apache Apache2 - authorize users against a Location using BasicAuth but only for users outside the local subnet

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/580032/

Date: 2020-09-13 17:18:32  Source: igfitidea

Apache2 - authorize users against a Location using BasicAuth but ONLY for users outside local subnet

Tags: apache, apache2, basic-authentication, apache-config

Asked by Bo Jeanes

In my Apache 2 config I have a VirtualHost which looks something like this:


<VirtualHost *:80>
  ServerName sub.domain.com

  # username:password sent on to endpoint
  RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="

  ProxyPass        /xyz http://192.168.1.253:8080/endpoint
  ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint

  <Location /xyz>
    # This needs to let users through under the following circumstances
    #   * They are in 192.168.1.0/24
    #   * They have a valid user in a htpasswd file

    # So what goes here?
  </Location>
</VirtualHost>

I am using the virtual host as reverse proxy to another server (which I will call the endpoint) on the network.


I am trying to figure out a configuration that would allow users inside the network browsing to sub.domain.com to automatically be served the endpoint. However, users outside the network should be prompted for credentials.


The endpoint requires a password which I have hidden by using RequestHeader (which I want). The password external users should be prompted for is DIFFERENT and will need to be BasicAuth, getting its user list from a htpasswd file.


Answered by David Z

<Location /xyz>
  # This needs to let users through under the following circumstances
  #   * They are in 192.168.1.0/24
  #   * They have a valid user in a htpasswd file

Right out of http://httpd.apache.org/docs/2.2/mod/core.html#satisfy:


  Require valid-user
  Order allow,deny
  Allow from 192.168.1
  Satisfy any

Of course, you also need to include your AuthUserFile or whatever directives


  AuthType basic
  AuthName "yadayadayada"
  AuthUserFile /foo/bar/blah/.htpasswd
</Location>
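The same rule in Apache 2.4 syntax, as an added example that is not part of David Z's answer: Order, Allow and Satisfy belong to the 2.2 access model and in 2.4 only keep working through mod_access_compat, so a current install expresses the "local subnet OR valid htpasswd user" logic with a RequireAny block. The AuthName string and the .htpasswd path are assumptions; the host names, subnet and proxy targets are taken from the question.

```apache
# Added example (not from the original question or answers): Apache 2.4
# equivalent of the accepted 2.2 configuration.
<VirtualHost *:80>
  ServerName sub.domain.com

  # Replaces whatever Authorization header the client sent with the endpoint's
  # own credentials. Without the "early" keyword this runs in the fixup phase,
  # i.e. after the BasicAuth check below has already evaluated the client's
  # header, so the two passwords do not interfere with each other.
  RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="

  ProxyPass        /xyz http://192.168.1.253:8080/endpoint
  ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint

  <Location /xyz>
    AuthType Basic
    AuthName "External access"              # assumed realm name
    AuthUserFile /etc/apache2/.htpasswd     # assumed path

    # Either condition is sufficient: a client in the local subnet passes
    # without a prompt; anyone else must present a valid htpasswd user.
    <RequireAny>
      Require ip 192.168.1.0/24
      Require valid-user
    </RequireAny>
  </Location>
</VirtualHost>
```

Require ip matches the TCP peer address of the connection, so if another proxy or load balancer sits in front of this host every client will look like that device; in that case the real client address has to be recovered with mod_remoteip (RemoteIPHeader plus RemoteIPInternalProxy) before this check means anything.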

Answered by Dana the Sane

You could create two vhosts, one that listens on the external interface and one the local. The auth settings would be in the former.


Answered by Steve Moyer

I think that David has covered Apache2 configuration pretty well, but it's also common to use split DNS to provide different services to your internal and external users. There's really no reason for your internal users to make a request from your proxy, since they (ostensibly) have direct access to the "endpoint".


There are cases where you can actually incur routing delays and congestion if your internal users are connecting to one of your public IP addresses. Originally, I was a fan of having separate hardware for the two DNS servers, but have recently switched to using bind "views" to provide different zones to my two user classes.
