httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Reverse Proxy and Authentication problem.
Date Fri, 29 Sep 2006 20:42:15 GMT
You set Require for your /. That means that Apache requieres
authentication for every request. Now here is simple description why
you have your problem:

1. Browser sends a request
2. Apache answers with 401 code: Authrization required
3. Browser asks user for a username and password and send it back to
the browser with each next request because HTTP is a stateless
protocol.
4. Apache check username/password for each request and grants access
if it sees it in its password file.
5. IIS send 401 for authorization
6. Browser asks for the new username/password and start to send these
with each request.
7. Apache refuses to provide access because it doesn't know these new user.

Your problem is that basic authentication is implemented on HTTP level
and both of your servers look like one to the browser.

I don't know how to fix this porblem. May be replacing Apache with
SQUID will help because SQUID send 407 when it asks for authroziation.

On 9/29/06, John Hallam <john_hallam@yahoo.com> wrote:
> I have a problem which I think might be a bug. I have
> setup Apache as a Reverse proxy and it works fine! The
> backend Web server is IIS. For some of the web pages a
> user has to enter their Windows credentials to reach
> the web page. This also works fine!
>
> The Problem: What is required is first a general
> authentication so that one can reach the backend
> server, which means that one authenticates first at
> the proxy and then a second time to access the
> protected IIS web pages. The first authenticate to
> grant access through the proxy works fine, but the IIS
> authentication part doesn't. If I look at the error
> log Apache is trying to authenticate the user instead
> of passing it through. Why? Is there a simple answer?
>
> The relevant configuration:
>
> <VirtualHost *:443>
>         ServerAdmin webmaster@localhost
>         ServerName proxy.xxxxxx.com
>
>         SSLEngine On
>         SSLProxyEngine on
>         SSLCertificateFile
> /etc/ssl/xxxxxxCA/www-cert.pem
>         SSLCertificateKeyFile
> /etc/ssl/xxxxxCA/www-key.pem
>
>         ProxyRequests Off
>
>         <Location />
>         AuthType Basic
>         AuthAuthoritative Off
>         AuthName "Restricted Area - PharmaPart only"
>         AuthLDAPAuthoritative Off
>         AuthLDAPURL
> ldap://ldap.xxxxx.net/ou=people,dc=xxxxxx,dc=com?mail?sub?(objectClass=*)
>         Require valid-user
>         ProxyPass http://ppzhsr02.xxxxxxx.net/
>         ProxyPassReverse http://ppzhsr02.xxxxxx.net/
>         </Location>
>
>         <Proxy *>
>         Order deny,allow
>         Allow from all
>         </Proxy>
>
> Like I've stated - take the Authxxxx part away and the
> IIS authentication works fine. It appears to me that
> when I put the Authxxxx statements in place that the
> Proxy wants to do all authentications rather than just
> the first access authentication.
>
> Can anyone help?
>
> Thanx
> John
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message