Using Mod_rewrite and Authentication on ALL incoming URLs

I have a need to make sure that my URL, call it www.domain.com, is always protected at least via Basic HTTP authentication. Also, I want to use mod_rewrite to send my users to one of two OC4j instances running on my server. I also want to protect my OC4j admin panel (and other admin-type functions) with this same authentication. I'll have 2 users, call them admin (admin will have access to both the OC4j instances and the OC4j admin panel) and guest (guest will only be able to reach the OC4j instances).

So, let's say I have two OC4j instances-- instance_a and instance_b. instance_a will run on port 8888 and instance_b will run on port 8889. When a user types www.domain.com/instance_a I want to first make sure they are authenticated to the server, then I want to use mod_rewrite to proxy the request to www.domain.com:8888/instance_a. This will follow suit for instance_b. Again, ANY user, admin or guest, can get to these instances. If the user tries to go to the OC4j admin panel directly for either instance, I want to kick them out if they are not an admin user.

I have a VirtualHost entry that looks something like this:

<VirtualHost *:80>
        ServerName www.domain.com
        CustomLog "/var/log/httpd/ic/access_log" "combined"
        ErrorLog "/var/log/httpd/ic/error_log"
        RewriteEngine on
        RewriteLogLevel 9
        RewriteLog "/var/log/httpd/rewrite_log"
        RewriteCond %{REMOTE_USER} !^guest$ [OR]
        RewriteCond %{REMOTE_USER} !^admin$
        RewriteCond %{REQUEST_URI} ^/instance_a.*$
        RewriteRule ^.*$ - [F,L]
        <LocationMatch "^/.*$">
                AuthType Basic
                AuthName "Please Login"
                AuthBasicProvider file
                AuthUserFile /usr/local/apache/passwd/passwords
                Require valid-user
        </LocationMatch>
</VirtualHost>

For some reason this isn't working (not that I am surprised). It seems like when I use both the Authentication and the mod_rewrite stuff they don't work together.

Thanks in advance.


Solution 1:

I believe the problem with the configuration as posted is the first two RewriteCond lines:

    RewriteCond %{REMOTE_USER} !^guest$ [OR]
    RewriteCond %{REMOTE_USER} !^admin$

If REMOTE_USER is 'admin', the first test succeeds, causing a Forbidden response. The case for 'guest' is similar. You could try combining the two tests:

    RewriteCond %{REMOTE_USER} !^(guest|admin)$

If REMOTE_USER is guest or admin, ^(guest|admin)$ will match, causing the whole RewriteCond to fail.
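A configuration that does what the question asks without testing %{REMOTE_USER} from VirtualHost context at all. In that context mod_rewrite runs in the URL-translation phase, before the authentication and authorization phases, so %{REMOTE_USER} is still empty there (mod_rewrite provides the %{LA-U:REMOTE_USER} look-ahead for that situation); the per-user restriction is instead expressed with mod_authz_user's Require directive in a narrower Location section, and mod_rewrite is kept only for the reverse-proxy routing. This is an added example, not the configuration of the original poster or the answerer. It assumes Apache 2.2 (the RewriteLog directives in the question imply 2.2), that mod_proxy and mod_proxy_http are loaded, that the OC4J listeners are reachable on 127.0.0.1, and that the admin panels live under /instance_a/admin and /instance_b/admin; that last path is a placeholder to adjust to the real OC4J admin URL.

```apache
# Added example, not taken from the question or the answer.
# Assumes Apache 2.2 with mod_rewrite, mod_proxy, mod_proxy_http,
# mod_auth_basic, mod_authn_file and mod_authz_user loaded.
<VirtualHost *:80>
    ServerName www.domain.com
    CustomLog "/var/log/httpd/ic/access_log" "combined"
    ErrorLog  "/var/log/httpd/ic/error_log"

    # 1. Authentication: every URL on this vhost needs a valid Basic-auth user.
    <Location />
        AuthType Basic
        AuthName "Please Login"
        AuthBasicProvider file
        AuthUserFile /usr/local/apache/passwd/passwords
        Require valid-user
    </Location>

    # 2. Authorization: admin-type URLs are restricted to the user "admin".
    #    Location sections are merged in configuration-file order, so this
    #    narrower section must come after "<Location />"; its Require line
    #    replaces the inherited "Require valid-user" for matching URLs, while
    #    AuthType/AuthName/AuthUserFile are still inherited.
    #    The path is an assumption; point it at the real OC4J admin panel.
    <LocationMatch "^/instance_[ab]/admin(/|$)">
        Require user admin
    </LocationMatch>

    # 3. Routing: reverse-proxy each instance to its OC4J listener.
    #    [P] hands the request to mod_proxy after URL translation; the
    #    Location sections above were matched against the original request
    #    URI, so authentication and authorization still run for every request.
    #    ProxyRequests Off keeps this a reverse proxy, never an open forward proxy.
    ProxyRequests Off
    RewriteEngine on
    RewriteLog "/var/log/httpd/rewrite_log"
    # Level 9 traces everything and is very slow; use it only while debugging.
    RewriteLogLevel 2
    RewriteRule ^/instance_a(/.*)?$ http://127.0.0.1:8888/instance_a$1 [P,L]
    RewriteRule ^/instance_b(/.*)?$ http://127.0.0.1:8889/instance_b$1 [P,L]
</VirtualHost>
```

Two things to check once this is in place. First, the protection only holds if ports 8888 and 8889 cannot be reached except through Apache: bind the OC4J listeners to 127.0.0.1 or firewall the ports, otherwise anyone can skip the proxy and the authentication with it. Second, Basic authentication sends the password base64-encoded, not encrypted, so on a plain port 80 VirtualHost the credentials are readable on the wire; put the same configuration behind TLS if the host is reachable from anywhere untrusted. A guest who requests an admin URL gets a 401 rather than the 403 the original RewriteRule [F] would have produced, which lets the browser prompt again for admin credentials.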