ZZ9

Reputation: 2237

Stop Apache from forwarding Basic Auth headers to reverse proxied Tomcat site

How do I stop Apache 2.4 from forwarding Basic Auth headers to a reverse proxied Tomcat site? The destination application tries to use the headers to log the user in to the app, which breaks the app.

I had considered using

RequestHeader unset Authorization

But this just disables Basic Auth entirely.

Here is the vhost:

<VirtualHost *:80>
    ServerName app.company.tld
    ErrorLog "/var/log/company-proxy/app_prox_error_log"
    CustomLog "/var/log/company-proxy/app_prox_access_log" common
    SSLProxyEngine On
    ProxyRequests Off
    <Proxy *>
            Order deny,allow
            Deny from all
            Allow from all
    </Proxy>
    <Location />
            AuthType Basic
            AuthName "Proxy Auth"
            AuthUserFile /var/www/company-auth/APP/.htpasswd
            Require user username
            Satisfy any
            Deny from all
            Allow from 1.0.0.0/16
    </Location>
    ProxyPreserveHost On
    ProxyPass / http://app.company.tld:1000/
    ProxyPassReverse / http://app.company.tld:1000/
</VirtualHost>

Upvotes: 2

Views: 3096

Answers (1)

Daniel Gruno

Reputation: 144

Your initial idea is correct: RequestHeader unset Authorization is the right way to do it. This will not disable basic auth on the front end, as the unset mechanism runs later than the auth check, but it will prevent the Authorization header from reaching the backend.

If your backend needs auth headers, that is another matter, but if it does not, then this is the correct (and thoroughly tested) method to do it.

Upvotes: 3
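
One way to confirm the behaviour described in the answer, as an added example that is not part of the original question or answer: a stand-in backend that reports whether an Authorization header reached it. The names `auth_seen`, `check_raw_request` and `Probe` are hypothetical, and the sample requests are constructed.

```python
import base64
import io
import sys
from http.client import parse_headers
from http.server import BaseHTTPRequestHandler, HTTPServer

def auth_seen(headers):
    """Return what the backend received in Authorization, or None if absent."""
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    user = None
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True)
            user = decoded.decode("utf-8", "replace").partition(":")[0]
        except ValueError:
            pass  # malformed token: still report that a header arrived
    return {"scheme": scheme, "user": user}  # the password is never reported

def check_raw_request(raw):
    """Apply auth_seen to a raw HTTP/1.x request as captured at the backend."""
    stream = io.BytesIO(raw)
    stream.readline()  # skip the request line
    return auth_seen(parse_headers(stream))

class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        seen = auth_seen(self.headers)
        text = f"LEAK: {seen}\n" if seen else "OK: no Authorization header\n"
        body = text.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

# Constructed samples: a request with Basic credentials and one without.
_TOKEN = base64.b64encode(b"username:example").decode()
WITH_HEADER = (f"GET / HTTP/1.1\r\nHost: app.company.tld\r\n"
               f"Authorization: Basic {_TOKEN}\r\n\r\n").encode()
STRIPPED = b"GET / HTTP/1.1\r\nHost: app.company.tld\r\n\r\n"

if __name__ == "__main__":
    # Port 1000 matches the ProxyPass target above; ports below 1024 need privileges.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    HTTPServer(("127.0.0.1", port), Probe).serve_forever()
```

Run it in place of Tomcat (the 127.0.0.1 bind address is an assumption, so ProxyPass must point at it) and request the site through the proxy with valid credentials. With `RequestHeader unset Authorization` in the vhost the response reads `OK`, while the front-end login prompt still appears.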
