I have a website where all pages go through AWS Cloudfront (right now with a TTL of 0).
The site domain is www.example.com, which is a CNAME to the cloudfront distribution. Cloudfront then requests the site from my web server with origin.www.example.com, adding a custom header for Authentication.
However, now I also need to add Basic Auth to the site until it is launched. I've tried this by using LA-U:REMOTE_USER in a RewriteCond.
This configuration works, but has no Auth:
```apache
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias www.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/www.example.com/trunk
    <IfModule mpm_itk_module>
        AssignUserId www_site www_site
    </IfModule>
    <LocationMatch "^(.*\.php)$">
        ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
    </LocationMatch>
    Alias "/robots.txt" "/var/www/norobots.txt"
    <Directory /var/www/www.example.com>
        RewriteEngine on
        RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
        RewriteRule .* - [F]
    </Directory>
    CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
    ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
</VirtualHost>
```
```
curl http://cxcglobal.demonow.website/
```
returns the site HTML. Also
```
curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/"
```
returns the site source code.
However, when I amend the configuration to
```apache
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias origin.www.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/www.example.com/trunk
    <IfModule mpm_itk_module>
        AssignUserId www_site www_site
    </IfModule>
    <LocationMatch "^(.*\.php)$">
        ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
    </LocationMatch>
    Alias "/robots.txt" "/var/www/norobots.txt"
    <Directory /var/www/www.example.com>
        RewriteEngine on
        RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
        RewriteRule .* - [F]
        RewriteCond %{LA-U:REMOTE_USER} !^$
        RewriteRule ^/(.*) http://origin.www.example.com/$1 [P,L]
        AuthUserFile /etc/apache2/staging.passwd
        AuthType Basic
        AuthName "Review security updates"
        Require valid-user
        LogLevel alert rewrite:trace3
    </Directory>
    CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
    ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
</VirtualHost>
```
I get an error:
```
curl http://www.example.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address>
</body></html>
```
for both curl requests. I have no errors in the site-specific error log, nor in the global Apache error log. I also cannot find any entries for the rewrite log.
A better way may be to use Lambda to handle the authentication directly at CloudFront...
I haven't tried it myself, but I found this resource...
http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/
It appears to be relatively straightforward. Lambda@Edge lets you run code to inspect and modify incoming requests.