问题
In my Apache 2 config I have a VirtualHost which looks something like this:
<VirtualHost *:80>
ServerName sub.domain.com
# username:password sent on to endpoint
RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="
ProxyPass /xyz http://192.168.1.253:8080/endpoint
ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint
<Location /xyz>
# This needs to let users through under the following circumstances
# * They are in 192.168.1.0/24
# * They have a valid user in a htpasswd file
# So what goes here?
</Location>
</VirtualHost>
I am using the virtual host as reverse proxy to another server (which I will call the endpoint) on the network.
I am trying to figure out a configuration that would allow users inside the network browsing to sub.domain.com to automatically be served the endpoint. However, users outside the network should be prompted for credentials
The endpoint requires a password which I have hidden by using RequestHeader (which I want). The password external users should be prompted by is DIFFERENT and will need to be BasicAuth, getting it's user list from a htpasswd file.
回答1:
<Location /xyz>
# This needs to let users through under the following circumstances
# * They are in 192.168.1.0/24
# * They have a valid user in a htpasswd file
Right out of http://httpd.apache.org/docs/2.2/mod/core.html#satisfy:
Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy any
Of course, you also need to include your AuthUserFile or whatever directives
AuthType basic
AuthName "yadayadayada"
AuthUserFile /foo/bar/blah/.htpasswd
</Location>
回答2:
You could create two vhosts, one that listens on the external interface and one the local. The auth settings would be in the former.
回答3:
I think that David has covered Apache2 configuration pretty well, but it's also common to use split DNS to provide different services to your internal and external users. There's really no reason for your internal users to make a request from your proxy, since they (ostensibly) have direct access to the "endpoint".
There are cases where you can actually incur routing delays and congestion if your internal users are connecting to one of your public IP addresses. Originally, I was a fan of having separate hardware for the two DNS servers, but have recently switched to using bind "views" to provide different zones to my two users classes.
来源:https://stackoverflow.com/questions/580032/apache2-authorize-users-against-a-location-using-basicauth-but-only-for-users