Tuesday, April 10, 2012

Apache - proxiing to simple proxy to allow viewing of authenticated data

In Apache, we can enable the proxy module to allow our web server to send a request to another location, and we serve the result.  To do this quickly, simply enable the proxy modules you need :
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Once enabled, you can then create the proxy section. Please note that the following configuration is for an example - do NOT use it without hardening who has access to your proxy!  The config :
<Proxy *>
Order deny,allow
Allow from all
ProxyPass / http://www.google.com/
Again, note that this will create an open proxy, and that is bad if you don't control who can access what, because you will be the one left holding the bag if they request illegal material. You have been warned!

This works great for most things, but let's presume for a minue that you wanted to serve a page from an HTTPS connection, no matter how it's requested from our web server. We need to enable SSLProxyEngine. If we are using self-signed certificates from that location, you might have to also add "SSLProxyCheckPeerCN off", e.g. :
SSLProxyEngine On
SSLProxyCheckPeerCN off
Let's toss in two more criteria. First, let's presume that you want one subsection of your site to be served from the local filesystem.  We can disable the proxy for a location by adding another proxy pass :
ProxyPass /local/ !
Now, for the second part, let's presume we have a chunk of the proxy that requires authentication.  In this case, we don't want to present the real user with the password pop-up, so, how do we do this?  Web browsers utilize a basic authentication using a series of headers, WWW-Authenticate, and Authorization.  The WWW-Authenticate is a response header that triggers the browser to authenticate the request.  The browser pops up the username/password dialog box, and then uses that information to generate an Authorization header.

Since we really don't need to worry about the WWW-Authenticate header, we can simple inject a permanent Authorization header into the system.  It's done with the RequestHeader directive, similar to :
<Location /svn/trunk/>
RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
Now, here is a problem. How do we know what to put with the Authorization header?  Looking at the value that follows Basic, it looks like a MIME Base64 encoding.  Feeding it through a simple perl command, we can decode it and find out that it is indeed a Base64 encoding in the format of "username:pass".  We can figure out what we need by installing the MIME::Base64 perl module and running :
[username@hostname ~]$ perl -MMIME::Base64 -e "print encode_base64('username:password');"
[username@hostname ~]$
This will inject an authorization header into the proxied request.  Hopefully, this little cheat sheet will be of assistance to someone.

1 comment:

  1. I have to a simple method to the any blocked torrent site. Now i m going share this great link here just single click on this link
    Instagram uk proxy