7

I have a need to make sure that my URL, call it www.domain.com, is always protected at least via Basic HTTP authentication. Also, I want to use mod_rewrite to send my users to one of two OC4J instances running on my server. I also want to protect my OC4J admin panel (and other admin-type functions) with this same authentication. I'll have 2 users, call them admin (admin will have access to both the OC4J instances and the OC4J admin panel) and guest (guest will only be able to reach the OC4J instances).

So, let's say I have two OC4J instances: instance_a and instance_b. instance_a will run on port 8888 and instance_b will run on port 8889. When a user types www.domain.com/instance_a I want to first make sure they are authenticated to the server, then I want to use mod_rewrite to proxy the request to www.domain.com:8888/instance_a. This will follow suit for instance_b. Again, ANY user, admin or guest, can get to these instances. If the user tries to go to the OC4J admin panel directly for either instance, I want to kick them out if they are not an admin user.

I have a VirtualHost entry that looks something like this:

    <VirtualHost *:80>
            ServerName www.domain.com
            CustomLog "/var/log/httpd/ic/access_log" "combined"
            ErrorLog "/var/log/httpd/ic/error_log"
            RewriteEngine on
            RewriteLogLevel 9
            RewriteLog "/var/log/httpd/rewrite_log"
            RewriteCond %{REMOTE_USER} !^guest$ [OR]
            RewriteCond %{REMOTE_USER} !^admin$
            RewriteCond %{REQUEST_URI} ^/instance_a.*$
            RewriteRule ^.*$ - [F,L]
            <LocationMatch "^/.*$">
                    AuthType Basic
                    AuthName "Please Login"
                    AuthBasicProvider file
                    AuthUserFile /usr/local/apache/passwd/passwords
                    Require valid-user
            </LocationMatch>
    </VirtualHost>

For some reason this isn't working (not that I am surprised). It seems like when I use both the Authentication and the mod_rewrite stuff they don't work together.

Thanks in advance.

El Guapo

3 Answers

1

I believe the problem with the configuration as posted is the first two RewriteCond lines:

    RewriteCond %{REMOTE_USER} !^guest$ [OR]
    RewriteCond %{REMOTE_USER} !^admin$

If REMOTE_USER is 'admin', the first test succeeds, causing a Forbidden response. The case for 'guest' is similar. You could try combining the two tests:

    RewriteCond %{REMOTE_USER} !^(guest|admin)$

If REMOTE_USER is guest or admin, ^(guest|admin)$ will match, causing the whole RewriteCond to fail.

outis
  • Or, just remove the `OR` flag on the first `RewriteCond` directive, to make it an _implicit_ AND. (Effectively the same as your combined rule... `!^(guest|admin)$`) – MrWhite Oct 30 '15 at 23:46
  • I was referring to modifying the OP's original two conditions (your combined rule is correct)... `!guest AND !admin` (by simply removing the `[OR]`) would be the equivalent of your combined rule `!(guest OR admin)`. Just another way of expressing the same thing. – MrWhite Nov 02 '15 at 00:57
  • But the regex are negated (`!`). – MrWhite Nov 02 '15 at 10:08
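
The `[OR]` behaviour discussed in this answer and its comments, as an added example that is not code from the original posts: a small Python model of how mod_rewrite chains `RewriteCond` lines (ANDed by default, `[OR]` joining a condition to the next one), run over the question's conditions and the two suggested fixes. The helper names, the user `mallory` and the request path are constructed for illustration.

```python
import re

def cond(var, pattern, or_next=False):
    """One RewriteCond: a leading '!' in the pattern negates the match."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern)
    return (var, regex, negate, or_next)

def conds_match(conds, env):
    """Conditions are ANDed; [OR] joins a condition to the one after it."""
    i = 0
    while i < len(conds):
        var, regex, negate, or_next = conds[i]
        ok = (regex.search(env.get(var, "")) is not None) != negate
        if or_next:
            if ok:
                # One member of the OR group is true: skip the rest of it.
                while i < len(conds) and conds[i][3]:
                    i += 1
            # If false, a later member of the group may still be true.
        elif not ok:
            return False
        i += 1
    return True

URI = cond("REQUEST_URI", r"^/instance_a.*$")
# The three condition lists from the question, the answer and the comment.
ORIGINAL = [cond("REMOTE_USER", "!^guest$", or_next=True),
            cond("REMOTE_USER", "!^admin$"), URI]
COMBINED = [cond("REMOTE_USER", "!^(guest|admin)$"), URI]
IMPLICIT_AND = [cond("REMOTE_USER", "!^guest$"),
                cond("REMOTE_USER", "!^admin$"), URI]

def forbidden(conds, user, uri="/instance_a/index.jsp"):
    """True when the conditions match, i.e. RewriteRule ^.*$ - [F,L] fires."""
    return conds_match(conds, {"REMOTE_USER": user, "REQUEST_URI": uri})

if __name__ == "__main__":
    # Constructed sample users; "" stands for an unset REMOTE_USER.
    for user in ("admin", "guest", "mallory", ""):
        print(f"{user!r:10}", forbidden(ORIGINAL, user),
              forbidden(COMBINED, user), forbidden(IMPLICIT_AND, user))
```
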
0

Not sure if this will help or not, but you may want to pull your Rewrite Conditions/Rules out of the LocationMatch and put them before/after the LocationMatch.

Jordan S. Jones
0

Blimey.

This is untested, but perhaps something like:

    <VirtualHost *:80>
            ServerName www.domain.com
            CustomLog "/var/log/httpd/ic/access_log" "combined"
            ErrorLog "/var/log/httpd/ic/error_log"
            RewriteEngine on
            # $1 already begins with "/", so no extra slash after the port
            RewriteRule ^(/instance_a/.*) http://localhost:8888$1 [P]
            RewriteRule ^(/instance_b/.*) http://localhost:8889$1 [P]
            # Any authenticated user may reach the proxied instances
            <Proxy "http://localhost:888?/">
                    AuthType Basic
                    AuthName "Please Login"
                    AuthBasicProvider file
                    AuthUserFile /usr/local/apache/passwd/passwords
                    Require valid-user
            </Proxy>
            # Admin panel: admin group only (group membership needs a
            # group source such as AuthGroupFile)
            <Proxy "http://localhost:888?/instance_?/admin">
                    Require group admin
            </Proxy>
    </VirtualHost>

I'm not sure whether you need to duplicate the auth directives in each Proxy block -- you'll have to experiment.

markdrayton