Hi Will,

If the external Review Board server is requiring Basic Auth for access
(outside of our Basic Auth requests in the API), then that may be a
problem. You're dealing with two different kinds of authentication. I'm not
sure from your description whether things are set up so that Review Board
is expecting Basic Auth for authentication using some custom backend, or if
you just have an extra layer around the access to your server.

Can you tell me more about the auth setup, and how/why things are set up
this way?

Generally, I'd recommend not using Basic Auth for your Review Board server,
and instead using something backed by LDAP, if you need some kind of
external management of users.

We have Nginx set up to forward requests to our Apache running Review
Board, and it works great, but we're not using Basic Auth.

Christian

-- 
Christian Hammond
President/CEO of Beanbag <https://www.beanbaginc.com/>
Makers of Review Board <https://www.reviewboard.org/>

On Wed, Jul 27, 2016 at 10:04 AM, Will Partain <will.part...@verilab.com>
wrote:

> I am failing to reverse-proxy through an external Apache 2.4 server to
> a ReviewBoard service (2.6.5.1).
>
> The external server is (let's say) external.example.com.  Its Apache
> config includes:
>
>   ProxyPass /reviews http://backend.example.com/reviews
>
>   <Location /reviews>
>     ProxyPassReverse  http://backend.example.com/reviews
>     ProxyPassReverseCookieDomain backend.example.com external.example.com
>     RequestHeader    unset  Accept-Encoding
>
>     <%= @httpd_auth_thing %>
>   </Location>
>
> where the @httpd_auth_thing turns into a standard Apache Basic
> authentication thing.
>
> The backend server (also Apache 2.4) includes standard ReviewBoard
> runes, i.e.
>
>         WSGIPassAuthorization On
>         WSGIScriptAlias "/reviews" "<%= @reviewboard_home
> -%>/htdocs/reviewboard.wsgi/reviews"
>
>         <Directory "<%= @reviewboard_home -%>/htdocs">
>                 AllowOverride All
>                 Options -Indexes +FollowSymLinks
> #          #partain: our addition:
>            AuthName <%= @httpd_auth_name %>
>            AuthUserFile <%= @httpd_auth_user_file %>
>            AuthType Basic
>            <RequireAny>
>              Require valid-user
>              Require local
>            </RequireAny>
>         </Directory>
>
> (Puppet fills in the template with obvious things.)
>
> I then make admin and user "accounts" through the admin interface.
> All good.
>
> If you use a browser to connect *directly* to backend.example.com/reviews/
> (just for testing...), all the ReviewBoard stuff works.
>
> If you connect (properly) through external.example.com/reviews/, a
> fair few things work, e.g. all the admin functions.
>
> But if you start doing review things (i.e. tickle the "Web API" ?),
> things don't go well.  One example might be: click to add a comment on
> a review -- it will take the comment, but never bring up a
> 'Publish'/'Discard' button, and the comment will in fact not be there.
>
> A worry I have: the external.example.com Apache requires Basic
> authentication.  Its username/passwords have nothing to do with
> ReviewBoard.
>
> So... I login to ReviewBoard (apparently OK).  But, in subsequent
> requests, an "Authorization: Basic ...." header (with the
> *external.example.com* info) is being passed back to
> backend.example.com, and that *may* be confusing things.
>
> For example, I'm logged in as 'admin', looking at a review... I then
> click on 'Admin' (to go do admin).  It asks me to login again -- why?
> because it thinks I'm 'partain' (because it got that from the [bogus]
> Basic authentication?).
>
> When I changed the ReviewBoard username/password to match the
> external.example.com HTTP username/password (so that the
> 'Authorization' info would happen to be correct), that did not
> appear to help.
>
> Is this analysis even partly right?  What should I look at next?
> Does *anyone* have a working reverse-proxied ReviewBoard with Apache?
> Thanks,
>
> Will
>
> --
> Supercharge your Review Board with Power Pack:
> https://www.reviewboard.org/powerpack/
> Want us to host Review Board for you? Check out RBCommons:
> https://rbcommons.com/
> Happy user? Let us know! https://www.reviewboard.org/users/
> ---
> You received this message because you are subscribed to the Google Groups
> "reviewboard" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to reviewboard+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to