5

I have the following server setup:

  • Apache Tomcat 7 running Atlassian's Jira (http:// <server-ip>:8081/tickets)
  • Apache 2.4 web server as reverse proxy serving only the jira application at the moment, but there are more to come (http://<server-ip>/tickets)

Now, I want to restrict accesss to the whole system (i.e. http://<server-ip>/*) by setting up a basic authentication.

This is how the only enabled apache site config looks like:

 <VirtualHost *:80> <Proxy *> Require all granted </Proxy> ProxyRequests Off ProxyPreserveHost On ProxyPass /tickets http://localhost:8081/tickets ProxyPassReverse /tickets http://localhost:8081/tickets <Location /> AllowOverride AuthConfig AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/apache2/.htpasswd Require user myuser </Location> </VirtualHost>

But with this config I encounter a problem while trying to log in. After entering the login data, the login window pops up asking again for the login. After three attempts a 401 error is returned by the tomcat! application and not apache.

There is no entry in neither apache's access.log nor error.log for this request. Though apache will log requests with wrong credentials.

How can I configure Apache to proxy all /tickets/* requests to Tomcat while forcing the client to authenticate when accessing /*?

Improve this question

2 Answers 2

Reset to default
2

It made me suspicious that I got a 401 error from the tomcat application. it seems, that apache fowarded the authorization request, though it shouldn't. I had to remove the "Authorization" parameter from the request header.

To do this. I enabled mod_headers and added RequestHeader unset "Authorization" just before the ProxyPass directives.

So my config looks like the following now:

 <VirtualHost *:80> ProxyRequests Off ProxyPreserveHost On RequestHeader unset "Authorization" <Location "/tickets/rest/"> Satisfy Any Order allow,deny Allow from all </Location> <Location /> AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/apache2/.htpasswd Require user myuser </Location> ProxyPass /tickets http://localhost:8081/tickets ProxyPassReverse /tickets http://localhost:8081/tickets </VirtualHost>

EDIT:

Jira uses its own REST-API for the gadgets, so I had to define a Location-Tag for /tickets/rest path.

  • removed proxy-tag
  • added Location-Tag for the jira-rest API

Got ideas to solve the problem from:

Improve this answer
2
  • This solution didn't really help. Now the login window pops up every time I call an other page in the application. Commented Nov 24, 2015 at 13:24
  • edited my solution. It's working now. Commented Apr 4, 2016 at 9:33
1

You need to replace Require user myuser by Require valid-user

and remove

 <Proxy *> Require all granted </Proxy>
Improve this answer
2
  • It didn't work. Same result. Commented Nov 23, 2015 at 16:15
  • The Apache configuration as i sent you is correct i am using it like that with a proxy, the trouble ssems to be in tomcat part, can you check logs there ? By the way to have more logs, you can set LogLevel debug rewrite:trace8 then you should find in it the line who said you are successfully loged in on Apache Commented Nov 23, 2015 at 16:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.