apache Apache2 反向代理到需要 BasicAuth 但希望对用户隐藏的端点
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/567814/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user
提问by Bo Jeanes
Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).
基本上我的情况是我有一个内部网站,需要一个单一的硬编码用户名和密码才能访问(并且不能关闭,只能更改)。由于各种原因(隐藏端口、简化 url、简化 NAT 等),我通过反向代理公开该网站。
However, what I would like to do is be able to use Apache to handle the authentication so that:
但是,我想做的是能够使用 Apache 处理身份验证,以便:
- I don't have to give out
singlepassword to everyone I can have multiple usernames and passwords using Apache's BasicAuthFor internal users, I don't have to prompt for a password
- 我不必给每个人
一个单一的密码 我可以使用 Apache 的 BasicAuth 拥有多个用户名和密码对于内部用户,我不必提示输入密码
EDIT: Second part about richer authentication has been moved to new question
编辑:关于更丰富的身份验证的第二部分已移至新问题
Here's more or less what I have now:
这或多或少是我现在所拥有的:
<VirtualHost *:80>
ServerName sub.domain.com
ProxyPass / http://192.168.1.253:8080/endpoint
ProxyPassReverse / http://192.168.1.253:8080/endpoint
# The endpoint has a mandatory password that I want to avoid requiring users to type
# I.e. something like this would be nice (but does not work)
# ProxyPass / http://username:[email protected]:8080/endpoint
# ProxyPassReverse / http://username:[email protected]:8080/endpoint
# Also need to be able to require a password to access proxy for people outside local subnet
# However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint
# Ideas?
</VirtualHost>
回答by vladr
Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)
在将任何请求传递到端点之前添加或覆盖 Authorization 标头。授权标头可以硬编码,它只是字符串“username:password”的 base-64 编码(不带引号。)
Enable the mod_headers module if not already done.
如果尚未完成,请启用 mod_headers 模块。
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:
要有条件地执行此操作,请启用 mod_setenvif,例如在本地请求的情况下仍然要求主密码:
SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
- http://en.wikipedia.org/wiki/Basic_access_authentication
- http://httpd.apache.org/docs/2.0/mod/mod_headers.html
- http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
- http://en.wikipedia.org/wiki/Basic_access_authentication
- http://httpd.apache.org/docs/2.0/mod/mod_headers.html
- http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
EXAMPLE
例子
# ALL remote users ALWAYS authenticate against reverse proxy's
# /www/conf/passwords database
#
<Directory /var/web/pages/secure>
AuthBasicProvider /www/conf/passwords
AuthType Basic
AuthName "Protected Area"
Require valid-user
</Directory>
# reverse proxy authenticates against master server as:
# Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
回答by googol plex
Well I used your example to point to two IP cameras using apache proxypass. When I used the syntax user:[email protected] and accessed through an iphone I got a security message from safari (iphone navigator) so I changed the example to work well with and iPhone 4S
好吧,我使用您的示例使用 apache proxypass 指向两个 IP 摄像机。当我使用语法 user:[email protected] 并通过 iphone 访问时,我收到了来自 safari(iphone 导航器)的安全消息,因此我更改了示例以与 iPhone 4S 配合使用
<Location /camarafeliz1/ >
# usuario admin password 123456
ProxyPass http://192.168.0.39/
ProxyPassReverse http://192.168.0.39/
RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
<Location /camarafeliz3/ >
# usuario admin password 123456
ProxyPass http://192.168.0.99/
ProxyPassReverse http://192.168.0.99/
RequestHeader set Authorization "Basic YWRtaW46MTIzNDU2=="
</Location>
and the iphone 4s stopped complaining about security because of user and password in the link.
由于链接中的用户名和密码,iphone 4s 不再抱怨安全性。
