问题
I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.
回答1:
Make sure mod_headers is enabled. An example config:
<VirtualHost *:80>
ServerName something.example.com
ServerAdmin admin@example.com
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes On
KeepAlive Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /etc/apache2/passwd
Require valid-user
</Location>
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/ example
ProxyPassReverse / http://localhost:5984/
ErrorLog /var/log/apache2/something.example.com-error_log
CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>
回答2:
I just had the same problem with Apache in front of another Java server trying to do basic auth, adding the following to my Apache config seemed to fix it:
RequestHeader unset Authorization
来源:https://stackoverflow.com/questions/4428903/remove-basic-authentication-header-with-apache-mod-proxy