I have a reverse proxy that protects a backend with basic auth:
client -> basic auth reverse proxy -> token auth cakephp backend
curl -v \
  -H 'Authorization: Basic base64_encoded_user_pass_here' \
  -H 'Authorization: Token cakephptokenhere' \
  'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes' \
  --output test.pdf
The problem with the above is that the Basic credentials succeed at the reverse proxy, which then passes both Authorization headers through to the backend; CakePHP gets confused by the two headers and the token auth fails.
The trick is to remove the Authorization request header at the proxy (once Basic auth has succeeded) and switch to passing the CakePHP token in the query string.
# test env
ProxyPass /subdir http://docker:9999/subdir
ProxyPassReverse /subdir http://docker:9999/subdir

<Location "/subdir">
    RewriteEngine On
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/myhtpasswd"
    Require valid-user
    ProxyPreserveHost On
    # strip the Basic credentials after they have been checked, so the
    # backend never sees a second Authorization header
    RequestHeader unset Authorization
</Location>
curl -v \
  -H 'Authorization: Basic base64_encoded_user_pass_here' \
  'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes&token=12345656699080' \
  --output test.pdf
Yes, this is insecure because it exposes the auth token in the query string, but all good as it works.
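As an added example (not part of the original note or its config), the same proxy can strip the client's Basic header and inject the backend's Token header itself, so the token never appears in the URL, access logs or browser history. It assumes the backend accepts the `Authorization: Token ...` header shown in the first curl command, and `BACKEND_TOKEN_PLACEHOLDER` stands in for the real token:

```apache
# Added example, not the original config: the proxy terminates Basic auth
# and then supplies the CakePHP token on the backend hop itself.
ProxyPass /subdir http://docker:9999/subdir
ProxyPassReverse /subdir http://docker:9999/subdir

<Location "/subdir">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/myhtpasswd"
    Require valid-user
    ProxyPreserveHost On

    # RequestHeader (without the 'early' flag) runs in the fixup phase, after
    # Basic auth has already passed, so replacing the header here is safe.
    # 'set' overwrites the client's Basic value with the backend token; a
    # failed Basic login is rejected with 401 before this line is reached.
    RequestHeader set Authorization "Token BACKEND_TOKEN_PLACEHOLDER"
</Location>
```

The client then sends only its Basic credentials (the first curl command without the Token header and without `token=` in the query string), and the backend still receives exactly one Authorization header.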