Apache User/Password Authentication with proxy and SSL enabled problem

Post by Joel Shandelm » Sat, 02 Jun 2001 23:48:01



I am admittedly new to Apache, mod_proxy and mod_ssl and have the
following problem while attempting to configure username/password
access for a proxied URL for both HTTP and HTTPS.

Simplistically put, I can cause an HTTP URL to invoke the
username/password authentication mechanism via my proxy server as
expected. If, however, I were to access the exact same URL but use
HTTPS instead, the page is accessed without asking for a
username/password. In my scenario, I access port 7177 for HTTP and
7178 for HTTPS/SSL.

I would appreciate it if anyone can explain what I'm doing wrong or what
documentation explains the interactions of authentication with SSL
based URLs. I don't mind RTFM. The docs I've seen so far haven't
clarified this enough to get me around the problem.

My specific configuration is shown below.

Thanks,

   -- Joel

=====================================================================
#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80
Listen 80
Listen 8080
Listen 443
Listen 8443
=====================================================================
#
# Proxy Server directives
#
<IfModule mod_proxy.c>
    ProxyRequests On
    AllowCONNECT 443 7178
    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from .optionable.com 10.2.5
    </Directory>
</IfModule>
# End of proxy directives.
=====================================================================
##  SSL Support
##
##  Listen on standard HTTP port and HTTPS port
##
<IfDefine SSL>
Listen 10.2.5.21:443
Listen 10.2.5.21:8443
</IfDefine>
Other lines intentionally left out for brevity. Nothing else was changed
however from the standard config.
=====================================================================
#
# This section of VirtualHost and Location code works well as expected
#
<VirtualHost 10.2.5.21:8080>
    ServerName http-proxy.optionable.com
    ErrorLog logs/http-proxy-error_log
    CustomLog logs/http-proxy-access_log common

    <Location http://webdev01.optionable.com:7177/index.html>
        AuthName "webdev01.optionable.com:7177"
        AuthType Basic
        AuthUserFile /usr/local/apache/auth/password.file
        AuthGroupFile /usr/local/apache/auth/group.file
        require group development
        AuthAuthoritative on
        Order deny,allow
        Deny from all
        Order deny,allow
        Allow from .optionable.com 10.2.5
    </Location>

</VirtualHost>

#
# This section of VirtualHost and Location code does not work as
# expected
#
<VirtualHost 10.2.5.21:8443>
    ServerName ssl-proxy.optionable.com
    ErrorLog logs/http-proxy-error_log
    CustomLog logs/http-proxy-access_log common

    <Location https://webdev01.optionable.com:7178/index.html>
        AuthName "webdev01.optionable.com:7178"
        AuthType Basic
        AuthUserFile /usr/local/apache/auth/password.file
        AuthGroupFile /usr/local/apache/auth/group.file
        require group development
        AuthAuthoritative on
        Order deny,allow
        Deny from all
        Order deny,allow
        Allow from .optionable.com 10.2.5
    </Location>

</VirtualHost>
=====================================================================
My log file http-proxy-access_log shows the following line upon access
to http/7177
dell4100.optionable.com - - [01/Jun/2001:10:39:26 -0400] "GET
http://webdev01.optionable.com:7177/index.html HTTP/1.0" 407 495
dell4100.optionable.com - jshandel [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/index.html HTTP/1.0" 304 0
dell4100.optionable.com - - [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/servletimages/transparent.gif
HTTP/1.0" 200 43
dell4100.optionable.com - - [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/servletimages/edocs_button.gif
HTTP/1.0" 200 2324
dell4100.optionable.com - - [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/servletimages/pagetopgold.gif
HTTP/1.0" 200 16828
=====================================================================
My log file http-proxy-access_log shows the following line upon access
to https/7178:

dell4100.optionable.com - - [01/Jun/2001:10:43:34 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
dell4100.optionable.com - - [01/Jun/2001:10:43:36 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
dell4100.optionable.com - - [01/Jun/2001:10:43:36 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
dell4100.optionable.com - - [01/Jun/2001:10:43:36 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
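
Added example, not part of the original post: the two excerpts above differ in what the proxy is asked for (a GET of a full http:// URL versus "CONNECT host:port") and in whether a user is logged. This Python sketch parses such "common" format entries, rejoins the wrapped lines, and lists proxied requests that were served with no user logged; the function names are this example's own.

```python
import re
from collections import Counter

# Common Log Format ("CustomLog ... common"): host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
ENTRY_START = re.compile(r'^\S+ \S+ \S+ \[')

# Entries taken from the two log excerpts in the post, wrapped as in the post.
SAMPLE_LOG = """\
dell4100.optionable.com - - [01/Jun/2001:10:39:26 -0400] "GET
http://webdev01.optionable.com:7177/index.html HTTP/1.0" 407 495
dell4100.optionable.com - jshandel [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/index.html HTTP/1.0" 304 0
dell4100.optionable.com - - [01/Jun/2001:10:39:37 -0400] "GET
http://webdev01.optionable.com:7177/servletimages/transparent.gif
HTTP/1.0" 200 43
dell4100.optionable.com - - [01/Jun/2001:10:43:34 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
dell4100.optionable.com - - [01/Jun/2001:10:43:36 -0400] "CONNECT
webdev01.optionable.com:7178 HTTP/1.0" 200 -
"""

def parse_wrapped(text):
    """Yield one dict per log entry, rejoining entries wrapped across lines."""
    pending = ""
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        # A new entry discards any unparsable leftover instead of merging with it.
        pending = line if ENTRY_START.match(line) else f"{pending} {line}"
        m = CLF.match(pending)
        if m:
            yield m.groupdict()
            pending = ""

def unauthenticated_proxy_hits(entries):
    """Entries the proxy served (2xx/3xx) for which no user was logged."""
    return [e for e in entries
            if (e["method"] == "CONNECT" or "://" in e["target"])  # proxied request
            and e["status"][0] in "23" and e["user"] == "-"]

def summarize(text):
    hits = unauthenticated_proxy_hits(parse_wrapped(text))
    return Counter(e["method"] for e in hits), sorted({e["target"] for e in hits})

if __name__ == "__main__":
    by_method, targets = summarize(SAMPLE_LOG)
    print(dict(by_method))
    for t in targets:
        print("no user logged:", t)
```

In the sample, the GET for transparent.gif is flagged along with the CONNECT tunnels: the <Location> in the post names only /index.html, and the log shows the image request served with no user.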

 
 
 

1. Apache proxy authentication via SSL

Hi,
        I am trying to set up Apache as a proxy server and have
people authenticate (407 Proxy-Authenticate) via SSL and basic auth
so the passwords are not sent in clear text. The SSL works fine directly
as a web server and mod_proxy works for normal HTTP traffic, but I
can't seem to get authentication to work via SSL. I am trying a bunch
of combinations, even setting the browser proxy port to 443, but for
the most part all I get are failures with "Hint: speaking HTTP to HTTPS
port!" in the logs. So before I continue to work on this, I just want
to know if it's even possible to make this work via SSL? If so,
any hints greatly appreciated. Thanks.

--
- Kyle
