Graham Smart

Reputation: 65

Apache2 Reverse Proxy with PHP Login Page (Check for session var before forwarding to server)

I have an Apache2 reverse proxy set up fine for an SSL backend server.

(WWW --> Apache2 --> Server) Works fine.

I have a nice method of doing 2FA using TOTP and am looking to get this working for this particular web application.

How can I get Apache2 to check for a session ID / var (check if a user is authenticated using my PHP script) before forwarding them on to the server behind the proxy?

I.e., I'm looking for this:

  1. User connects to proxy and is presented with a login form.
  2. User gets authenticated and gets a session ($_SESSION['loggedin'] = "1")
  3. Apache checks if that = 1; if so, forward to proxied host. If not, present login.php (as an example)

Essentially what I am trying to achieve is a two-factor mechanism, as the app being proxied allows one type and my PHP script using TOTP does another.

I just need Apache to be able to check if they are logged in in PHP before forwarding to the proxied host.

The reverse proxy works fine currently; I just need this extra "login" before being proxied to work.

Current config is essentially this:

```apache
<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass / http://10.0.0.1:80/
    ProxyPassReverse / http://10.0.0.1:80/
</VirtualHost>
```

Would be nice to have something in the virtualhost to say something like, IF USER SESSION VAR X = Y then Proxy.

Any ideas?

I can't find anything whatsoever online.

Upvotes: 1

Views: 2524

Answers (2)

Ale

Reputation: 997

To have users authenticated by PHP, one can redirect access to a restricted area to a script which carries out authentication and then redirects to the original location. For example like so:

```apache
RewriteEngine on
# don't redirect PHP scripts, they can check authentication directly
RewriteCond %{SCRIPT_FILENAME} !\.php$
# don't redirect sub-requests
RewriteCond %{IS_SUBREQ} !true$
RewriteRule ^(/restricted/.*)$ /auth-checker.php?path=$1&area=/restricted [QSA]
```

The PHP script can be roughly structured as follows:

```php
<?php
$virt_ok = false;
$virt = NULL;

$area = @$_GET['area'];
$path = @$_GET['path'];

$login = new my_special_authenticator($area);
// this implies auth ok

// export authentication results
$user = $login->get_user();
apache_setenv('REMOTE_USER', $user);

// redirect as needed
$virt = @apache_lookup_uri($path);
if (!empty($virt->content_type))
    header('content-type: '. $virt->content_type);

$virt_ok = @virtual($path);
if (empty($virt_ok))
{
    // error page
}
?>
```

Now having exported authentication results, they can be added in the request header for the backend server:

```apache
RequestHeader set Remote-User: "%{REMOTE_USER}e"
ProxyPass /restricted/ http://10.0.0.1:80/
ProxyPassReverse /restricted/ http://10.0.0.1:80/
```

Upvotes: 0

R0b1ns

Reputation: 36

Hey Mr self called "Smart" Graham xD

First: in IT, nothing is impossible.

I would like to implement exactly what you want. So far I have used BasicAuth for this problem.

To solve your Apache authentication problem you have to use the Location directive.

For BasicAuth this looks like:

```apache
<VirtualHost *:80>
    ServerName myproxyservice.mydomain.de

    ServerAdmin [email protected]

    <Location />
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile /var/www/html/myproxyservice/.htpasswd
        Require valid-user
    </Location>

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:32400/
    ProxyPassReverse / http://127.0.0.1:32400/
</VirtualHost>
```

But now I wanna have a nicer login form. This is possible with an Apache module.

mod_session

mod_auth_form "Here are easy Examples, so there is no need for me to make one"

Dear Linux users: you have to activate the following modules:

```bash
a2enmod session_cookie
a2enmod request
a2enmod auth_form
```


Best regards, R0b1ns - I'm on Discord too :)

Upvotes: 1
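
One way the mod_session / mod_auth_form route named in the answer above could look in front of the same proxy, as an added example that is not part of either answer. It assumes mod_session_crypto is enabled in addition to the modules listed there; the file paths, login.html, the /dologin handler URL and the passphrase are placeholders. It replaces the Basic prompt with a form and does not include the TOTP check from the question.

```apache
# Added example, not from the answers. Paths, URLs and the passphrase are placeholders.
# Needs: a2enmod session session_cookie session_crypto request auth_form proxy proxy_http
<VirtualHost *:80>
    ServerName myproxyservice.mydomain.de
    DocumentRoot /var/www/html/myproxyservice

    # Serve the login page and the login handler locally, never from the backend.
    # The exclusions must come before the catch-all ProxyPass.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /login.html !
    ProxyPass /dologin !
    ProxyPass / http://127.0.0.1:32400/
    ProxyPassReverse / http://127.0.0.1:32400/

    <Location />
        AuthType form
        AuthName "Restricted area"
        AuthFormProvider file
        AuthUserFile /etc/apache2/myproxyservice.htpasswd
        # Unauthenticated requests are redirected to the form instead of getting a 401.
        AuthFormLoginRequiredLocation /login.html

        Session On
        SessionCookieName session path=/;httponly
        # mod_auth_form keeps the user name and password in the session;
        # without mod_session_crypto the cookie carries them in clear text.
        SessionCryptoPassphrase REPLACE_WITH_LONG_RANDOM_SECRET
        # Do not pass the session cookie on to the proxied application.
        SessionCookieRemove On
        SessionMaxAge 1800

        Require valid-user
    </Location>

    # The form itself must be reachable without a session.
    <Location /login.html>
        Require all granted
    </Location>

    # login.html POSTs the fields httpd_username and httpd_password here.
    <Location /dologin>
        SetHandler form-login-handler
        AuthFormLoginSuccessLocation /
        Require all granted
    </Location>
</VirtualHost>
```

Once the virtual host is served over TLS, add `;secure` to the `SessionCookieName` attributes so the session cookie is never sent over plain HTTP.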
