Apache2的反向代理终点，需要基本验证，但想从用户隐藏此

本文介绍了Apache2的反向代理终点，需要基本验证，但想从用户隐藏此的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

基本上我的情况是，我有一个内部网站，需要访问单个硬件codeD的用户名和密码（这不能被关闭，只有改变）。我通过各种原因（隐藏端口，简化了网址，简化NAT等），反向代理暴露这个网站。

我没有供出密码大家

编辑：关于富裕认证第二部分已移至

下面或多或少什么我现在：

 ＆LT;虚拟主机*：80＆GT;
  服务器名sub.domain.com  的ProxyPass / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint  ＃端点有我想避免要求用户键入密码强制
  ＃即这样的事情将是很好（但不工作）  ＃的ProxyPass / HTTP：//用户名：[email protected]：8080 /端点
  ＃ProxyPassReverse / HTTP：//用户名：[email protected]：8080 /端点  ＃也需要能需要密码外为本地子网的人获得代理
  ＃不过这些密码会被Apache使用基本验证来控制，而不是终点的ProxyPass  ＃想法？
＆LT; /虚拟主机＆GT;

解决方案

添加或传递任何请求，到终点前覆盖Authorization头。授权头是很难codeD，它只是一个字符串的基本64编码：（不带引号）的用户名密码

启用mod_headers中模块如果尚未完成。

  RequestHeader授权设置基本QWxhZGRpbjpvcGVuIHNlc2FtZQ ==

要有条件地执行此，启用mod_setenvif，例如

：在本地请求的情况下，仍然要求主密码

  SetEnvIf之后REMOTE_ADDR127 \\ .0 \\ .0 \\ .1localrequest
RequestHeader组授权基本QWxhZGRpbjpvcGVuIHNlc2FtZQ ==ENV =！localrequest

示例

 ＃所有的远程用户始终对反向代理的身份验证
＃/ WWW / conf目录/密码的数据库
＃
＆LT;目录/ var /网页/网页/安全＆GT;
  AuthBasicProvider / WWW / conf目录/密码
  AuthType选项基本
  AuthName指令保护区
  需要有效的用户
＆LT; /目录＆GT;＃反向代理验证对主服务器：
＃阿拉丁：芝麻开门（Base64编码的连接codeD）
＃
RequestHeader授权设置基本QWxhZGRpbjpvcGVuIHNlc2FtZQ ==

Basically my scenario is that I have an internal website that requires a SINGLE hard-coded username and password to access (and this can't be turned off, only changed). I am exposing this website through a reverse proxy for various reasons (hiding the port, simplifying url, simplifying NAT, etc).

I don't have to give out password to everyone

EDIT: Second part about richer authentication has been moved to new question

Here's more or less what I have now:

<VirtualHost *:80>
  ServerName sub.domain.com

  ProxyPass        / http://192.168.1.253:8080/endpoint
  ProxyPassReverse / http://192.168.1.253:8080/endpoint

  # The endpoint has a mandatory password that I want to avoid requiring users to type
  # I.e. something like this would be nice (but does not work)

  # ProxyPass        / http://username:[email protected]:8080/endpoint
  # ProxyPassReverse / http://username:[email protected]:8080/endpoint

  # Also need to be able to require a password to access proxy for people outside local subnet
  # However these passwords will be controlled by Apache using BasicAuth, not the ProxyPass endpoint

  # Ideas?
</VirtualHost>

解决方案

Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard coded, it's just a base-64 encoding of the string "username:password" (without the quotes.)

Enable the mod_headers module if not already done.

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To perform this conditionally, enable the mod_setenvif, e.g. still ask for the master password in the case of local requests:

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

http://en.wikipedia.org/wiki/Basic_access_authentication
http://httpd.apache.org/docs/2.0/mod/mod_headers.html
http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html

EXAMPLE

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
  AuthBasicProvider /www/conf/passwords
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

这篇关于Apache2的反向代理终点，需要基本验证，但想从用户隐藏此的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！