Rewrite

然後用 Apache for Cloudfront 重寫 Basic Auth

  • June 11, 2020

我有一個網站,所有頁面都通過 AWS Cloudfront(現在 TTL 為 0)。

站點域是 www.example.com,它是雲端分發的 CNAME。然後,Cloudfront 使用 origin.www.example.com 從我的 Web 伺服器請求該站點,並為身份驗證添加自定義標頭。

但是現在我還需要將基本身份驗證添加到站點,直到它啟動。我已經通過在 RewriteCond 中使用 LA-U:REMOTE_USER 進行了嘗試

此配置有效,但沒有 Auth:

<VirtualHost *:80>

   ServerName www.example.com
   ServerAlias www.example.com

   ServerAdmin admin@site.com

   DocumentRoot /var/www/www.example.com/trunk

   <IfModule mpm_itk_module>
       AssignUserId www_site www_site
   </IfModule>

   <LocationMatch "^(.*\.php)$">
       ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
   </LocationMatch>

   Alias "/robots.txt" "/var/www/norobots.txt"

   <Directory /var/www/www.example.com>
       RewriteEngine on
       RewriteCond  %{HTTP:X-PSK-Auth}  !^mypassword$
       RewriteRule  .* - [F]
   </Directory>

   CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
   ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log

</VirtualHost>
curl http://cxcglobal.demonow.website/

返回站點 HTML。還

curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/

返回站點原始碼。

但是,當我將配置修改為

<VirtualHost *:80>

   ServerName www.example.com
   ServerAlias origin.www.example.com

   ServerAdmin jd@automatem.co.nz

   DocumentRoot /var/www/www.example.com/trunk

   <IfModule mpm_itk_module>
       AssignUserId www_site www_site
   </IfModule>

   <LocationMatch "^(.*\.php)$">
       ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
   </LocationMatch>

   Alias "/robots.txt" "/var/www/norobots.txt"

   <Directory /var/www/www.example.com>
       RewriteEngine on
       RewriteCond  %{HTTP:X-PSK-Auth}  !^mypassword$
       RewriteRule  .* - [F]

       RewriteCond %{LA-U:WxLaRwvCQ2yAf5KJREMOTE_USER} !^$
       RewriteRule ^/(.*) http://origin.www.example.com/$1   [P,L]

       AuthUserFile /etc/apache2/staging.passwd
       AuthType Basic
       AuthName "Review security udpates"
       Require valid-user

       LogLevel alert rewrite:trace3

   </Directory>

   CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
   ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log

</VirtualHost>

我收到一個錯誤:

curl http://www.example.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address>
</body></html>

對於兩個 curl 請求。我在特定於站點的錯誤日誌中沒有錯誤,在全域 apache 錯誤日誌中也沒有錯誤。我也找不到重寫日誌的任何條目。

更好的方法,可能是使用 lambda 直接在雲端處理身份驗證……

我自己沒有嘗試過,但我找到了這個資源……

http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/

它似乎相對簡單。Lambda@Edge 允許您執行程式碼來檢查和修改傳入請求。

引用自:https://serverfault.com/questions/924373