2

On a development server, I have installed the tool Jenkins for automated testing. This runs on port 8080. If I go to www.mysite.com:8080 I can see the command panel for this. I want to make this inaccessible to the outside world by password protecting it using Apache. (My server is running Ubuntu 12.04 LTS). I read through the following page for general advice and specifically on the topic of security they suggest the following settings:

<VirtualHost *:80>
    ServerAdmin your@email.address.com
    DocumentRoot "/opt/apache/httpd/htdocs"
    ServerName jenkins.yourdomain.com
    ErrorLog "logs/jenkins-error_log"

    ProxyPass /jenkins/ ajp://127.0.0.1:8102/jenkins/
    ProxyPassReverse /jenkins/ ajp://127.0.0.1:8102/jenkins/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
    <Location /jenkins/>
         AuthType basic
         AuthName "jenkins"
         AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
    </Location>
</VirtualHost> 

My Apache file currently has the following settings:

<VirtualHost *:80>
        # Admin email, Server Name (domain name), and any aliases
        ServerAdmin tech@mysite.com
        ServerName www.mysite.com
        ServerAlias mysite.com

        # Index file and Document Root (where the public files are located)
        DirectoryIndex index.html index.php
        DocumentRoot /var/www

        # Log file locations
        LogLevel warn
        ErrorLog /var/log/apache/error.log
        CustomLog /var/log/apache/access.log combined

</VirtualHost>

I could not get the suggested approach to work without an error (though no messages in console or in the logs), so I added the following lines:

<VirtualHost *:8080>
    ServerName www.mysite.com
    ProxyPass / http://www.dev.mysite.com:8080/
    ProxyPassReverse / www.dev.mysite.com:8080/
    ProxyPreserveHost on
    <Proxy *>
        AuthType Basic
        AuthName "Dev Server"
        AuthUserFile "/home/.htpasswd"
        Require valid-user
    </Proxy>
</VirtualHost>

And in my .htpasswd file I put the following lines:

john:n5MfE
dave:9fluR

I then restarted Apache but port 8080 is still accessible without a password. Am I following the correct procedure?

celenius
  • If this is a development server and you don't want to make it accessible to the outside world, why serve it on your machine's public IP address? Start by restricting your Apache to serve anything only on, say, 127.0.0.1 (and please, if it is a development server, don't run something else on it) and always use it through an SSH tunnel with your browser. – ogerard Jan 08 '15 at 07:18

2 Answers

2

You should use the htpasswd program to create and add users to the .htpasswd file, as plaintext passwords are not supported on Linux, e.g.

htpasswd -c /home/.htpasswd john
New password:
Re-type new password:
Adding password for user john

will create the file and add the user john with the password you provide. You can then add other users like this:

htpasswd /home/.htpasswd dave
New password:
Re-type new password:
Adding password for user dave
user9517
  • Ah, I see. I just changed the password using this approach, restarted Apache, but I still am not prompted for a password to view this port. – celenius Mar 23 '13 at 15:18
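
A check for the file-format problem the answer above describes, as an added example that is not part of the original answer: it classifies each .htpasswd entry by hash format and flags entries, like the two in the question, that are not in any format htpasswd writes. The names `classify`, `lint_htpasswd` and `SAMPLE` are hypothetical, the non-question entries are constructed, and the "weak" labels follow the htpasswd documentation, which describes its crypt() and SHA options as insecure.

```python
import base64
import hashlib
import re

# (format name, pattern, strength). First match wins.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "ok"),
    ("crypt-sha2", re.compile(r"^\$[56]\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+$"), "ok"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),   # unsalted
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), "weak"),      # 8-char limit
]

def classify(hash_field):
    """Return (format, strength) for the part after 'user:'."""
    for name, pattern, strength in FORMATS:
        if pattern.match(hash_field):
            return name, strength
    return "unrecognized", "invalid"

def lint_htpasswd(text):
    """Return one (line number, user, format, strength) tuple per entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, line, "malformed", "invalid"))
            continue
        findings.append((lineno, user, *classify(hash_field)))
    return findings

# Lines 1-2 are the entries from the question; the rest are constructed
# placeholders with the right shape (not hashes of real passwords).
SAMPLE = "\n".join([
    "john:n5MfE",
    "dave:9fluR",
    "alice:$apr1$" + "s" * 8 + "$" + "h" * 22,
    "bob:$2y$05$" + "b" * 53,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode(),
])

if __name__ == "__main__":
    for lineno, user, fmt, strength in lint_htpasswd(SAMPLE):
        print(f"line {lineno}: {user:<6} {fmt:<12} {strength}")
```
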
2

I'm not sure the <Proxy> directive handles HTTP Basic auth (the documentation suggests only restriction by IP/domain). I think you should just use a general method like:

<Location />
    AuthType Basic
    AuthName "Dev Server"
    AuthUserFile "/home/.htpasswd"
    Require valid-user
</Location>
dsznajder