Reputation: 6383
Apache2 - authorize users against a Location using BasicAuth but ONLY for users outside local subnet
In my Apache 2 config I have a VirtualHost which looks something like this:
<VirtualHost *:80>
ServerName sub.domain.com
# username:password sent on to endpoint
RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="
ProxyPass /xyz http://192.168.1.253:8080/endpoint
ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint
<Location /xyz>
# This needs to let users through under the following circumstances
# * They are in 192.168.1.0/24
# * They have a valid user in a htpasswd file
# So what goes here?
</Location>
</VirtualHost>
I am using the virtual host as reverse proxy to another server (which I will call the endpoint) on the network.
I am trying to figure out a configuration that would allow users inside the network browsing to sub.domain.com to automatically be served the endpoint. However, users outside the network should be prompted for credentials
The endpoint requires a password which I have hidden by using RequestHeader (which I want). The password external users should be prompted by is DIFFERENT and will need to be BasicAuth, getting it's user list from a htpasswd file.
Upvotes: 1
Views: 15103
Answers (3)
Reputation: 5733
I think that David has covered Apache2 configuration pretty well, but it's also common to use split DNS to provide different services to your internal and external users. There's really no reason for your internal users to make a request from your proxy, since they (ostensibly) have direct access to the "endpoint".
There are cases where you can actually incur routing delays and congestion if your internal users are connecting to one of your public IP addresses. Originally, I was a fan of having separate hardware for the two DNS servers, but have recently switched to using bind "views" to provide different zones to my two users classes.
Upvotes: 0
Reputation: 15208
You could create two vhosts, one that listens on the external interface and one the local. The auth settings would be in the former.
Upvotes: 0
Reputation: 131650
<Location /xyz>
# This needs to let users through under the following circumstances
# * They are in 192.168.1.0/24
# * They have a valid user in a htpasswd file
Right out of http://httpd.apache.org/docs/2.2/mod/core.html#satisfy:
Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy any
Of course, you also need to include your AuthUserFile or whatever directives
AuthType basic
AuthName "yadayadayada"
AuthUserFile /foo/bar/blah/.htpasswd
</Location>
Upvotes: 8
Related Questions
- Apache Deny <Location> but allow to sub Location
- Combine ip and user auth restriction for subfolder in apache 2.4
- Apache basic authentication except for those Allowed
- Apache .htaccess - applying basic authentication conditionally based on environment or hostname
- .htaccess / .htpasswd bypass if at a certain IP address
- Apache Basic Auth only for Requests with URL Path
- Apache authentication except localhost
- How to exclude some IPs from authorization
- Apache authentification - letting users from X IP address in WITHOUT required password, others must type password
- How do you limit access to a site by geographical location?