Apache - Set up basic authentication when Apache is behind a cache server?
To set up basic authentication for a directory in Apache, add the following lines to your Apache config file (usually /etc/apache2/sites-available/default):
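<Directory "/var/www/myapp/">
    # IP filter: Deny is evaluated first, then Allow overrides it for the listed range
    Order deny,allow
    Allow from 172.0.0.0/8
    Deny from all
    # HTTP basic authentication against the users listed in AuthUserFile
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/pwd-reset.conf"
    Require valid-user
</Directory>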
With the above setting, Apache only accepts requests for the /var/www/myapp/ directory from internal IP addresses and denies every request from outside that IP range (172.0.0.0/8).
For more options, read the Apache documentation: http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html
But, the question is:
what if Apache stands behind a cache server (e.g. Varnish)?
If a proxy or cache server sits between the users and Apache, every request that reaches Apache appears to come from the proxy/cache server, because Apache sees the proxy/cache server's IP address. That means the above setting will not work as intended.
So what we have to do is make Apache recognize the real client IP addresses from the HTTP requests instead of the proxy/cache server IP. With the real IP addresses, Apache's IP-range filter can work correctly.
I will make a simulation demo and update this blog post later when I have a chance.
For now, you can read the following links:
http://serverfault.com/questions/340500/varnish-forward-client-ip-address-to-backend
http://easyos.net/articles/bsd/freebsd/getting_real_ip_through_varnish_for_apache_and_php
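As an added illustration (not code from the original post or from Apache), the Python sketch below models the decision Apache has to make once it sits behind Varnish: take the client address from X-Forwarded-For only when the connection comes from the trusted proxy, then apply the 172.0.0.0/8 rule to that address. The proxy address 10.0.0.5, the function names and the sample requests are assumptions, and the proxy is assumed to append the address it saw to X-Forwarded-For.

```python
import ipaddress

# Assumed values for this sketch: 10.0.0.5 is a hypothetical Varnish address;
# ALLOWED is the range from the post's "Allow from" directive.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
ALLOWED = ipaddress.ip_network("172.0.0.0/8")


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, x_forwarded_for=None):
    """Return the address the IP rule should be checked against, or None."""
    peer = ipaddress.ip_address(peer_ip)
    # The header is client-controlled data unless our own proxy relayed it.
    if not is_trusted_proxy(peer) or not x_forwarded_for:
        return peer
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our proxies.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed header: fail closed
        if not is_trusted_proxy(ip):
            return ip
    return peer  # header named only our own proxies


def allowed(peer_ip, x_forwarded_for=None):
    ip = effective_client_ip(peer_ip, x_forwarded_for)
    return ip is not None and ip in ALLOWED


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "172.20.1.7"),               # internal user via Varnish
        ("10.0.0.5", "203.0.113.9"),              # external user via Varnish
        ("203.0.113.9", "172.20.1.7"),            # direct hit with forged header
        ("10.0.0.5", "172.20.1.7, 203.0.113.9"),  # forged entry, real IP appended
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", allowed(peer, xff))
```

The last two samples show why the header is only honoured from the trusted proxy and read from the right: a client can put any address it likes into X-Forwarded-For, so the backend must also refuse direct connections that bypass the proxy.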