Apache forward proxy with credentials
August 16, 2023 1:47 AM

I'd like to get your help configuring Apache to send/provide credentials with forward proxy requests.

Scenario: Apache is set up as a forward HTTP proxy, sending traffic to an upstream HTTP proxy that requires credentials. But I don't want downstream clients to have to give credentials, i.e. I want to bake them in. (Reason: Chrome is garbage and asks for them every goddamn time despite being stored in the password manager.)

Now, naive me thought there would be an Apache config function for this, but it does not exist. All that's needed is to add the header Proxy-Authorization: basic [static base64 data] to outbound requests. (I know this is insecure; not my choice.) But I can't make Apache do even this one simple thing.

This is the basic sketch of what I've tried:
```apache
<VirtualHost *:61281>
  ProxyRequests On
  ProxyRemote "*" "http://xx.xx.xx.xx:8000"
  <Proxy "*">
    Require ip 192.168.1.0/24
    RequestHeader set Proxy-Authorization "Basic xxxxxxxxxxxxxx"
  </Proxy>

  <Location />
    Deny from all
  </Location>
</VirtualHost>
```
Despite the RequestHeader line there, no such header is added to the outgoing request. I've verified this using mod_dumpio to dump the complete conversation, and what Apache sends to the upstream proxy is:
```
CONNECT example.com:443 HTTP/1.0\r\nProxy-agent: Apache/2.4.56 (Debian)\r\n\r\n
```
No auth header anywhere. The proxy naturally responds with a 407, Apache relays that back to the browser, and Chrome prompts for credentials. Fail.

I've tried moving around that RequestHeader directive (e.g. inside Proxy, outside, inside Location, etc.) and it just does not matter. How can I make Apache do this one stupid thing of adding a header? It's safe to assume that all proxied traffic will be TLS and hence all requests will be generated by mod_proxy_connect which does not seem to have any config options for adding headers. I would have thought the existing `mod_headers` stuff would work.

Please note that at this point I feel it necessary to point out that this is a FORWARD proxy, not a reverse proxy. There are oodles of web results for adding headers when doing reverse proxying, and all of them are irrelevant to what I'm doing.
posted by Rhomboid to Computers & Internet (8 answers total)
 
Response by poster: I hate it here.

(btw this was the first thing I tried before Apache, but it caused nodejs to segfault. Software was a mistake.)
posted by Rhomboid at 2:14 AM on August 16, 2023


My top result when I Google Apache forward proxy with credentials is this Stack Overflow Question+Answer.

That result feels way too easy to find, so I'm wondering if I missed something?
posted by gible at 3:27 AM on August 16, 2023


Response by poster: That is for setting up Apache as a forward proxy that requires authentication. Not at all relevant to what I'm trying to do, which is insert missing credentials to upstream proxy requests so that downstream users do not have to. Apache is not processing any passwords.
posted by Rhomboid at 3:42 AM on August 16, 2023


Response by poster: By the way I guess I should mark this as resolved because the link in my first comment pretty much shows this as impossible. But someone might have a workaround.
posted by Rhomboid at 3:44 AM on August 16, 2023


Response by poster: Oh, this is delicious! An 18-year-old bug report of my exact issue! And! feature merged nearly 3 years ago. Success! Except it's only on trunk (2.5.x) and has never been in a released version. So I guess it takes at least 20 years from bug report to released version in Apache's universe.

Did I mention software was a mistake.
posted by Rhomboid at 3:56 AM on August 16, 2023


Metafilter is the wrong place to ask this question; a lot of the expertise has moved on over the years. SO is where you want to go for help; go ask your questions there.
posted by Back At It Again At Krispy Kreme at 10:21 AM on August 16, 2023


Copy the 2.5 version of mod_proxy.c into the build tree. Rebuild. Test. Install.

Apache is the canonical example of open source: if there is a problem, patch it. The name specifies that it's for "A Patchy Server".

It's been a while since I've hacked on Apache, but let us know what system you're working on and we can help. It really is not difficult. There are more verification and contemporary software engineering practices with git and such but the essential steps are pretty simple.
posted by sammyo at 11:05 AM on August 16, 2023


Response by poster: I'm not running a custom patched web server that will never receive future security updates without massive manual effort, are you actually insane.
posted by Rhomboid at 7:29 PM on August 16, 2023
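
A workaround of the kind asked for in the thread, as an added example that is not from any post here or from Apache: a loopback-only CONNECT relay that browsers point at, which forwards each tunnel to the upstream proxy and attaches the Basic credentials that the dumped Apache request lacked. The function names, the `UPSTREAM_*` environment variables and the 443-only rule are assumptions; ports 61281 and 8000 come from the posted config.

```python
import asyncio, base64, contextlib, os, re

def parse_connect(head: bytes) -> str:
    """Return host:port from a CONNECT line; only port 443 passes (assumption: TLS only)."""
    m = re.fullmatch(rb"CONNECT (\S+:443) HTTP/1\.[01]", head.split(b"\r\n", 1)[0])
    if not m:
        raise ValueError("only CONNECT host:443 is supported")
    return m.group(1).decode("latin-1")

def build_connect(target, user, password) -> bytes:
    """The CONNECT that Apache sent upstream, plus the missing credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"CONNECT {target} HTTP/1.0\r\nProxy-Authorization: Basic {token}\r\n\r\n".encode()

async def pipe(reader, writer):
    """Copy bytes one way until EOF or a socket error, then close the far side."""
    with contextlib.suppress(OSError):
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    writer.close()

async def handle(cr, cw, user, password, upstream):
    uw = None
    try:
        # Only the target is forwarded; client-supplied headers are dropped.
        target = parse_connect(await cr.readuntil(b"\r\n\r\n"))
        ur, uw = await asyncio.open_connection(*upstream)
        uw.write(build_connect(target, user, password))
        reply = await ur.readuntil(b"\r\n\r\n")
        cw.write(reply)  # pass the upstream's status (200, 407, ...) through
        if reply.split(b" ", 2)[1:2] == [b"200"]:
            await asyncio.gather(pipe(cr, uw), pipe(ur, cw))
    except (ValueError, OSError, asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        cw.write(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
    finally:
        cw.close()
        if uw:
            uw.close()

async def main(env=os.environ):
    # Hypothetical variable names; the credentials stay out of the source file.
    upstream = (env["UPSTREAM_HOST"], int(env.get("UPSTREAM_PORT", "8000")))
    serve = lambda r, w: handle(r, w, env["UPSTREAM_USER"], env["UPSTREAM_PASS"], upstream)
    # Loopback only: anyone who can reach this port borrows the upstream login.
    async with await asyncio.start_server(serve, "127.0.0.1", 61281) as server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Because the relay rebuilds the request from the target alone, a `Proxy-Authorization` header sent by a client never reaches the upstream proxy.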

