
James Harper wrote:
I need to secure a bunch of web apps on separate internal servers for accessing from the internet, and it seems that a reverse proxy is probably a decent way of doing this. The problem is going to be authentication as I want to put front end security on the proxy (so unauthenticated users can't touch my apps with their own dubious security) but some of the apps require their own username and password, potentially different to the proxy. This won't work using conventional web security obviously, so I'll need to get a little creative.
I have something similar; my reverse proxy does http-level auth (apache, mod-proxy & mod-authnz-ldap), and some of the apps behind it also do their own separate html form/cookie/whatever auth. Neither layer knows/cares/interferes with the other. I determined to my satisfaction that I could not have two layers (the proxy httpd and the "real" httpd) both doing http-layer auth, unless they were both using the same uname/passwd pair. In which case, it works fine, because apache simply passes the appropriate header straight on to the backend httpd. (Unless you tell it not to, of course.)
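An added example of the setup described in that reply, written here and not taken from either poster's configuration: an Apache 2.4 httpd reverse proxy that authenticates against LDAP at the front door and forwards to an internal app. The hostnames, LDAP DNs, certificate paths and the backend URL are assumptions for illustration. It also shows the "unless you tell it not to" part: the `RequestHeader unset Authorization` line stops the proxy from handing the user's LDAP password to a backend that does its own form/cookie login. Leave that line out for a backend that does HTTP auth with the same username/password pair, since that case relies on the header being passed through.

```apache
# Added example (not from the thread). Apache 2.4 reverse proxy with
# front-end LDAP auth; all names and paths below are assumed for illustration.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule headers_module      modules/mod_headers.so
LoadModule ssl_module          modules/mod_ssl.so

# CA bundle used to verify the LDAP server when AuthLDAPURL uses ldaps://
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/internal-ca.pem

<VirtualHost *:443>
    ServerName apps.example.com

    # Basic auth sends credentials base64-encoded, not encrypted, so the
    # internet-facing side must be TLS only.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apps.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/apps.example.com.key

    # Do not act as an open forward proxy; only the explicit ProxyPass below.
    ProxyRequests Off

    <Location "/app1/">
        # Front-end security on the proxy: an unauthenticated client never
        # reaches the backend at all.
        AuthType Basic
        AuthName "Internal apps"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=proxy,ou=service,dc=example,dc=com"
        AuthLDAPBindPassword "change-me"
        Require ldap-group cn=app1-users,ou=groups,dc=example,dc=com

        # The backend does its own form/cookie login, so strip the client's
        # Authorization header instead of forwarding the LDAP password to it.
        # (Omit this for a backend that does HTTP auth with the same
        # username/password, which depends on the header being passed on.)
        RequestHeader unset Authorization

        # Hand the proxy-authenticated user to the backend if it wants it.
        # mod_headers runs after auth by default, so REMOTE_USER is set here.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

        ProxyPass        "http://app1.internal:8080/"
        ProxyPassReverse "http://app1.internal:8080/"
    </Location>
</VirtualHost>
```

Two checks worth doing once this is in place: confirm from the outside that `app1.internal:8080` is not reachable except via the proxy (the front-end auth only covers requests that actually go through it), and confirm with `curl -v https://apps.example.com/app1/` without credentials that the proxy answers 401 with its own `WWW-Authenticate: Basic realm="Internal apps"` rather than a page from the backend.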