Apache reverse proxy keeps demanding basic auth credentials

apache-2.2 authentication

I'm configuring Apache in front of Hawtio, a Karaf-hosted JVM management console. Although Hawtio is served by Jetty and protected by Karaf's JAAS implementation, we want Apache to add Basic Auth so that we can then additionally secure it, e.g. against brute-force attacks with Fail2Ban.

However, despite following advice such as this and this, Apache's basic auth keeps popping up rather than asking for the credentials once only. Hawtio's login page loads after two requests for credentials, but then, once you've put in the Hawtio login details, Apache keeps popping up its login page. I've even gone as far as entering the credentials twenty times, but it still asks for more!

Am I missing something obvious?

Here's my config:

<VirtualHost *:80>
  ServerAdmin admin@localhost
  ServerName hawtio.mydomain.com

  ErrorLog ${APACHE_LOG_DIR}/error.log
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined

  # suppress mod_security rule checking for Hawtio stuff
  # (the directive is only valid when mod_security is loaded, hence the guard)
  <IfModule security2_module>
    SecRuleRemoveById 950901 960010 970003 970014 981257 981318 981407 981205 981222 981240 981220
  </IfModule>

  <Location />
    # ProxyPass and ProxyPassReverse must agree on the trailing slash,
    # otherwise Location/Content-Location headers from Jetty are not rewritten
    ProxyPass http://application-server:8765/
    ProxyPassReverse http://application-server:8765/

    # Basic auth in front of the proxy; on plain :80 these credentials
    # cross the wire base64-encoded, not encrypted
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/users
    AuthGroupFile /dev/null
    Require valid-user

    # RequestHeader runs after authentication, so this strips the proxy's
    # own credentials before the request is forwarded to Jetty/Hawtio
    RequestHeader unset Authorization
  </Location>

</VirtualHost>

I've tried numerous variations including with the <Proxy> group rather than <Location /> but to no avail. As per this post, I added RequestHeader unset Authorization to see if it was Jetty that was complaining but neither the presence nor the absence of that directive makes a difference.

The site works perfectly if I remove the basic auth directives.

Thanks for any pointers.

Best Answer

You need to set a cookie or cache the credentials somehow. I've seen this when configuring Apache with one-time passcodes. mod_auth_radius supports AuthRadiusCookieValid. Not sure what you would use here.
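The "cache the credentials in a cookie" approach the answer suggests, written out as an added example in Python rather than Apache configuration. This is not the poster's setup or any Apache module's code: it models the gateway in front of the proxy as a function over request headers. The user store (a PBKDF2 hash standing in for /etc/users), the signing key, the cookie name, the TTL and the sample requests are all constructed for the example. The point it shows is that once the login outcome is cached in a signed, expiring cookie, the proxy's Basic credentials are consumed on the first request only, and an Authorization header sent on later requests is left alone for the backend instead of being re-checked against the proxy's user file.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# --- constructed sample data (not from the original post) --------------------
# Stand-in for AuthUserFile /etc/users: user -> PBKDF2-SHA256 hash of the password.
_SALT = b"example-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
# Assumed: a per-deployment secret that signs the session cookie. Generated fresh
# here; a real gateway would load it from protected configuration.
COOKIE_KEY = secrets.token_bytes(32)
COOKIE_NAME = "proxy_session"
COOKIE_TTL = 600  # seconds a cached login stays valid


def check_basic(auth_header: Optional[str]) -> Optional[str]:
    """Return the username if the header carries valid 'Basic base64(user:pass)'."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:].strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as no credentials
    user, sep, password = raw.partition(":")
    if not sep or user not in USERS:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return user if hmac.compare_digest(candidate, USERS[user]) else None


def issue_cookie(user: str, now: float) -> str:
    """Cache the login as 'user|expiry|HMAC' so later requests need no password."""
    body = f"{user}|{int(now) + COOKIE_TTL}"
    sig = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def verify_cookie(cookie: Optional[str], now: float) -> Optional[str]:
    """Return the username if the cookie is untampered and not yet expired."""
    if not cookie or cookie.count("|") != 2:
        return None
    user, exp, sig = cookie.split("|")
    expected = hmac.new(COOKIE_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return user if exp.isdigit() and int(exp) > now else None


def _take_cookie(cookie_header: Optional[str]) -> Tuple[Optional[str], str]:
    """Pull our cookie out of the Cookie header; return (value, header without it)."""
    ours, rest = None, []
    for item in (cookie_header or "").split(";"):
        name, _, value = item.strip().partition("=")
        if name == COOKIE_NAME:
            ours = value
        elif name:
            rest.append(item.strip())
    return ours, "; ".join(rest)


def gate(headers: Dict[str, str], now: float) -> Dict[str, object]:
    """Decide one request: 401, or 200 with the headers to forward upstream."""
    keys = {k.lower(): k for k in headers}  # case-insensitive lookup of header names
    cookie_key = keys.get("cookie")
    ours, other_cookies = _take_cookie(headers.get(cookie_key) if cookie_key else None)
    forward = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    if other_cookies:
        forward["Cookie"] = other_cookies  # pass the backend's own cookies through
    user = verify_cookie(ours, now)
    if user:
        # Cached login: any Authorization header now belongs to the backend, forward it as-is.
        return {"status": 200, "user": user, "set_cookie": None, "forward": forward}
    auth_key = keys.get("authorization")
    user = check_basic(headers.get(auth_key)) if auth_key else None
    if user:
        forward.pop(auth_key)  # consume the proxy's credentials; never leak them downstream
        # Secure attribute omitted only because the example models plain HTTP; set it under TLS.
        set_cookie = f"{COOKIE_NAME}={issue_cookie(user, now)}; HttpOnly; Path=/"
        return {"status": 200, "user": user, "set_cookie": set_cookie, "forward": forward}
    return {"status": 401, "user": None, "set_cookie": None, "forward": None,
            "www_authenticate": 'Basic realm="Restricted area"'}


def simulate_flow(now: float = 1_700_000_000.0) -> List[object]:
    """Constructed exchange: no creds, proxy creds, cookie only, cookie plus backend creds."""
    out: List[object] = []
    out.append(gate({"Host": "hawtio.example"}, now)["status"])
    proxy_cred = base64.b64encode(b"alice:correct horse").decode()
    r = gate({"Host": "hawtio.example", "Authorization": f"Basic {proxy_cred}"}, now)
    out.append(r["status"])
    cookie = str(r["set_cookie"]).split(";")[0]
    out.append(gate({"Host": "hawtio.example", "Cookie": cookie}, now + 1)["status"])
    backend_cred = base64.b64encode(b"karaf:karaf").decode()  # the application's own login
    r = gate({"Host": "hawtio.example", "Cookie": cookie,
              "Authorization": f"Basic {backend_cred}"}, now + 2)
    out.append(r["status"])
    out.append(r["forward"].get("Authorization") == f"Basic {backend_cred}")
    return out


if __name__ == "__main__":
    print(simulate_flow())  # expected [401, 200, 200, 200, True]
```

The fourth request is the one that matters for the question: with a plain per-request Basic check, an Authorization header carrying the backend's credentials fails against the proxy's user file and produces another 401. With the login cached in the cookie, the gate never re-checks that header and forwards it untouched. Expiry and the HMAC check on the cookie are what keep the cache from becoming a permanent bypass.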