Ah, that works! Great suggestion. I've never encountered this behavior
before because previous iterations had the backends for each ProxyPass
directive pointing to the same (Docker) host.

Thank you so much!

On Fri, Jun 14, 2024 at 12:25 PM Daniel Gruno <humbed...@apache.org> wrote:

> On 6/14/24 12:41, M Foster wrote:
> > Hello,
> >
> > I'm struggling a bit with an issue when using Apache as a reverse proxy
> > when needing to use differing Authentication. I've searched for a couple
> > of days now, but nothing matching what I'm seeing has come up.
> >
> > The scenario is that I am using Apache as a reverse proxy, but sending a
> > sub-path to different backend like so (extremely simplified):
> >
> > <Location "/foo/bar">
> >    ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> > </Location>
> > <Location "/foo">
> >    ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> > </Location>
>
> One is overriding the other, so you get an arbitrary result. You can
> exclude /foo/bar from your second pass by using something like
> LocationMatch instead:
>
> <Location /foo/bar>
>    .. things here for /foo/bar
> </Location>
> <LocationMatch "^(/foo/(?!bar).*)$">
>      .. things here for /foo/baz but not /foo/bar
>      ProxyPass "http://host1.example.com/$1";
> </LocationMatch>
>
> Do note that if the Auth realm is the same, you can get the wrong
> credentials showing up if they differ. These should be unique if the
> credentials are.
>
> >
> > This works without issue. However, as soon as I try to put
> > authentication on the second location (or more accurately different
> > authentication directives), any request to "/foo/bar" triggers auth:
> >
> > Example:
> > <Location "/foo/bar">
> >    ProxyPass http://host2:8080/foo/bar <http://host2:8080/foo/bar>
> > </Location>
> > <Location "/foo">
> >    AuthType basic
> >    AuthName "Restricted"
> >    AuthUserFile /usr/local/apache2/.htpasswd
> >    Require valid-user
> >    ProxyPass http://host1.example.com/foo <http://host1.example.com/foo>
> > </Location>
> >
> > In the logs, set to trace8, I see that now apache is matching the
> > REQUEST_URI to the wrong proxy handler:
> >
> > "attempting to match URI path '/foo/bar' against prefix '/foo' for
> proxying
> > "URI path /foo/bar' matches proxy handler 'proxy:http://
> > host1.example.com/foo/bar <http://host1.example.com/foo/bar>'"
> > "authorization result of Require valid-user : denied (no authenticated
> > user)"
> >
> > Without any auth, the logs correctly show the request to `/foo/bar`
> > being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> > bar <http://host2:8080/foo/bar>'.
> >
> > If anyone has any ideas on why adding auth completely blows up the proxy
> > routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> > servers, just to handle each case.
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Reply via email to