Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

Fri, 14 Jun 2024 11:25:31 -0700 

On 6/14/24 12:41, M Foster wrote:

Hello,
I'm struggling a bit with an issue when using Apache as a reverse proxy when needing to use differing Authentication. I've searched for a couple of days now, but nothing matching what I'm seeing has come up.
The scenario is that I am using Apache as a reverse proxy, but sending a sub-path to different backend like so (extremely simplified): 

<Location "/foo/bar">
   ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
</Location>
<Location "/foo">
   ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
</Location>
One is overriding the other, so you get an arbitrary result. You can exclude /foo/bar from your second pass by using something like LocationMatch instead: 

<Location /foo/bar>
  .. things here for /foo/bar
</Location>
<LocationMatch "^(/foo/(?!bar).*)$">
    .. things here for /foo/baz but not /foo/bar
    ProxyPass "http://host1.example.com/$1";
</LocationMatch>
Do note that if the Auth realm is the same, you can get the wrong credentials showing up if they differ. These should be unique if the credentials are.
This works without issue. However, as soon as I try to put authentication on the second location (or more accurately different authentication directives), any request to "/foo/bar" triggers auth: 

Example:
<Location "/foo/bar">
   ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
</Location>
<Location "/foo">
   AuthType basic
   AuthName "Restricted"
   AuthUserFile /usr/local/apache2/.htpasswd
   Require valid-user
   ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
</Location>
In the logs, set to trace8, I see that now apache is matching the REQUEST_URI to the wrong proxy handler: 

"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
"URI path /foo/bar' matches proxy handler 'proxy:http:// host1.example.com/foo/bar <http://host1.example.com/foo/bar>'" "authorization result of Require valid-user : denied (no authenticated user)"
Without any auth, the logs correctly show the request to `/foo/bar` being routed to the correct proxy handler 'proxy:http://host2:8080/foo/ bar <http://host2:8080/foo/bar>'.
If anyone has any ideas on why adding auth completely blows up the proxy routing, I'd appreciate it. Otherwise, I'll have to create two proxy servers, just to handle each case. 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to