I have a site that uses an Apache reverse proxy to combine an old IIS system with some new Rails functionality (same database). This works fine.
For staging I have created a beta site, the same as above, except that I use IP address and digest authorization to allow only developers access. This works fine for IP addresses.
However, when I use digest-authorization my reverse proxied /stylesheets folder (which points to an Amazon S3 bucket) is blocked with an error like the following:
InvalidArgument
Unsupported Authorization Type
Digest username="danv", realm="BETA-ACCESS", nonce="ZiudHuLlBAA=d9fa13adaa4f0bd37e3faa7b30ed6bd60a5570b2", uri="/stylesheets/default/screen.css", algorithm=MD5, response="7e1bc11912474647756537bb0bd3e488", qop=auth, nc=00000007, cnonce="ed4a08fc70364cb9"
Authorization
0E3F4E27386E0A00BTZfZ5Uv4PwuMzOCoIYhorPEuPOdNusLZjTDowqlZXImxZ0bLjt22B9Y5v7wc8+4
I have searched the web but cannot find anything about this behavior.
Here are the relevant parts of the virtual host file:
# IP and DIGEST ACCESS
<Proxy *>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Include "D:\wamp\admin-allow.inc"
    AuthType Digest
    # realm associated with digest passwd
    AuthName "BETA-ACCESS"
    AuthDigestDomain /
    AuthUserFile "D:/wamp/digest"
    Require valid-user
    Satisfy Any
</Proxy>
# Reverse proxy pointing to CNAME that points to:
# http://lib.decdynamics.com.s3.amazonaws.com/stylesheets
ProxyPass /stylesheets http://lib.decdynamics.com/stylesheets
ProxyPassReverse /stylesheets http://lib.decdynamics.com/stylesheets
Here is a URL showing direct access to a stylesheet:
http://lib.decdynamics.com/stylesheets/default/screen.css
Here is the same stylesheet accessed via digest authorization (of course login required):
http://beta.decdynamics.com/stylesheets/default/screen.css
What am I doing wrong?
Is it possible to exclude the /stylesheets folder from authorization?
My guess is that your proxy is sending the Authorization header to S3 and S3 responds with that error. This is because S3 uses the same Authorization header to authorize API requests and it does not support basic or digest authentication on its own.
Do a test towards a local backend and verify what request headers are being sent by the proxy. If the Authorization header is indeed present, rewrite the request on the proxy to remove it before it's sent to the S3 backend.
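The local-backend test suggested in this answer can be done with a small stand-in server. The following is an added example, not code from the original posts: it listens on loopback, records each request, and reports in the response body whether an Authorization header arrived, naming only the scheme so the credential is never echoed. Port 8105 and the names HeaderAudit, auth_scheme, start_backend and probe are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def auth_scheme(header_value):
    """Return only the scheme (e.g. 'Digest'), never the credential itself."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    return parts[0] if parts else "(empty)"

class HeaderAudit(BaseHTTPRequestHandler):
    """Stand-in backend that reports whether Authorization reached it."""
    seen = []  # one record per request received

    def do_GET(self):
        scheme = auth_scheme(self.headers.get("Authorization"))
        HeaderAudit.seen.append({"path": self.path, "scheme": scheme})
        if scheme is None:
            body = b"clean: no Authorization header reached the backend"
        else:
            body = f"forwarded: Authorization ({scheme})".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; results are in the response body

def start_backend(port=0):
    """Listen on loopback only; port 0 lets the OS pick a free port."""
    server = HTTPServer(("127.0.0.1", port), HeaderAudit)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, path, headers=None):
    """Send one GET straight to the backend and return the response body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    body = conn.getresponse().read().decode()
    conn.close()
    return body

if __name__ == "__main__":
    srv = start_backend(8105)  # assumed free port; point ProxyPass here
    print("listening on http://127.0.0.1:8105/ (Ctrl+C to stop)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

To use it, temporarily point ProxyPass /stylesheets at http://127.0.0.1:8105/stylesheets, log in to the beta site, and request a stylesheet through the proxy; the response body shows what the backend received.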
Thanks drco for the inspiration.
I decided to create a working example based on my real website (domain names and IP addresses are not real).
Note I had to use Location elements to isolate the /stylesheets, /images and /javascript folders. In future I will use a single /assets folder to DRY this up a bit.
I have a WAMP-based Apache server acting as a reverse proxy to blend Windows IIS server subfolders with a Linux-based RAILS server, with RAILS assets coming from Amazon S3. Now when I do development with this site it is protected using Digest Authorization, which also lets me give a small number of clients direct access to the beta.
#========================
# B E T A . E X A M P L E . C O M
#
<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName beta.example.com
    ServerAlias www.beta.example.com
    DocumentRoot "D:/wamp/www_proxy"
    ErrorLog "D:/wamp/logs/beta.example.com-error.log"
    CustomLog "D:/wamp/logs/beta.example.com-access.log" combined
    ProxyRequests Off
    <Proxy *>
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Include "D:\wamp\admin-allow.inc"
        AuthType Digest
        # realm associated with digest passwd
        AuthName "BETA-ACCESS"
        AuthDigestDomain /
        AuthUserFile "D:/wamp/digest"
        Require valid-user
        Satisfy Any
    </Proxy>
    # I I S
    ProxyPass /ddaps http://localhost:8104/ddaps
    ProxyPassReverse /ddaps http://localhost:8104/ddaps
    ProxyPass /admin http://localhost:8104/admin
    ProxyPassReverse /admin http://localhost:8104/admin
    ProxyPass /themes http://localhost:8104/themes
    ProxyPassReverse /themes http://localhost:8104/themes
    # RAIL ASSETS
    ProxyPass /stylesheets http://lib.example.com/stylesheets
    ProxyPassReverse /stylesheets http://lib.example.com/stylesheets
    <Location /stylesheets>
        RequestHeader unset Authorization
    </Location>
    ProxyPass /images http://lib.example.com/images
    ProxyPassReverse /images http://lib.example.com/images
    <Location /images>
        RequestHeader unset Authorization
    </Location>
    ProxyPass /javascripts http://lib.example.com/javascripts
    ProxyPassReverse /javascripts http://lib.example.com/javascripts
    <Location /javascripts>
        RequestHeader unset Authorization
    </Location>
    # R A I L S
    ProxyPass / http://xxx.xxx.xxx.xxx:8104/
    ProxyPassReverse / http://xxx.xxx.xxx.xxx:8104/
</VirtualHost>