Client Apache Reverse Proxy Cake Token Auth

Written by James McDonald

April 16, 2022

I have a reverse proxy that protects backend with basic auth

client -> basic auth reverse proxy -> token auth cakephp backend

curl -v \
	-H 'Authorization: Basic base64_encoded_user_pass_here' \
    -H 'Authorization: Token cakephptokenhere' \
    'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes' --output test.pdf

The problem with the above is that the Authorization header succeeds at the reverse proxy and passes both headers through and then CakePHP gets confused by the headers and doesn’t auth

The trick is to remove the Authorization Request Header at the proxy and then switch to token query string for the CakePHP auth

# test env
ProxyPass /subdir http://docker:9999/subdir
ProxyPassReverse /subdir http://docker:9999/subdir

<Location "/subdir">
        RewriteEngine On
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile "/etc/httpd/myhtpasswd"
        Require valid-user
        ProxyPreserveHost On
        RequestHeader unset Authorization
curl -v \
	-H 'Authorization: Basic base64_encoded_user_pass_here' \
    'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes&token=12345656699080' --output test.pdf

Yes this is insecure because it exposes an auth token in the query string but all good as it works.


Submit a Comment

Your email address will not be published.

You May Also Like…

List your VSCode Extensions

Ever wondered what extensions you have installed and want to keep a list? This actually is a good way to audit your...

array_merge vs the + operator

<?php $options = [ 'rootNode' => 'response' ]; // array_merge // the same key appearing later will overwrite echo...