hkucuk

Reverse Proxy and Basic Authentication in VirtualHost

March 11, 2021 • ☕️ 4 min read • 🏷 computer, software



When setting up a web server, there are usually sections that we want to restrict access to. Web applications often provide their own authentication and authorization methods, but in some cases we may want to restrict access through the web server itself.

The need for a reverse proxy arises when we want to expose a service running on the web server to the outside world. For example, you have a service running on port 3100 and you want to reach it via service.example.com. In this case, you will need a router.

In this article, I will show you how to set up a reverse proxy on a web server using VirtualHost and how to apply password protection.

Creating the Password File

First of all, user names and passwords that will have access permission must be introduced to the system. For this we need the htpasswd command.

If htpasswd is not installed on your system, you can install it as follows. I’m using the yum package manager. You can easily find the installation suitable for your system with a short research.

yum provides \*bin/htpasswd
or
yum install httpd-tools

Now that the command is in our system, we can generate passwords. For this, we will create a hidden file named .htpasswd in the /etc/httpd directory of our system.

Since this is the first time we are using htpasswd, we need to add the -c option to create the specified file. To create a new entry in the file, we specify a username (admin in this example) at the end of the command:

sudo htpasswd -c /etc/httpd/.htpasswd admin

After running this command, the system will ask you for a password. After entering your password twice, the password for the admin user will be defined.

If you want to add other users from now on, leave out the -c option; running htpasswd with -c on an existing file overwrites it and discards the entries already there.

sudo htpasswd /etc/httpd/.htpasswd another_user

If we view the contents of the file, we can see the username and hashed password for each record:

cat /etc/httpd/.htpasswd

Output
admin:$apr1$lzxsIfXG$tmCvCfb49vpPFwKGVsuYz.
another_user:$apr1$p1E9MeAf$kiAhneUwr.MhAE2kKGYHK.
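
The $apr1$ prefix in the output above marks htpasswd's default MD5-based scheme; htpasswd -B stores bcrypt instead. The script below is an added example, not part of the original article: it reads an htpasswd file and reports the scheme of each entry. The function names and the ops and legacy sample entries are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: report the hash scheme of every entry in an htpasswd file.

# Identify the scheme from the prefix htpasswd stores in front of the hash.
hash_scheme() {
    case "$1" in
        '$2y$'*)   echo bcrypt ;;          # written by: htpasswd -B
        '$apr1$'*) echo apr1-md5 ;;        # htpasswd default, MD5-based
        '{SHA}'*)  echo sha1-unsalted ;;   # written by: htpasswd -s
        '')        echo missing ;;
        *)         echo crypt-or-plain ;;  # htpasswd -d or -p
    esac
}

# Print "user<TAB>scheme<TAB>verdict" for each entry; return 1 if any
# entry is stored with something other than bcrypt.
audit_htpasswd() {
    local user hash scheme verdict status=0
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -z "$user" ] && continue         # skip blank lines
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            bcrypt)   verdict=ok ;;
            apr1-md5) verdict=rehash-with-bcrypt; status=1 ;;
            *)        verdict=insecure; status=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$scheme" "$verdict"
    done < "$1"
    return "$status"
}

# Constructed sample: the two entries shown in the article plus two
# made-up entries whose hash bodies are placeholders, not real hashes.
write_sample() {
    cat > "$1" <<'EOF'
admin:$apr1$lzxsIfXG$tmCvCfb49vpPFwKGVsuYz.
another_user:$apr1$p1E9MeAf$kiAhneUwr.MhAE2kKGYHK.
ops:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
legacy:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_htpasswd "$sample" || echo "re-create flagged entries with: htpasswd -B <file> <user>"
rm -f "$sample"
```

On a real system, pass the path of the password file (here /etc/httpd/.htpasswd) to audit_htpasswd instead of the sample.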

Defining VirtualHost Basic Login

Let’s open the virtualhost config file where we will add login with password. In my example this file is /etc/httpd/conf/httpd.conf.

sudo nano /etc/httpd/conf/httpd.conf

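In the config file, you need to have a definition as follows. Note that ${APACHE_LOG_DIR} is a variable set by Debian-style Apache packaging; on an httpd installed with yum it is not defined by default, so use a path such as logs/error_log there.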

<VirtualHost *:80>
    ServerName service.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Access restriction is made on a directory basis. For this, we need to use Directory or Location definitions.

<VirtualHost *:80>
    ServerName service.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

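A username and password will now be required to access service.example.com. Basic authentication sends them only base64-encoded with every request, so on a plain-HTTP VirtualHost like this one (port 80) they can be read on the network; serve the host over HTTPS when it is exposed beyond a trusted network.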

Reverse Proxy

To add a reverse proxy, the ProxyPass and ProxyPassReverse directives will do the trick. The config that combines the reverse proxy and Basic authentication is as follows.

<VirtualHost *:80>
    ServerName service.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyRequests Off
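    # Order/Allow (here and in <Location>) are Apache 2.2-style access
    # rules; on Apache 2.4 they only work with mod_access_compat loaded.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>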

    ProxyErrorOverride On
    ProxyPass   /   http://127.0.0.1:3100/
    ProxyPassReverse   /   http://127.0.0.1:3100/

    <Location />
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

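Location is used here instead of Directory, because proxied requests are matched by URL path and are not served from a directory on the filesystem. A point to note is that / must be placed at the end of the target URL in the ProxyPass and ProxyPassReverse definitions. Otherwise, a correct mapping will not be possible.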

