
I have a website where all pages go through AWS Cloudfront (right now with a TTL of 0).

The site domain is www.example.com, which is a CNAME to the cloudfront distribution. Cloudfront then requests the site from my web server with origin.www.example.com, adding a custom header for Authentication.

However, now I also need to add Basic Auth to the site until it is launched. I've tried this by using LA-U:REMOTE_USER in a RewriteCond.

This configuration works, but has no Auth:

<VirtualHost *:80>

    ServerName www.example.com
    ServerAlias www.example.com

    ServerAdmin admin@site.com

    DocumentRoot /var/www/www.example.com/trunk

    <IfModule mpm_itk_module>
        AssignUserId www_site www_site
    </IfModule>

    <LocationMatch "^(.*\.php)$">
        ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
    </LocationMatch>

    Alias "/robots.txt" "/var/www/norobots.txt"

    <Directory /var/www/www.example.com>
        RewriteEngine on
        RewriteCond  %{HTTP:X-PSK-Auth}  !^mypassword$
        RewriteRule  .* - [F]
    </Directory>

    CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
    ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log

</VirtualHost>

curl http://cxcglobal.demonow.website/

returns the site HTML. Also

curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/"

returns the site source code.

However when I amend the configuration to

<VirtualHost *:80>

    ServerName www.example.com
    ServerAlias origin.www.example.com

    ServerAdmin jd@automatem.co.nz

    DocumentRoot /var/www/www.example.com/trunk

    <IfModule mpm_itk_module>
        AssignUserId www_site www_site
    </IfModule>

    <LocationMatch "^(.*\.php)$">
        ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
    </LocationMatch>

    Alias "/robots.txt" "/var/www/norobots.txt"

    <Directory /var/www/www.example.com>
        RewriteEngine on
        RewriteCond  %{HTTP:X-PSK-Auth}  !^mypassword$
        RewriteRule  .* - [F]

        RewriteCond %{LA-U:REMOTE_USER} !^$
        RewriteRule ^/(.*) http://origin.www.example.com/$1   [P,L]

        AuthUserFile /etc/apache2/staging.passwd
        AuthType Basic
        AuthName "Review security updates"
        Require valid-user

        LogLevel alert rewrite:trace3

    </Directory>

    CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
    ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log

</VirtualHost>

I get an error:

curl http://www.example.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address>
</body></html>

for both curl requests. I have no errors in the site-specific error log, nor in the global Apache error log. I also cannot find any entries in the rewrite log.
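As an added example (not from the question or the answer), here is one way to enforce both checks in Apache 2.4 without the LA-U lookahead and the proxy rewrite: the CloudFront shared-secret header and the Basic Auth credentials are combined in a `<RequireAll>` block, so a request that lacks either is refused. It assumes the same header name, password file and directory as the question; `mypassword` is a placeholder for the real secret.

```apache
<Directory /var/www/www.example.com>
    # Basic Auth for the reviewers (same password file as in the question)
    AuthType Basic
    AuthName "Staging review"
    AuthUserFile /etc/apache2/staging.passwd

    # Every Require inside RequireAll must succeed, otherwise the request is denied.
    # With the default AuthzSendForbiddenOnFailure Off, a failed check is answered
    # with 401 rather than 403, so a direct hit on the origin reveals nothing.
    <RequireAll>
        # The request must carry the shared secret that CloudFront adds as a
        # custom origin header ('mypassword' is a placeholder for the real value)
        Require expr "%{HTTP:X-PSK-Auth} == 'mypassword'"
        # ...and the visitor must present valid Basic Auth credentials
        Require valid-user
    </RequireAll>
</Directory>
```

For the Basic Auth half to work behind CloudFront, the cache behavior must forward the `Authorization` request header to the origin; by default CloudFront strips it, so Apache would never see the browser's credentials.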


1 Answer


A better way may be to use Lambda to handle the authentication directly at CloudFront...

I haven't tried it myself, but I found this resource...

http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/

It appears to be relatively straightforward. Lambda@Edge lets you run code to inspect and modify incoming requests.

Yes, I've used that method. I'm just trying to keep it compact, but this is my backstop method – jdog Aug 01 '18 at 17:27