Forum Moderators: phranque
- A music server (Logitech's SqueezeCenter) on port 9000.
- An X10 home automation server on port 88
- A webcam on port 8080
- .. and a few more.
By using Apache's Virtual Host and Reverse Proxy configuration, I am able to access each of these over port 80 on the Internet, by using easy-to-remember sub-domains, such as:
- music.mydomain.com
- x10.mydomain.com
- webcam.mydomain.com
.. and all works well. For each new service I want to add, I simply edit Apache's httpd-vhost.cnf file and add information such as (for the music server):
<VirtualHost *:80>
ServerName music.mydomain.com
ProxyPreserveHost On
ProxyPass / [127.0.0.1:9000...]
ProxyPassReverse / [127.0.0.1:9000...]
<Location />
AuthName "only for registered users"
Authtype Basic AuthUserFile "C:/Program Files/Apache Software Foundation/Apache2.2/dotpasswd"
require valid-user
</Location>
</VirtualHost>
Everything works as it should, and if I go to music.mydomain.com, I am asked for my username and password, and pending successful authentication, I am granted access.
However, and this is where I'm stuck, what I'd really like to do is to visit something like mydomain.com, log-in just the once, and then be presented with a list of all the available services (music, x10, webcam, etc), and just to click on which one I want and *NOT* have to log in again. The problem is that although the HTTP realm is the same for each Virtual Host, I am asked to re-authenticate when effectively visiting a different "site".
I'm therefore thinking that my current strategy won't work. So how do I do it? Essentially, how do I access multiple backend servers on my LAN, via a single authentication prompt? In an ideal world, the solution would be in addition to what I'm currently doing, as it's also convenient to be able to access these services directly.
Any suggestiosn welcome!
Thanks
Ian
Jim
Thanks for your idea.
Ok, so I see where you are coming from, but how does the subdirectory, or query option like you suggest allow only authenticated users to access the desired sub-system? Need to remember that I'm only using Apache as a proxy to connect to other back-end systems .. they're not purely webpages that can be stored in subdirectories as such.
I'm sure it's possible; I just don't have a clue how to configure Apache accordingly.
Thanks for any assistance!
Ian
I haven't played with this set up myself (at least not that I remember), but you may need to first pass the requests through a local (front-end) directory, so that auth is performed on that directory, and subdirectories of that directory are then reverse-proxied to the various back-end servers. Otherwise, you'd end up having to do the auth on the back-end servers, and you'd be right back where you started with separate logins required.
To be (hopefully) clear: a request for example.com/services/music could invoke auth at the /services directory level, and then ProxyPass to the music server could be applied at the /music level.
The directory index page of the auth-protected directory /services could include your "list of links" to all of your services, but this approach will also support direct access to any/all services, as long as you have logged-in to any one of them at the /services level.
Jim
Thanks once again! I feel I'm nearly there now.
Fully understand your concept, and so added the following to my httpd.conf file:
# Setup protected area
<Location /services>
AuthName "only for registered users"
Authtype Basic
AuthUserFile "C:/Program Files/Apache Software Foundation/Apache2.2/dotpasswd"
require valid-user
</Location>
Next, I wanted to add the following proxy statements:
ProxyPass /services/music/ [192.168.1.3:9000...]
ProxyPassReverse /services/music/ [192.168.1.3:9000...]
.. but I'm at a loss to know where to add this (and further proxy commands for the other services).
I've tried putting these commands in all sorts of places, and it either stops the Apache service from restarting, or I get "page not found" error (ie, Apache isn't proxying).
If I can just figure out where to place these proxy statements, then I'm there!
Also, "my concept" implies that the auth <Location> should be "/services", rather than "/" as you've shown it (I assumed that you don't want to have to log in to get access to the other stuff hosted on your main/front-end server).
Jim
Ian
