Bug#943946: apache2: HTTP Basic Auth not reflected when ProxyPassReverse is used.

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#943946: apache2: HTTP Basic Auth not reflected when ProxyPassReverse is used.
From: "laozhoubuluo@hotmail.com" <laozhoubuluo@hotmail.com>
Date: Fri, 1 Nov 2019 12:35:33 +0000
Message-id: <[🔎] PS2PR03MB3927A9185E0C70928366CE17C4620@PS2PR03MB3927.apcprd03.prod.outlook.com>
Reply-to: "laozhoubuluo@hotmail.com" <laozhoubuluo@hotmail.com>, 943946@bugs.debian.org

Package: apache2
Version: 2.4.38-3+deb10u3
Severity: normal

Dear Maintainer,

When I set up a site that needs to use the mod_auth_basic module for HTTP basic authentication. when users authenticated via HTTP Basic, reverse proxy to the page on backend server via mod_proxy.

I expected the server require HTTP Basic authentication to the user and return the backend server proxy only to the authenticated user.

Currently, when a reverse proxy is configured on the server, the apache does not require HTTP Basic authentication to the user, and directly returns the content of the backend server.

-- Package-specific info:

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u2
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  perl                     5.28.1-6
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/apache2.conf changed

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
#       Require all granted

        AuthUserFile /var/www/.htpasswd
        AuthName "Website Page Auth"
        AuthType Basic
        require valid-user
        order deny,allow

</Directory>

/etc/apache2/sites-available/proxy-site.conf changed

<VirtualHost *:80>

        ProxyPass / http://100.64.10.3/
        ProxyPassReverse / http://100.64.10.3/

</VirtualHost>

-- no debconf information

Reply to:

Next by Date: Bug#565626: Investment Proposal
Next by thread: Bug#565626: Investment Proposal
Index(es):
- Date
- Thread