Bug#943946: apache2: HTTP Basic Auth not reflected when ProxyPassReverse is used.
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: normal
Dear Maintainer,
When I set up a site that needs to use the mod_auth_basic module for HTTP basic authentication. when users authenticated via HTTP Basic, reverse proxy to the page on backend server via mod_proxy.
I expected the server require HTTP Basic authentication to the user and return the backend server proxy only to the authenticated user.
Currently, when a reverse proxy is configured on the server, the apache does not require HTTP Basic authentication to the user, and directly returns the content of the backend server.
-- Package-specific info:
-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.38-3+deb10u3
ii apache2-data 2.4.38-3+deb10u3
ii apache2-utils 2.4.38-3+deb10u3
ii dpkg 1.19.7
ii lsb-base 10.2019051400
ii mime-support 3.62
ii perl 5.28.1-6
ii procps 2:3.3.15-2
Versions of packages apache2 recommends:
ii ssl-cert 1.0.39
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.6.5-1+b1
ii libaprutil1 1.6.1-4
ii libaprutil1-dbd-sqlite3 1.6.1-4
ii libaprutil1-ldap 1.6.1-4
ii libbrotli1 1.0.7-2
ii libc6 2.28-10
ii libcurl4 7.64.0-4
ii libjansson4 2.12-1
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u1
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.36.0-2+deb10u1
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1d-0+deb10u2
ii libxml2 2.9.4+dfsg1-7+b3
ii perl 5.28.1-6
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.38-3+deb10u3
ii apache2-bin 2.4.38-3+deb10u3
-- Configuration Files:
/etc/apache2/apache2.conf changed
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
# Require all granted
AuthUserFile /var/www/.htpasswd
AuthName "Website Page Auth"
AuthType Basic
require valid-user
order deny,allow
</Directory>
/etc/apache2/sites-available/proxy-site.conf changed
<VirtualHost *:80>
ProxyPass / http://100.64.10.3/
ProxyPassReverse / http://100.64.10.3/
</VirtualHost>
-- no debconf information
Reply to: