Uberspace / lab

The Uberlab provides various tutorials - written by you! - on how to run software and tools on Uberspace 7.
https://lab.uberspace.de

reverse proxy with basic auth #1115

Open EV21 opened 3 years ago

EV21 commented 3 years ago

Since the uberspace web backend does not provide basic auth and some web applications out there don't have their own authentication systems, a server of your own could be a solution as a workaround.

relevant apps may be: prometheus, Pluto.jl, ethercalc #951, ...


<details>
<summary>apache/httpd (binary maintained by Uberspace)</summary>

You can use the system's apache binary to run your own instance with a custom configuration.

Generate the `~/.htpasswd` with your first user/password setting by executing the following command:

```
htpasswd -cB ~/.htpasswd alice
New password:
Re-type new password:
Adding password for user alice
```

Note: option `c` for creating a new file; option `B` is for encrypting the passwords using bcrypt.

To change a password:

```
htpasswd -B ~/.htpasswd alice
New password:
Re-type new password:
Updating password for user alice
```

Add a user:

```
htpasswd -B ~/.htpasswd bob
New password:
Re-type new password:
Adding password for user bob
```

Delete a user:

```
htpasswd -D ~/.htpasswd bob
Deleting password for user bob
```

Create `~/httpd.conf` with the following content:

```apache
LoadModule unixd_module /usr/lib64/httpd/modules/mod_unixd.so
LoadModule mpm_event_module /usr/lib64/httpd/modules/mod_mpm_event.so
LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/httpd/modules/mod_proxy_http.so
LoadModule auth_basic_module /usr/lib64/httpd/modules/mod_auth_basic.so
LoadModule authn_core_module /usr/lib64/httpd/modules/mod_authn_core.so
LoadModule authn_file_module /usr/lib64/httpd/modules/mod_authn_file.so
LoadModule authz_core_module /usr/lib64/httpd/modules/mod_authz_core.so
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule log_config_module /usr/lib64/httpd/modules/mod_log_config.so

ErrorLog "/home/isabell/logs/httpd/error_log"
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %-{X-Forwarded-For-Anon}i] %M"
LogFormat "%a %l %u %t \"%r\" %>s %b" common
LogFormat "%{X-Forwarded-For-Anon}i %l %u %t \"%r\" %>s %b" anon
CustomLog /home/isabell/logs/httpd/access_log anon

User isabell
Group isabell
PidFile /home/isabell/httpd.pid

Listen 8042
ServerName isabell.uber.space

ProxyPass / http://0.0.0.0:8888/
ProxyPassReverse / http://0.0.0.0:8888/

AuthName "Restricted"
AuthType Basic
AuthUserFile /home/isabell/.htpasswd
Require valid-user
```

Create `~/etc/services.d/apache.ini` with the following content:

```ini
[program:apache]
command=/usr/sbin/httpd -f %(ENV_HOME)s/httpd.conf -DFOREGROUND
autostart=true
autorestart=true
```

```
[isabell@stardust ~]$ supervisorctl reread
SERVICE: available
[isabell@stardust ~]$ supervisorctl update
SERVICE: added process group
[isabell@stardust ~]$ supervisorctl status
SERVICE                            RUNNING   pid 26020, uptime 0:03:14
[isabell@stardust ~]$
```

```
uberspace web backend set / --http --port 8042
```

</details>

<details>
<summary>Caddy</summary>

```shell
[isabell@stardust ~]$ VERSION=2.5.1
[isabell@stardust ~]$ wget https://github.com/caddyserver/caddy/releases/download/v${VERSION}/caddy_${VERSION}_linux_amd64.tar.gz
[isabell@stardust ~]$ tar --extract --gzip --file caddy_${VERSION}_linux_amd64.tar.gz caddy
[isabell@stardust ~]$ rm caddy_${VERSION}_linux_amd64.tar.gz
[isabell@stardust ~]$ mv ~/caddy ~/bin/caddy
[isabell@stardust ~]$ caddy hash-password
Enter password:
Confirm password:
JDJhJDE0JEZYVld1dk92VWkwWWFITFltcEp1MWVlWUNvMWRGM2F4UnM1Ykc2d1daRXlVLkltZmdZL0VH
```

Create `~/Caddyfile` with the following content, replace isabell and the generated password hash from above next to it, and adjust the port of your application (in this case 8888).

```
{
    # this is the port the uberspace web backend connects to
    http_port 8042
}

http://isabell.uber.space {
    basicauth /* {
        Isabell JDJhJDE0JEZYVld1dk92VWkwWWFITFltcEp1MWVlWUNvMWRGM2F4UnM1Ykc2d1daRXlVLkltZmdZL0VH
        # If you want to add another user, just use a new line for each user like this
        Bob FDJhJDE0JGYvVTdFUy9OLm1TRnNaekVQbFBOWU9FMEpQZW43UTBXaTQvT3lVTDY2V3g2WDlsM0h6VlV1
        Alice ADJhJDE0JGYvVTdFUy9OLm1TRnNaekVQbFBOWU9FMEpQZW43UTBXaTQvT3lVTDY2V3g2WDlsM0h6VlVF
    }
    # this (8888) is the port of your application
    reverse_proxy 0.0.0.0:8888
}
```

Create `~/etc/services.d/caddy.ini`:

```ini
[program:caddy]
command=caddy run -config %(ENV_HOME)s/Caddyfile
startsecs=5
stopsecs=5
autostart=yes
autorestart=yes
```

```
[isabell@stardust caddy]$ supervisorctl reread
caddy: available
[isabell@stardust caddy]$ supervisorctl update
caddy: added process group
[isabell@stardust caddy]$ supervisorctl status
caddy                            RUNNING   pid 10213, uptime 0:00:06
```

```
[isabell@stardust ~]$ uberspace web backend set / --http --port 8042
```

Upgrades can be done by simply executing the following commands:

```
[isabell@stardust ~]$ caddy upgrade
[isabell@stardust ~]$ supervisorctl restart caddy
```

Note: caddy logs everything to stderr

```
supervisorctl tail -f caddy stderr
```

</details>
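A check added here, not part of the issue or of either tool's own code, that applies to both the `htpasswd -B` step and the `caddy hash-password` step above: it audits a htpasswd-style file and flags entries that are not bcrypt or whose bcrypt cost is below a threshold. Apache's `htpasswd -B` writes cost 5 unless `-C` is given, while `caddy hash-password` writes cost 14 (the `JDJhJDE0J...` hash above decodes to a `$2a$14$` prefix); the sample file is constructed and `MIN_COST=10` is an assumed local policy, not a tool default.

```shell
#!/bin/sh
# Added example, not from the issue: audit a htpasswd-style file as used by
# "htpasswd -B" (apache) and by Caddy's basicauth block.
# htpasswd -B writes bcrypt with cost 5 unless -C is given; caddy hash-password
# writes cost 14. MIN_COST is an assumed local policy, not a tool default.
MIN_COST=10

# audit_htpasswd FILE: prints one verdict per entry, returns 1 if any is weak.
audit_htpasswd() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        hash=${line#*:}
        case $hash in
            '$2y$'??'$'*|'$2a$'??'$'*|'$2b$'??'$'*)
                # bcrypt: the two digits after the version prefix are the cost
                cost=$(printf '%s' "$hash" | cut -c5-6)
                cost=${cost#0}
                if [ "$cost" -ge "$MIN_COST" ]; then
                    echo "OK    $user: bcrypt cost $cost"
                else
                    echo "WEAK  $user: bcrypt cost $cost below $MIN_COST (rehash with htpasswd -B -C $MIN_COST)"
                    rc=1
                fi ;;
            '$apr1$'*) echo "WEAK  $user: apr1 (MD5) hash"; rc=1 ;;
            '{SHA}'*)  echo "WEAK  $user: unsalted SHA-1 hash"; rc=1 ;;
            *)         echo "WEAK  $user: crypt(3) or plaintext"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample file: the hash bodies are placeholders, only the prefixes matter here.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
alice:$2y$05$ConstructedSaltXXXXXXXXXXXConstructedHashYYYYYYYYYYYYYYYYYY
bob:$2a$14$ConstructedSaltXXXXXXXXXXXConstructedHashYYYYYYYYYYYYYYYYYY
carol:$apr1$cnstrctd$ConstructedHashValueZZZZZZ
dave:{SHA}Q29uc3RydWN0ZWRTaGExSGFzaD09
EOF

if audit_htpasswd "$SAMPLE"; then
    echo "all entries acceptable"
else
    echo "weak entries found, see above"
fi
```

Run it against the real file with `audit_htpasswd ~/.htpasswd`; a non-zero exit status means at least one entry should be rehashed.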
coderkun commented 3 years ago

Why don’t you use regular httpd with a Reverse Proxy configuration?

EV21 commented 3 years ago

ProxyPass and ProxyPassReverse are forbidden on uberspace via the .htaccess files.

I tried this, but that does not work:

```apache
AuthType Basic
AuthName "Please enter user and password"
AuthUserFile /var/www/virtual/isabell/.htpasswd
Require valid-user

## ProxyPass(Reverse) not allowed here on apache/uberspace
#ProxyPass / http://0.0.0.0:4242/
#ProxyPassReverse / http://0.0.0.0:4242/
```

I haven't tried to install my own Apache instance yet. I think that is not as simple as the example above.


edit:

Okay, there might be a simple enough way via Homebrew so we can install the latest and greatest httpd/apache2 web server

```shell
brew install httpd
```

SalocinHB commented 3 years ago

If you want, you can run our httpd binary with your own config. No need for brewing your own.

EV21 commented 2 years ago

I played a while with

<details>
<summary>my NOT WORKING isabellised nginx config</summary>

```nginx
daemon off;
pid /home/isabell/nginx.pid;
events {}
http {
    access_log /dev/null;
    error_log /dev/null;
    server {
        listen 8042;
        server_name isabell.uber.space;
        location / {
            auth_basic_user_file /home/isabell/.htpasswd;
            proxy_pass http://0.0.0.0:8888;
        }
    }
}
```

running

```
/opt/nginx/sbin/nginx -c ~/my_nginx.conf
```

results in

```
nginx: [alert] could not open error log file: open() "/opt/nginx/logs/error.log" failed (13: Permission denied)
2022/06/11 22:22:47 [alert] 19151#19151: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
2022/06/11 22:22:47 [alert] 19151#19151: [lua] base.lua:41: use of lua-resty-core with LuaJIT 2.0 is not recommended; use LuaJIT 2.1+ instead
2022/06/11 22:22:47 [alert] 19151#19151: [lua] lrucache.lua:16: use of lua-resty-lrucache with LuaJIT 2.0 is not recommended; use LuaJIT 2.1+ instead
2022/06/11 22:22:47 [emerg] 19151#19151: open() "/opt/nginx/logs/error.log" failed (13: Permission denied)
```

I have no idea how to get this fixed without doing my own nginx installation (no go)

</details>

➡️ So what do you think about a Caddy guide or howto with the focus on basic auth?

That stuff could also be scripted so that it adds no extra complexity to other guides, just something like this:

```shell
bash -c "$(wget -q -O - https://trusted-example.com/caddy_basic_auth.sh)" _ backend-port 8042 app-port 9000
```

An interactive mode could also simply ask for all parameters with user and password.

no-one commented 6 days ago

@EV21 I just stumbled across this and think that the Caddy guide you mentioned would be a really good idea, especially as a basis for other guides. Maybe you are still motivated. :) Edit: Maybe in combination with https://www.authelia.com/