
I have a website where all pages go through AWS Cloudfront (right now with a TTL of 0).

The site domain is www.example.com, which is a CNAME to the cloudfront distribution. Cloudfront then requests the site from my web server with origin.www.example.com, adding a custom header for Authentication.

However, now I also need to add Basic Auth to the site until it is launched. I've tried this by using LA-U:REMOTE_USER in a RewriteCond.

This configuration works, but has no Auth:

    <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias www.example.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/www.example.com/trunk
        <IfModule mpm_itk_module>
            AssignUserId www_site www_site
        </IfModule>
        <LocationMatch "^(.*\.php)$">
            ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
        </LocationMatch>
        Alias "/robots.txt" "/var/www/norobots.txt"
        <Directory /var/www/www.example.com>
            RewriteEngine on
            RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
            RewriteRule .* - [F]
        </Directory>
        CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
        ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
    </VirtualHost>

    curl http://cxcglobal.demonow.website/

returns the site HTML. Also

    curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/"

returns the site source code.

However when I amend the configuration to

    <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias origin.www.example.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/www.example.com/trunk
        <IfModule mpm_itk_module>
            AssignUserId www_site www_site
        </IfModule>
        <LocationMatch "^(.*\.php)$">
            ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
        </LocationMatch>
        Alias "/robots.txt" "/var/www/norobots.txt"
        <Directory /var/www/www.example.com>
            RewriteEngine on
            RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
            RewriteRule .* - [F]
            RewriteCond %{LA-U:REMOTE_USER} !^$
            RewriteRule ^/(.*) http://origin.www.example.com/$1 [P,L]
            AuthUserFile /etc/apache2/staging.passwd
            AuthType Basic
            AuthName "Review security udpates"
            Require valid-user
            LogLevel alert rewrite:trace3
        </Directory>
        CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
        ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
    </VirtualHost>

I get an error:

    curl http://www.example.com/
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>401 Unauthorized</title>
    </head><body>
    <h1>Unauthorized</h1>
    <p>This server could not verify that you are authorized to access the document
    requested. Either you supplied the wrong credentials (e.g., bad password), or your
    browser doesn't understand how to supply the credentials required.</p>
    <hr>
    <address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address>
    </body></html>

for both curl requests. I have no errors in the site-specific error log, nor in the global Apache error log. I also cannot find any entries in the rewrite log.

1 Answer

A better way may be to use Lambda to handle the authentication directly at CloudFront...

I haven't tried it myself, but I found this resource...

http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/

It appears to be relatively straightforward. Lambda@Edge lets you run code to inspect and modify incoming requests.

  • Yes, I've used that method. I'm just trying to keep it compact, but this is my backstop method. Commented Aug 1, 2018 at 17:27
