reverse proxy with authentication

I need to secure a bunch of web apps on separate internal servers for access from the internet, and it seems that a reverse proxy is probably a decent way of doing this. The problem is going to be authentication, as I want to put front end security on the proxy (so unauthenticated users can't touch my apps with their own dubious security) but some of the apps require their own username and password, potentially different to the proxy. This won't work using conventional web security obviously, so I'll need to get a little creative.

What I was thinking is something that goes like this:

- User goes to apps.company.com.au/auth and enters username + password
- Proxy validates credentials and sets a cookie
- The proxy validates the cookie for each request, then 'eats' it before passing the request to the internal server
- Any access without the set cookie gets redirected to the /auth page for authentication
- Apps are accessed via apps.company.com.au/appname

My google-fu is weak just lately though and I can't find anything that might do what I want... the reverse proxy part is fine (squid or apache) but not the front end authentication layer. The docs for mod_proxy (which I've used before) don't seem to suggest that I can do it that way.

Any suggestions?

Thanks

James
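The scheme sketched in the post above (login page on the proxy, one proxy-issued cookie, cookie checked and then stripped before the request reaches the app server, redirect to /auth when it is missing, apps under /appname) maps directly onto Apache httpd's mod_auth_form and mod_session modules. The configuration below is an added example written for this page; it is not the poster's config and not taken from the Apache documentation. It assumes Apache httpd 2.4 with the listed modules available, and the hostnames, file paths, backend URLs (wiki.internal, crm.internal) and the passphrase are placeholders.

```apache
# Added example: front-end form login on an Apache 2.4 reverse proxy.
# Modules assumed loaded: mod_ssl, mod_session, mod_session_cookie,
# mod_session_crypto, mod_auth_form, mod_request, mod_authn_file,
# mod_authz_core, mod_alias, mod_proxy, mod_proxy_http.
<VirtualHost *:443>
    ServerName apps.company.com.au
    SSLEngine on
    # Certificate paths are assumptions.
    SSLCertificateFile    /etc/ssl/apps.company.com.au.crt
    SSLCertificateKeyFile /etc/ssl/apps.company.com.au.key

    # 1. One encrypted session cookie for the whole site. HttpOnly so
    #    pages served by the app servers cannot read it from script,
    #    Secure so it is never sent over plain HTTP.
    #    The passphrase is a placeholder; generate a long random one.
    Session On
    SessionCookieName proxysess path=/;httponly;secure
    SessionCryptoPassphrase "replace-with-a-long-random-secret"
    SessionMaxAge 3600

    # 2. "Eat" the cookie: remove proxysess from the incoming Cookie:
    #    header before the request is forwarded, so the backends never
    #    see the proxy's session at all.
    SessionCookieRemove On

    # 3. Default policy for the whole site: a valid session is required.
    #    AuthFormLoginRequiredLocation turns the 401 into a redirect to
    #    the login page. User file path is an assumption.
    <Location />
        AuthType form
        AuthName "apps.company.com.au"
        AuthFormProvider file
        AuthUserFile /etc/httpd/proxy-users.htpasswd
        AuthFormLoginRequiredLocation /auth/
        Require valid-user
    </Location>

    # 4. The login page itself is served from local disk, never proxied,
    #    and is reachable without a session. This Location must come
    #    after <Location /> so that it overrides the site-wide Require.
    #    login.html (assumed) contains a form that POSTs the fields
    #    httpd_username and httpd_password to /auth/login.
    Alias /auth/ /var/www/proxy-auth/
    ProxyPass /auth !
    <Directory /var/www/proxy-auth>
        DirectoryIndex login.html
        Require all granted
    </Directory>
    <Location /auth>
        Require all granted
    </Location>

    # 5. Credential check. On success mod_session sets the cookie and the
    #    browser is sent to /; on failure it is sent back to the form.
    <Location /auth/login>
        SetHandler form-login-handler
        AuthType form
        AuthName "apps.company.com.au"
        AuthFormProvider file
        AuthUserFile /etc/httpd/proxy-users.htpasswd
        AuthFormLoginRequiredLocation /auth/
        AuthFormLoginSuccessLocation /
    </Location>
    <Location /auth/logout>
        SetHandler form-logout-handler
        AuthFormLogoutLocation /auth/
    </Location>

    # 6. Apps under apps.company.com.au/appname. Backend hosts assumed.
    #    Exclusions (the "!" above) must precede these ProxyPass lines.
    ProxyPass        /wiki http://wiki.internal:8080/wiki
    ProxyPassReverse /wiki http://wiki.internal:8080/wiki
    ProxyPass        /crm  http://crm.internal/crm
    ProxyPassReverse /crm  http://crm.internal/crm
</VirtualHost>
```

Two points worth checking before relying on this. First, because the proxy authenticates with a form and a cookie rather than HTTP Basic, it never generates an Authorization header, so an app that wants its own Basic or form login still negotiates that directly with the browser and the two layers do not collide. Second, the apps' own cookies pass through untouched; if two backends both set a cookie with the same name and path=/, they will clobber each other under the shared hostname, so use ProxyPassReverseCookiePath (or per-app cookie paths on the backends) and test each app's absolute links, which ProxyPassReverse does not rewrite inside HTML.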

James Harper wrote:
I need to secure a bunch of web apps on separate internal servers for access from the internet, and it seems that a reverse proxy is probably a decent way of doing this. The problem is going to be authentication, as I want to put front end security on the proxy (so unauthenticated users can't touch my apps with their own dubious security) but some of the apps require their own username and password, potentially different to the proxy. This won't work using conventional web security obviously, so I'll need to get a little creative.

I have something similar; my reverse proxy does http-level auth (apache, mod_proxy & mod_authnz_ldap), and some of the apps behind it also do their own separate html form/cookie/whatever auth. Neither layer knows/cares/interferes with the other. I determined to my satisfaction that I could not have two layers (the proxy httpd and the "real" httpd) both doing http-layer auth, unless they were both using the same uname/passwd pair. In which case, it works fine, because apache simply passes the appropriate header straight on to the backend httpd. (Unless you tell it not to, of course.)

Trent W. Buck wrote:
I determined to my satisfaction that I could not have two layers (the proxy httpd and the "real" httpd) both doing http-layer auth, unless they were both using the same uname/passwd pair. In which case, it works fine, because apache simply passes the appropriate header straight on to the backend httpd. (Unless you tell it not to, of course.)

Which kind of excludes it being useful to my situation, where the backend server may require different or no credentials... I've had a look at the squid logs and I think I can do what I want with a deny redirection and some creative ACLs.

James
participants (2)
-
James Harper
-
Trent W. Buck