5

I'm having trouble figuring out how to add basic HTTP authentication to password-protect a development testing environment running on a production web server. Both the main site and the testing environment are virtual hosts that use AJP proxying to serve separate instances of Tomcat webapps. We need to prevent the public from accessing the testing environment without making changes to web.xml in the Tomcat environment; the protection must be achieved with Apache, not Tomcat. However, the ProxyPass and ProxyPassReverse directives in the virtual host seem to override the use of .htaccess or anything I put in a <Directory> control block, while it seems that I cannot use directives like AuthType in the main body of the <VirtualHost> control block alongside them. I'm not very experienced with Apache (or Tomcat) and unsure about what directives can apply where and which might override others. Because the changes need to be made on a production server, I can't easily experiment for fear of causing any downtime.

The httpd.conf itself is very simple:

LoadModule  proxy_http_module   /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule  headers_module      /usr/lib/apache2/modules/mod_headers.so

LoadFile    /usr/lib/libxml2.so

The relevant virtual host file, /etc/apache2/sites-available/dev443 is as follows:

<IfModule mod_ssl.c>
<VirtualHost dev.mydomain.com:80443>
    ServerName  dev.mydomain.com:80443
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/dev

    ProxyPass / ajp://127.0.0.1:8010/
    ProxyPassReverse / ajp://127.0.0.1:8010/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/dev/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All 
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/intermediate.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

For the record, the following versions are involved: Apache: 2.2.14 / Tomcat: 7.0.23 / Java: SE 1.6.0_26-b03 / OS: Ubuntu 10.04 LTS

Joe Carroll
  • I think it will be more secure to restrict the access using `allow from` and `deny from` instead of authentication to block access from public. – Khaled Jan 23 '12 at 09:14
  • Currently, we're filtering by IP using the firewall, which is essentially the same approach. However, a few people involved in the project need access to the testing environment from home and they don't have fixed IP addresses for their Internet connections, so I thought password protection would involve less maintenance in the long run. – Joe Carroll Jan 23 '12 at 11:32
  • Can I move the AJP proxy configuration within a control block? I had a look at this [StackOverflow Q&A](http://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication) that suggests it supports authentication. Would it be supported inside a control block (the solution has it in httpd.conf)? – Joe Carroll Jan 23 '12 at 11:39

1 Answer

3

As you've discovered, the <Directory> blocks don't apply because you're serving content from a proxy server, not a local directory.

Try <Location> instead.

<Location />
    ProxyPass ajp://127.0.0.1:8010/
    ProxyPassReverse ajp://127.0.0.1:8010/
    AuthType Basic
    AuthName "something"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
Shane Madden
  • I had just started looking into the possibility of using <Location> but I was having trouble finding confirmation in the documentation that this approach was supported and hadn't gotten around to testing it. The [documentation](http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html) specifies that the contexts in which these directives are allowed includes <Directory> but there's no mention there of <Location>, although it seems that <Directory> and <Location> are effectively equivalent/interchangeable (except for the distinction of the source of the content). – Joe Carroll Jan 24 '12 at 09:54
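The answer's <Location> approach applied to the dev443 virtual host from the question, as an added example (not code from the original question or answer). Because the whole site is proxied, mod_proxy selects the handler on the URL path, which is exactly what <Location> matches, so the auth directives run in the authentication phase before the request is handed to Tomcat. The hostname, port, certificate paths and the AJP backend on 127.0.0.1:8010 are taken from the question; the realm name and the password file path /etc/apache2/dev.htpasswd are assumptions. The unchanged cgi-bin, /doc and BrowserMatch sections from the original file are left out for brevity.

```apache
# Added example: dev vhost with HTTP Basic auth enforced by Apache in front of
# the AJP proxy. Directives are Apache 2.2 syntax to match the question.
<IfModule mod_ssl.c>
<VirtualHost dev.mydomain.com:80443>
    ServerName  dev.mydomain.com:80443
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/dev

    # Basic auth sends the password base64-encoded on every request, so it is
    # only acceptable because this vhost is TLS-only.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/intermediate.crt

    # Reverse proxy only; never let the server act as an open forward proxy.
    ProxyRequests Off

    # ProxyPass moves inside <Location>. With the path supplied by the block,
    # the directive takes only the backend URL. ajp:// URLs require
    # mod_proxy_ajp to be loaded (Ubuntu: a2enmod proxy_ajp); mod_proxy_http
    # alone is not enough.
    <Location />
        ProxyPass        ajp://127.0.0.1:8010/
        ProxyPassReverse ajp://127.0.0.1:8010/

        # mod_auth_basic + mod_authn_file + mod_authz_user; all three are
        # enabled by default on Ubuntu's apache2 package.
        AuthType Basic
        AuthName "Development testing environment"
        AuthUserFile /etc/apache2/dev.htpasswd   # assumed path
        Require valid-user

        # Optional: the credentials only mean something to Apache, so do not
        # forward them to the Tomcat webapp (mod_headers is already loaded).
        RequestHeader unset Authorization
    </Location>

    ErrorLog /var/log/apache2/error.log
    LogLevel info
    CustomLog /var/log/apache2/ssl_access.log combined
</VirtualHost>
</IfModule>
```

Create the password file before reloading, with `htpasswd -c /etc/apache2/dev.htpasswd alice` for the first user and without `-c` for the rest, and keep it readable only by root and the web server user (`chown root:www-data`, `chmod 640`); Apache 2.2's htpasswd has no bcrypt option, so the file's permissions are the main protection for the hashes. To avoid downtime on the production box, run `apache2ctl configtest` first and then `apache2ctl graceful`, which re-reads the configuration without dropping in-flight connections. Verify from outside with `curl -k -I https://dev.mydomain.com:80443/`, which should return 401 with a `WWW-Authenticate: Basic realm=...` header, and again with `-u alice:password`, which should pass through to Tomcat. Finally, check that no separate plain-HTTP vhost still proxies the same backend without the <Location> block, since the auth only covers the vhost that declares it.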