # <Directory /var/web/pages/secure> AuthBasicProvider /world wide web/conf/passwords AuthType Fundamental AuthName "Protected Area" Require valid-user </Directory> # reverse proxy authenticates against master server as: # Aladdin:open sesame (Base64 encoded) # RequestHeader set Authorization "Fundamental QWxhZGRpbjpvcGVuIHNlc2FtZQ=="