Apache – Remove basic authentication header with apache mod proxy

apachebasic-authenticationmod-proxy

I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.

Best Answer

Make sure mod_headers is enabled. An example config:

<VirtualHost *:80>
        ServerName something.example.com
        ServerAdmin admin@example.com

        ProxyRequests Off
        ProxyPreserveHost Off
        AllowEncodedSlashes On
        KeepAlive Off

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        <Location />
                AuthType Basic
                AuthName "Authorized Users Only"
                AuthUserFile /etc/apache2/passwd
                Require valid-user
        </Location>

        RequestHeader unset Authorization
        ProxyPass / http://localhost:5984/ example
        ProxyPassReverse / http://localhost:5984/

        ErrorLog /var/log/apache2/something.example.com-error_log
        CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>

Related Solutions

HTTP Basic Authentication – what’s the expected web browser experience

To help everyone avoid confusion, I will reformulate the question in two parts.

First : "how can make an authenticated HTTP request with a browser, using BASIC auth?".

In the browser you can do a http basic auth first by waiting the prompt to come, or by editing the URL if you follow this format: http://myusername:mypassword@somesite.com

NB: the curl command mentionned in the question is perfectly fine, if you have a command-line and curl installed. ;)

References:

Also according to the CURL manual page https://curl.haxx.se/docs/manual.html

HTTP

  Curl also supports user and password in HTTP URLs, thus you can pick a file
  like:

      curl http://name:passwd@machine.domain/full/path/to/file

  or specify user and password separately like in

      curl -u name:passwd http://machine.domain/full/path/to/file

  HTTP offers many different methods of authentication and curl supports
  several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
  method to use, curl defaults to Basic. You can also ask curl to pick the
  most secure ones out of the ones that the server accepts for the given URL,
  by using --anyauth.

  NOTE! According to the URL specification, HTTP URLs can not contain a user
  and password, so that style will not work when using curl via a proxy, even
  though curl allows it at other times. When using a proxy, you _must_ use
  the -u style for user and password.

The second and real question is "However, on somesite.com, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?"

The curl documentation says the -u option supports many method of authentication, Basic being the default.

Google-chrome – How to clear basic authentication details in chrome

It seems chrome will always show you the login prompt if you include a username in the url e.g.

http://me@example.com

This is not a real full solution, see Mike's comment below.

Best Answer

Related Solutions

HTTP Basic Authentication – what’s the expected web browser experience

Google-chrome – How to clear basic authentication details in chrome

Related Topic