Rewrite
然後用 Apache for Cloudfront 重寫 Basic Auth
我有一個網站,所有頁面都通過 AWS Cloudfront(現在 TTL 為 0)。
站點域是 www.example.com,它是雲端分發的 CNAME。然後,Cloudfront 使用 origin.www.example.com 從我的 Web 伺服器請求該站點,並為身份驗證添加自定義標頭。
但是現在我還需要將基本身份驗證添加到站點,直到它啟動。我已經通過在 RewriteCond 中使用 LA-U:REMOTE_USER 進行了嘗試
此配置有效,但沒有 Auth:
<VirtualHost *:80> ServerName www.example.com ServerAlias www.example.com ServerAdmin admin@site.com DocumentRoot /var/www/www.example.com/trunk <IfModule mpm_itk_module> AssignUserId www_site www_site </IfModule> <LocationMatch "^(.*\.php)$"> ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk </LocationMatch> Alias "/robots.txt" "/var/www/norobots.txt" <Directory /var/www/www.example.com> RewriteEngine on RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$ RewriteRule .* - [F] </Directory> CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log </VirtualHost>
curl http://cxcglobal.demonow.website/
返回站點 HTML。還
curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/
返回站點原始碼。
但是,當我將配置修改為
<VirtualHost *:80> ServerName www.example.com ServerAlias origin.www.example.com ServerAdmin jd@automatem.co.nz DocumentRoot /var/www/www.example.com/trunk <IfModule mpm_itk_module> AssignUserId www_site www_site </IfModule> <LocationMatch "^(.*\.php)$"> ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk </LocationMatch> Alias "/robots.txt" "/var/www/norobots.txt" <Directory /var/www/www.example.com> RewriteEngine on RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$ RewriteRule .* - [F] RewriteCond %{LA-U:WxLaRwvCQ2yAf5KJREMOTE_USER} !^$ RewriteRule ^/(.*) http://origin.www.example.com/$1 [P,L] AuthUserFile /etc/apache2/staging.passwd AuthType Basic AuthName "Review security udpates" Require valid-user LogLevel alert rewrite:trace3 </Directory> CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log </VirtualHost>
我收到一個錯誤:
curl http://www.example.com/ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address> </body></html>
對於兩個 curl 請求。我在特定於站點的錯誤日誌中沒有錯誤,在全域 apache 錯誤日誌中也沒有錯誤。我也找不到重寫日誌的任何條目。
更好的方法,可能是使用 lambda 直接在雲端處理身份驗證……
我自己沒有嘗試過,但我找到了這個資源……
http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/
它似乎相對簡單。Lambda@Edge 允許您執行程式碼來檢查和修改傳入請求。