Client Apache Reverse Proxy Cake Token Auth

Written by James McDonald

April 16, 2022

I have a reverse proxy that protects a backend with HTTP Basic auth; the backend itself uses CakePHP token auth:

client -> basic auth reverse proxy -> token auth cakephp backend

curl -v \
    -H 'Authorization: Basic base64_encoded_user_pass_here' \
    -H 'Authorization: Token cakephptokenhere' \
    'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes' --output test.pdf

The problem with the above is that the Basic credentials satisfy the reverse proxy, but the proxy then passes both Authorization headers through to the backend, and CakePHP, seeing the Basic header alongside the Token one, gets confused and does not authenticate the request.

The trick is to strip the Authorization request header at the proxy (after Basic auth has already been checked) and switch the CakePHP side to token authentication via the query string.

# test env
ProxyPass /subdir http://docker:9999/subdir
ProxyPassReverse /subdir http://docker:9999/subdir

<Location "/subdir">
    RewriteEngine On
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/myhtpasswd"
    Require valid-user
    ProxyPreserveHost On
    # RequestHeader needs mod_headers; without "early" it runs after auth,
    # so Basic auth is checked before the header is dropped
    RequestHeader unset Authorization
</Location>

curl -v \
    -H 'Authorization: Basic base64_encoded_user_pass_here' \
    'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes&token=12345656699080' --output test.pdf

Yes, this is insecure because it exposes the auth token in the query string, but all good as it works.
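One way to keep the token out of the URL while still stripping the Basic credentials at the proxy, as an added example that is not part of the original post or the author's setup: have the client send the CakePHP token in a separate request header, and let mod_headers swap it into Authorization once Basic auth has been checked. The carrier header name X-Backend-Authorization is my own choice, and the expr= value and condition forms assume mod_headers on Apache 2.4.10 or later.

```apache
# Added example (not the author's config): Basic auth at the proxy, then the
# backend token is moved from a separate client header into Authorization.
ProxyPass        /subdir http://docker:9999/subdir
ProxyPassReverse /subdir http://docker:9999/subdir

<Location "/subdir">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/myhtpasswd"
    Require valid-user
    ProxyPreserveHost On

    # Late (default) RequestHeader runs after authentication, so Basic auth has
    # already passed by the time the header is dropped. The backend never sees
    # the Basic credentials.
    RequestHeader unset Authorization

    # If the client supplied a backend token in X-Backend-Authorization
    # (hypothetical header name), forward it as the backend's Authorization.
    # The trailing condition skips the set when the carrier header is absent.
    RequestHeader set Authorization "expr=%{req:X-Backend-Authorization}" "expr=-n %{req:X-Backend-Authorization}"

    # Do not leak the carrier header to the backend.
    RequestHeader unset X-Backend-Authorization
</Location>

# Client call with this config (no token in the query string):
#   curl -v \
#     -H 'Authorization: Basic base64_encoded_user_pass_here' \
#     -H 'X-Backend-Authorization: Token cakephptokenhere' \
#     'http://internetAddress/subdir/controller/action?report_date=1973-01-31&email=yes' --output test.pdf
```

With this arrangement the token travels in a header rather than the URL, so it does not land in proxy or backend access logs or browser history the way a query parameter does, and CakePHP only ever receives a single Authorization header.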
