
There's a Java application running on my server that creates a page on a certain port on the server. Is there any way I can sit in the middle of that page being served by Java and the user to first request a password?

I realise I could do this through a frame on a page that I control through apache, but I want it to be more secure than that.

Thanks!

Gausie
  • Are you looking to do any kind of authorization controls as well, or just let anyone get to anything if they have a working password? And where do you want the user accounts to be stored/managed? – Shane Madden Dec 24 '12 at 06:59
  • A basic authentication tool is fine, once you've got the password you're in. With regards to where it would be stored, it depends on what method I would have to use - HTTP in .htpasswd for example. – Gausie Dec 24 '12 at 07:05
  • Is it possible to change the listening address/port of the java application? My thinking is to use a general purpose web server as the listener on that port, and have it proxy requests through to the java application after authentication has been done - does that sound reasonable? – Shane Madden Dec 24 '12 at 07:10
  • That sounds fine, but the problem still remains that if someone were to find the port that we're proxying, the authentication would be bypassed. – Gausie Dec 24 '12 at 16:04
  • @Gausie if your application's TCP socket was bound to localhost, and this the hole you have pointed out was limited to local users on the server, would that be good enough? – Celada Dec 24 '12 at 17:14
  • @Celada I think I could bind the application's port to localhost, but are you suggesting that I then proxy whatever authentication I choose to that localhost, it would do? How would I make that proxy? – Gausie Dec 24 '12 at 19:05
  • You'd set up the proxy as suggested by @ShaneMadden: a general purpose web server such as Apache that is set up to proxy all connections with something like `ProxyPass http://localhost:otherport/` but perform authentication before doing it. Your existing Java server wouldn't see the authentication at all. The downside to this entire approach is that from the point of view of your Java application, all connections are coming from `localhost`, which doesn't make for very useful logs. – Celada Dec 24 '12 at 19:27

1 Answer


An example configuration in Apache, since you mentioned it in your question, but any ol' web server software (nginx, lighttpd) should work - let me know if you would prefer one of the others.

Say you've switched the java application to listen on 127.0.0.1:8000.

# I'm making this a port 443 example because basic authentication
# is completely unencrypted - if the credentials are sensitive at all,
# you should be using SSL. Change the port and drop the SSL directives if needed.
#
# Needs a matching "Listen 443" and these modules loaded: ssl, proxy,
# proxy_http (mod_proxy alone cannot speak HTTP to the backend),
# auth_basic, authn_file and authz_user.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine On
    SSLCertificateFile /path/to/public.pem
    SSLCertificateKeyFile /path/to/private.key

    # Reverse proxy only; never let this vhost act as an open forward proxy.
    ProxyRequests Off

    <Location />
        AuthType Basic
        AuthName "Message Here"
        AuthBasicProvider file
        # Keep the password file outside of the web root. (Apache does not
        # accept a comment on the same line as a directive, hence its own line.)
        AuthUserFile /path/to/password/file
        Require valid-user

        ProxyPass http://127.0.0.1:8000/
        ProxyPassReverse http://127.0.0.1:8000/
    </Location>
</VirtualHost>

Create the password file with the htpasswd binary, and this should do the trick.

Shane Madden
  • Thanks for the answer. I've tried it without the SSL for the time being, although may do so later once I sit down and try to work out non-standard SSL ports. Here it is: ` ServerName mydomain AuthType Basic AuthName "Log in" AuthBasicProvider file AuthUserFile /home/user/proxypassword Require valid-user ProxyPass http://127.0.0.1:60080/ ProxyPassReverse http://127.0.0.1:60080/ ` Anyway, unfortunately I'm not getting anything from mydomain:1111 :-( – Gausie Dec 24 '12 at 22:12
  • @Gausie You'll also need a `Listen 1111` in your configuration for that - it should be warning during startup on that. If that's not it, anything else interesting in the error log? – Shane Madden Dec 24 '12 at 22:28
  • Thanks. I've now got a 500 error and `proxy: No protocol handler was valid for the URL /game.php. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.` in the logs. I've got proxy and proxy_html enabled, what's missing? Do I really need to load it manually using LoadModule as well? – Gausie Dec 24 '12 at 22:37
  • @Gausie You'll also need `proxy_http`. – Shane Madden Dec 24 '12 at 22:41
  • Hooray! You are a good person. – Gausie Dec 24 '12 at 22:51
  • Actually, one more question. The page I'm proxying to is a frameset and the pages being displayed are showing `The proxy server received an invalid response from an upstream server. The proxy server could not handle the request`. When I access some of the pages on their own, they work; just not through the frames. Thoughts? – Gausie Dec 24 '12 at 22:52
  • @Gausie That's interesting. Do these failures log anything in Apache's error log? – Shane Madden Dec 24 '12 at 22:59
  • `(20014)Internal error: proxy: error reading status line from remote server 127.0.0.1:60080, referer: http://mydomain:1111/game.php` – Gausie Dec 24 '12 at 23:41
  • @Gausie Hmm. How about the service that's being proxied to - any useful logs there? That kind of error would normally mean an empty response or reset connection.. if there's no telling error logs in the application service, then let's grab a packet capture using `tcpdump` from the loopback interface during one of those requests to see what's going on. – Shane Madden Dec 25 '12 at 00:58
  • The application seems to be "ignoring a request from [a] bogus referrer". – Gausie Dec 25 '12 at 01:24
  • So I need to fake the referrer. – Gausie Dec 25 '12 at 01:38
  • I give up - how do I do that? :P – Gausie Dec 25 '12 at 02:03
  • @Gausie Problematic. Try adding `ProxyPreserveHost On` - that might get it working correctly, by showing the backend what host header was sent to Apache. If not, we'll need to go with the nuclear option and blow up the header: `RequestHeader unset Referer` (yes, it's spelled wrong). – Shane Madden Dec 25 '12 at 02:05
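The architecture worked out in the answer and the comment thread, as an added stand-alone Python model that is not part of the original page (it is neither Apache nor the poster's Java application): the backend binds to 127.0.0.1 only, the proxy binds to every interface and enforces HTTP Basic auth before anything is forwarded, the `Host` header passes through unchanged (what `ProxyPreserveHost On` does, which is why the backend's referrer check stops complaining), and the real client address is added as `X-Forwarded-For` so the backend's logs are not all `localhost`. The user `alice`/`s3cret`, the realm, the fixed salt and the PBKDF2 store standing in for an `htpasswd` file are all constructed for the example.

```python
import base64
import hashlib
import hmac
import http.client
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REALM = "Message Here"            # the AuthName from the Apache config above
_SALT = b"constructed-demo-salt"  # constructed; a real store uses a random salt per user

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep both servers silent in the example
        pass

def hash_password(password, salt):
    # Stand-in for htpasswd's bcrypt/apr1 formats; plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store playing the AuthUserFile's role: user -> (salt, hash)
USERS = {"alice": (_SALT, hash_password("s3cret", _SALT))}

def check_basic(header):
    """Return the username if the Authorization header carries valid Basic credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    salt, expected = USERS.get(user, (_SALT, b""))  # unknown user still costs one hash
    ok = hmac.compare_digest(hash_password(pw, salt), expected)  # constant-time compare
    return user if ok else None

class Backend(Quiet):
    """Stand-in for the Java app: echoes the request headers it actually received."""
    def do_GET(self):
        body = "path={} host={} referer={} xff={}".format(
            self.path, self.headers.get("Host"), self.headers.get("Referer"),
            self.headers.get("X-Forwarded-For")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def make_proxy(backend_port):
    class Proxy(Quiet):
        def do_GET(self):
            if check_basic(self.headers.get("Authorization")) is None:
                self.send_response(401)  # rejected here; the backend never sees it
                self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # Forward all but the credentials and hop-by-hop headers. Host passes
            # through unchanged (as ProxyPreserveHost On does) and the real client
            # address goes in X-Forwarded-For, so the backend's logs stay useful.
            fwd = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("authorization", "connection")}
            fwd["X-Forwarded-For"] = self.client_address[0]
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            conn.request("GET", self.path, headers=fwd)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Proxy

def start_stack():
    """Backend bound to loopback only, proxy bound to every interface; returns (backend, proxy)."""
    backend = ThreadingHTTPServer(("127.0.0.1", 0), Backend)  # port 0: any free port
    proxy = ThreadingHTTPServer(("0.0.0.0", 0), make_proxy(backend.server_address[1]))
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return backend, proxy

def fetch(port, path, user=None, password=None):
    """GET through the proxy; returns (status, body, WWW-Authenticate header)."""
    req = urllib.request.Request("http://127.0.0.1:%d%s" % (port, path))
    req.add_header("Referer", "http://example.com/game.php")  # constructed referrer
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.read().decode(), r.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(), e.headers.get("WWW-Authenticate")

if __name__ == "__main__":
    backend, proxy = start_stack()
    print(fetch(proxy.server_address[1], "/game.php"))                     # 401 + challenge
    print(fetch(proxy.server_address[1], "/game.php", "alice", "s3cret"))  # 200 + echo
```

The point the thread circles around is visible in `start_stack`: because the backend is bound to 127.0.0.1, finding its port from outside the host buys nothing, and the only way in is through `Proxy.do_GET`, which answers 401 before it opens a connection to the backend. Dropping `Authorization` before forwarding keeps the credentials out of the backend's logs; if the application insisted on rejecting the referrer anyway, adding `"referer"` to the drop set is the equivalent of `RequestHeader unset Referer`.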