Reverse proxy

Rouilj
6 June 2015, 21:55
Hello:

As a long time apache user, I have been very happy to try hiawatha and so far it is handling the needs of my personal web server.

I am using: Hiawatha v9.13, cache, IPv6, reverse proxy, TLS (1.3.10), Tomahawk, URL toolkit, XSLT

I have some web servers (fossil, roundup ...) behind a reverse proxy. To protect these servers from attack, I would like to password protect the URLs at the hiawatha level.

I noticed that there was a forum post stating that reverse proxy was getting some changes that would permit more configuration options. Might one of these options be password protection on a per reverse url basis?

My current config is:

VirtualHost {
    [...]
    # configure for fossil
    # the toolkit rewrites /fossil to /fossil/ and redirects the client
    UseToolkit = fossil
    ReverseProxy /fossil/ 1 http://127.0.0.1:8082/ 60

    # configure for roundup
    ReverseProxy /demo 1 http://127.0.0.1:8917/demo 300
    [...]
}

My virtual host will serve both public (non-password protected) files as well as these reverse proxied servers along with owncloud, foswiki etc. services. Hence I can't assign a password at the virtual server level.

I am going to experiment with setting up password protection on the cgi based services (foswiki/owncloud...) tonight. I expect that the PasswordFile option in their Directory configurations should do exactly what I want.

In reading the documentation for the reverse proxy I wonder if this would work to password protect the reverse proxied URLs. In the documentation of ReverseProxy it says:

    ReverseProxy [!]<pattern> [<skip directories>] http[s]://<hostname>[:<port>][/<path>] [<timeout>] [keep-alive]

... When <hostname> is an IP address, the value of the Host HTTP header is unchanged. Otherwise, it is replaced with the value of <hostname>.

Would setting something up like:

    ReverseProxy /fossil/ 1 http://fossil_host/ 60

VirtualHost {
    Hostname = fossil_host
    PasswordFile = ....
    ReverseProxy .* 1 http://127.0.0.1:8082/ 60
}

along with a /etc/hosts entry of:

127.0.0.1 localhost fossil_host

do what I want. I.e. does the change to the Host HTTP header done by the reverse proxy allow me to recursively connect to the same hiawatha server and activate a new VirtualHost stanza?

If so, are there any downsides to doing this (other than a performance hit)? Will the hiawatha server go up in a big ball of flame or otherwise self destruct?

Thanks for your help/thoughts.
Hugo Leisink
6 June 2015, 22:42
HTTP authentication settings are handled before forwarding a request to a reverse proxy. Directory settings however are not, because Hiawatha has no knowledge about any directory at a final webserver. So, when it comes to HTTP authentication while in reverse proxy mode it's all or nothing.

About the big ball of flame: Yes, there have been several reports about Hiawatha causing a meltdown. Unfortunately, I don't know what caused it, because in all cases entire data centers have been burned to the ground, so there was nothing left to debug. Use at your own risk.
rouilj
7 June 2015, 02:04
Sigh, this was seen as spam so I have changed some formatting to try to get around that.

Hugo said:

] HTTP authentication settings are handled before forwarding a request
] to a reverse proxy. ...

Ok, so I can't mix authenticated reverse proxy and unauthenticated resources in a single VirtualHost. Also there is no way to set a different username/password config for each reverse proxied server in a VirtualHost.

Do you know if my redirection hack and Host Header change method would work?

Also using Directory/PasswordFile I set up passwords for the non proxied services: owncloud and foswiki.

Directory {
    Path = /var/www/owncloud
    ExecuteCGI = yes
    FollowSymlinks = yes
    SetEnv HOME = /var/www/owncloud
    SetEnv HTTP_HOME = /var/www/owncloud
    PasswordFile = Basic:/usr/local/etc/hiawatha/passwd/owncloud
}

I set up the same config for foswiki and it worked as expected.

However I wanted to use a different password file (and different username/password) for Foswiki. So I have one username/password configuration for uland:/foswiki and another one for uland:/owncloud.

AFAIK the browser stores a:

hostname, realm

with each directory path on a server that requests an authentication to see if it can respond to an auth request. So I assume I need two different realms, one for foswiki and one for owncloud, so the proper username/password would be provided. IIUC the Realm is defined by the LoginMessage option.

I tried:

Directory {
    Path = /var/www/owncloud
    ExecuteCGI = yes
    FollowSymlinks = yes
    SetEnv HOME = /var/www/owncloud
    SetEnv HTTP_HOME = /var/www/owncloud
    PasswordFile = Basic:/usr/local/etc/hiawatha/passwd/owncloud
    LoginMessage = Owncloud
}

Testing with wigwam showed:

$ sudo -u www-data wigwam -c /usr/local/etc/hiawatha/
Using /usr/local/etc/hiawatha/
Reading hiawatha.conf
No non-fatal errors found in the Hiawatha configuration.

But when restarting I see:

$ sudo kill `cat /usr/local/var/run/hiawatha.pid `; sleep 5; \
sudo /usr/local/sbin/hiawatha -c /usr/local/etc/hiawatha
Syntax error in hiawatha.conf on line 217.

Line 217 is the LoginMessage parameter and hiawatha did not start.

So looks like there are two issues here:

1) how do I specify the LoginMessage
2) wigwam is not reporting an error

It seems some browsers (e.g. Firefox) will do the right thing even if the realm is the same, since I did manage to get different basic auth passwords to work for /owncloud and /foswiki. Not quite sure how that works, but I would still like to have different realms.

On a totally different topic, is there an rss feed for the forums?

-- rouilj
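The "not quite sure how that works" above has a concrete answer in RFC 7617: a Basic protection space is the realm together with the directory of the URI that issued the challenge, so a browser keeps separate credentials for /owncloud/ and /foswiki/ even when both Directory blocks send the same realm. The simulation below is an added example, not code from the thread or from Hiawatha; the origin, paths and credential strings are constructed samples.

```python
"""Simulate how a browser picks stored Basic-auth credentials.

Per RFC 7617 section 2.2 the protection space is (origin, realm, directory
of the challenged URI); stored credentials are reused for any path at or
below that directory. Origin, paths and credentials here are constructed.
"""
from typing import Optional


class BasicAuthCache:
    """Credential store keyed by (origin, realm, directory prefix)."""

    def __init__(self) -> None:
        self._entries: list[tuple[str, str, str, str]] = []

    @staticmethod
    def _directory(path: str) -> str:
        # The protection space covers the directory of the challenged URI:
        # everything up to and including the last '/'.
        return path[: path.rfind("/") + 1] or "/"

    def remember(self, origin: str, realm: str, path: str, creds: str) -> None:
        """Record credentials the user supplied for a 401 challenge at path."""
        self._entries.append((origin, realm, self._directory(path), creds))

    def lookup(self, origin: str, realm: str, path: str) -> Optional[str]:
        """Return the credentials to send for a challenge at path, or None."""
        best = None
        for o, r, prefix, creds in self._entries:
            if o == origin and r == realm and path.startswith(prefix):
                # Deepest matching directory wins, as it is the most specific.
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, creds)
        return best[1] if best else None


def demo() -> dict:
    """Two Directory blocks with the same realm still get distinct logins."""
    cache = BasicAuthCache()
    cache.remember("http://uland", "Owncloud", "/owncloud/index.php", "oc-user:oc-pass")
    cache.remember("http://uland", "Owncloud", "/foswiki/bin/view", "fw-user:fw-pass")
    return {
        "owncloud": cache.lookup("http://uland", "Owncloud", "/owncloud/status.php"),
        "foswiki": cache.lookup("http://uland", "Owncloud", "/foswiki/bin/edit"),
        "public": cache.lookup("http://uland", "Owncloud", "/public/index.html"),
    }


if __name__ == "__main__":
    print(demo())
```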
rouilj
7 June 2015, 04:16
Hi all:

Just for the record, this failed for http://uland/fossil when trying to proxy to a new virtual host:

VirtualHost {
    Hostname = uland
    [...]
    # configure for fossil
    UseToolkit = fossil
    ReverseProxy ^/fossil/ 1 http://fossil_host/ 60
}

VirtualHost {
    Hostname = fossil_host
    WebSiteRoot = /var/www/html
    AccessLogfile = /usr/local/var/log/hiawatha/access.log,monthly
    ErrorLogfile = /usr/local/var/log/hiawatha/error.log,monthly

    # configure for fossil
    ReverseProxy .* 0 http://127.0.0.1:8082/ 60
}

with return code 508, "loop detected"

==> access.log <==
127.0.0.1|Sat 06 Jun 2015 22:10:46 -0400|508|857||GET / HTTP/1.1|Connection: close|Host: fossil_host|X-Hiawatha-RProxy-ID: ed1749cf83|User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0|Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language: en-US,en;q=0.5|Accept-Encoding: gzip, deflate|DNT: 1|Cache-Control: max-age=0|Forwarded: for="a.b.c.d"|X-Forwarded-For: a.b.c.d|X-Forwarded-Proto: http|X-Forwarded-Host: uland|X-Forwarded-Port: 80

a.b.c.d|Sat 06 Jun 2015 22:10:46 -0400|508|1703||GET /fossil/ HTTP/1.1|Host: uland|User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0|Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language: en-US,en;q=0.5|Accept-Encoding: gzip, deflate|DNT: 1|Connection: keep-alive|Cache-Control: max-age=0

bummer.

-- rouilj
Hugo Leisink
7 June 2015, 09:20
The 'loop detected' is when you configure a proxy to forward a request to itself. I'm sure that is not what you want.
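The two access-log lines in the previous post show what the loop looks like from the outside: the second hop arrives at the same Hiawatha carrying an X-Hiawatha-RProxy-ID header that the first hop added, and both hops log 508. The parser below is an added example, not Hiawatha's own code; the field layout is read off the sample lines (client|timestamp|status|size|empty field|request line|one header per remaining field) and the loop rule is an assumption: a request that already carries the proxy's X-Hiawatha-RProxy-ID header has been through this server once before. The sample lines are constructed from the thread's excerpt, trimmed to the headers that matter.

```python
"""Flag reverse-proxy loops in Hiawatha's pipe-delimited access log.

Added example; field positions are taken from the thread's log excerpt and
the loop rule (request carries X-Hiawatha-RProxy-ID) is an assumption about
how the 508 arises, not Hiawatha's documented algorithm.
"""
from dataclasses import dataclass, field

# Constructed from the thread's excerpt; client address anonymised there as a.b.c.d.
SAMPLE_LOG = [
    "127.0.0.1|Sat 06 Jun 2015 22:10:46 -0400|508|857||GET / HTTP/1.1"
    "|Connection: close|Host: fossil_host|X-Hiawatha-RProxy-ID: ed1749cf83"
    "|X-Forwarded-For: a.b.c.d|X-Forwarded-Host: uland",
    "a.b.c.d|Sat 06 Jun 2015 22:10:46 -0400|508|1703||GET /fossil/ HTTP/1.1"
    "|Host: uland|Connection: keep-alive",
]


@dataclass
class AccessEntry:
    client: str
    timestamp: str
    status: int
    size: int
    request: str
    headers: dict = field(default_factory=dict)


def parse_access_line(line: str) -> AccessEntry:
    """Split one log line into fixed fields plus a lower-cased header map."""
    fields = line.split("|")
    headers = {}
    for raw in fields[6:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return AccessEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                       fields[5], headers)


def is_proxy_loop(entry: AccessEntry) -> bool:
    """True when the request re-entered this server through its own proxy."""
    return "x-hiawatha-rproxy-id" in entry.headers


def loop_report(lines) -> dict:
    """Map each Host header to (status, looped) so the hop chain is visible."""
    return {e.headers.get("host"): (e.status, is_proxy_loop(e))
            for e in map(parse_access_line, lines)}


if __name__ == "__main__":
    print(loop_report(SAMPLE_LOG))
```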
rouilj
7 June 2015, 15:32
> The 'loop detected' is when you configure a proxy to forward a request to itself.

Hmm, does that mean there is a bug in the routing, so I was hitting the uland virtual host twice rather than having the uland virtual host proxy to the fossil_host virtual host?

The logs clearly show that the host headers were different.

> I'm sure that is not what you want.

Well it is what I want since the first reverse proxy does go back to hiawatha, but it's just supposed to go to a different virtual host (fossil_host) than the original request (which went to uland).

-- rouilj
Hugo Leisink
8 June 2015, 10:36
Don't use the reverse proxy for that. You can simply add the fossil_host as an alias. In that case, both hostnames end up at the same website.
Hostname = uland, fossil_host


If, for some reason, you don't want uland to be in the client's URL bar, use a UrlToolkit to redirect to fossil_host.

UrlToolkit {
    Header Host fossil_host Return
    Match /(.*) Redirect http://fossil_host/$1
}

Please note that I haven't tested this rule.
rouilj
9 June 2015, 01:48
You need to reread my original posting.

My goal is to have hiawatha password protect the ReverseProxy URLs. You told me the only way to do that is to set a password at the virtual host level.

Since I have a mix of password protected (reverse proxy and other) services and non-password protected at the uland virtual host level, I was trying to password protect the reverse proxy services by proxying the uland service to a new virtual host (fossil_host). Then the VirtualHost stanza for fossil_host would have the PasswordFile setting and provide the password protection for the ReverseProxy located in the fossil_host virtualhost.
Hugo Leisink
9 June 2015, 22:40
In reverse proxy mode, Hiawatha only supports HTTP authentication for an entire virtual host, not on a per file or per directory basis.
rouilj
10 June 2015, 00:54
Yup, that's what I was trying to work around hence the reverse proxy to a different virtual host.
Now I have to decide if not protecting the reverse proxied web sites is better than going back to apache.

Thanks for trying to help.

-- rouilj
This topic has been closed.