
My intent is to have Jenkins behind apache. It uses a proxy-pass (for /) and I want it to be behind some basic auth.

So I have set up an apache2, using DigitalOcean's tutorial as a starting point.

I have generated a .htpasswd file with username/password test.

Whenever I configure my VirtualHost and I purposefully point to a non-existing file for authentication, I see an error in the apache logs. Whenever I use the correct .htpasswd I do not see such logs.

I get a Basic Auth username/passwd pop-up in my browser as expected. Whenever I use a wrong username (non-existing), this also comes up in the logs as expected. When I use the correct test credentials I do not see such messages in the logs.

However, regardless of using the correct credentials, I still get the Basic Auth credentials pop-up re-appearing (and a 401 appears in my access log).

I can see that for those login attempts (with correct credentials) I do get a 401 (I see it in the access logs). I do not see any errors about invalid credentials in the error logs. Whenever I type in wrong credentials they do appear there.

For completeness' sake, here is my config on the virtual host:

<VirtualHost *:80>
  ProxyPreserveHost On
  ProxyRequests On

  ServerName <bla>.<somehostname>.<bar>
  ServerAlias *.<somehostname>.<bar>

  ProxyPass / http://localhost:8090/
  ProxyPassReverse / http://localhost:8090/

  AllowEncodedSlashes NoDecode

  <Proxy http://localhost:8090>
    AllowOverride        All
    AuthType             Basic
    AuthUserFile         "/etc/apache2/.htpasswd"
    Require              valid-user
    Order allow,deny
    Allow from all
  </Proxy>

  ErrorLog ${APACHE_LOG_DIR}/ci_error.log
  CustomLog ${APACHE_LOG_DIR}/ci_access.log combined

  Header set Access-Control-Allow-Origin "*"
</VirtualHost>

I have no idea what to do next. I have been trying all sorts of things, like non-encoded usernames/passwords (did not help, I use the htpasswd tool). I tried using Location instead of Proxy; it also did not have any effect. I made sure to set AllowOverride to All everywhere, which did not do anything.

  • Jenkins has built-in authentication. – jordanm Apr 12 '18 at 16:19
  • @jordanm I know, it is not that. I had set up Jenkins with authentication before doing this. I want to make sure only a few people can actually access this server. Via Basic Auth was a good idea (instead of IP filtering). – Stefan Hendriks Apr 12 '18 at 16:28
  • And getting to Jenkins directly without proxy works fine? – Ondřej Xicht Světlík Apr 13 '18 at 11:13
  • @OndřejXichtSvětlík thx for asking. Getting to Jenkins directly works fine (disabling the proxy config). I noticed, when disabling the proxy and just setting up security for let's say /var/www, it works fine with the `.htpasswd` file. Re-enabling the proxy stopped asking for password (I disabled that), then re-enabling the part with basic auth broke it again. There is something I miss within the element I guess. But what... – Stefan Hendriks Apr 15 '18 at 14:26
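
Added example, not part of the original post or written by its author: a reverse-proxy vhost in Apache 2.4 syntax that puts Basic auth in front of the Jenkins backend on port 8090. It assumes the repeated 401 comes from Jenkins itself rejecting the forwarded `Authorization` header, which fits a 401 in the access log with nothing in the error log but is not confirmed anywhere on this page; `ci.example.test` and the realm name are placeholders.

```apache
# Added example. Placeholders: ci.example.test, realm "Restricted CI".
<VirtualHost *:80>
  ServerName ci.example.test

  # Reverse proxy only. ProxyRequests On additionally turns the server into a
  # forward proxy, which ProxyPass does not need.
  ProxyRequests Off
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode

  ProxyPass        / http://localhost:8090/
  ProxyPassReverse / http://localhost:8090/

  # Apache 2.4 access control: Require replaces Order/Allow.
  # AuthName (the realm) is required alongside AuthType Basic.
  <Location "/">
    AuthType     Basic
    AuthName     "Restricted CI"
    AuthUserFile "/etc/apache2/.htpasswd"
    Require      valid-user
  </Location>

  # Assumption: Jenkins evaluates any Authorization header it receives against
  # its own user database and answers 401 when the .htpasswd user is unknown
  # to it. mod_headers applies RequestHeader after Apache's own auth check, so
  # the credentials are verified here and then dropped before proxying.
  RequestHeader unset Authorization

  # Basic credentials are only base64-encoded; terminate TLS on this vhost
  # (or in front of it) before exposing it beyond a trusted network.
  ErrorLog  ${APACHE_LOG_DIR}/ci_error.log
  CustomLog ${APACHE_LOG_DIR}/ci_access.log combined
</VirtualHost>
```

With the header stripped, Jenkins clients that themselves authenticate with Basic auth (for example with API tokens) cannot do so through this vhost.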

0 Answers