Re: reverse-proxy ReviewBoard through external Apache with basic auth?

[Will Partain]

Christian Hammond  writes:

> If the external Review Board server is requiring Basic Auth for access
> (outside of our Basic Auth requests in the API), then that may be a
> problem. You're dealing with two different kinds of authentication. I'm not
> sure from your description whether things are set up so that Review Board
> is expecting Basic Auth for authentication using some custom backend, or if
> you just have an extra layer around the access to your server.
>
> Can you tell me more about the auth setup, and how/why things are set up
> this way?

Hi, Christian -- the machine I am calling external.example.com
faces the public internet and is the "front door"/gatekeeper for
several services (of which ReviewBoard is one).  It requires
basic HTTP auth to get it to do anything at all.  It's DMZ-ish --
can't see any filesystems, etc.; just reverse-proxies requests
back to the right place.

ReviewBoard runs on (what I am calling) backend.example.com.  We
need "users", so we can tell who did what, but
authentication/authorization aren't critical.  In the past,
passwords were a standard pattern that everyone knew.  (The
authentication that mattered was at the "front door".)

(Some old chat re REMOTE_USER etc is related -- "I already know
this person is OK, let's get on with it".  I can't tell if any of
that stuff is in modern ReviewBoard.)

With the standard Auth, it looked to me like the Authorization
HTTP header (with Basic auth info in it) was coming in from the
reverse proxy and ReviewBoard was using that to authenticate to
the Web API. (Yes?)  What I didn't quite get was: if I made the
ReviewBoard usernames and passwords the same as the "front door"
auth, i.e. the "correct" info should be in the Authorization HTTP
header, it still didn't quite work.  (E.g. I never got a Publish
button for a comment on a review.)

> Generally, I'd recommend not using Basic Auth for your Review Board server,
> and instead using something backed by LDAP, if you need some kind of
> external management of users.

For our ReviewBoard, pretty brainless auth would be fine (see
above).  LDAP would be overkill.  I'd actually prefer ReviewBoard
never saw users' real passwords.  Hmm... is there a way to just
blindly let them in?

(I am also not sure why... if you stick a ReviewBoard server
directly on external.example.com -- still doing HTTP Basic auth
-- and get rid of the reverse-proxying, it all works fine.  I
can't quite see what difference the RB server sees.)

Maybe we'll figure it out :-)  Thanks for your help,

Will

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

reverse-proxy ReviewBoard through external Apache with basic auth?

[Will Partain]

I am failing to reverse-proxy through an external Apache 2.4 server to
a ReviewBoard service (2.6.5.1).

The external server is (let's say) external.example.com.  Its Apache
config includes:

  ProxyPass /reviews http://backend.example.com/reviews

  
ProxyPassReverse  http://backend.example.com/reviews
ProxyPassReverseCookieDomain backend.example.com external.example.com
RequestHeaderunset  Accept-Encoding

<%= @httpd_auth_thing %>
  

where the @httpd_auth_thing turns into a standard Apache Basic
authentication thing.

The backend server (also Apache 2.4) includes standard ReviewBoard
runes, i.e.

WSGIPassAuthorization On
WSGIScriptAlias "/reviews" "<%= @reviewboard_home 
-%>/htdocs/reviewboard.wsgi/reviews"

/htdocs">
AllowOverride All
Options -Indexes +FollowSymLinks
#  #partain: our addition:
   AuthName <%= @httpd_auth_name %>
   AuthUserFile <%= @httpd_auth_user_file %>
   AuthType Basic
   
 Require valid-user
 Require local
   


(Puppet fills in the template with obvious things.)

I then make admin and user "accounts" through the admin interface.
All good.

If you use a browser to connect *directly* to backend.example.com/reviews/
(just for testing...), all the ReviewBoard stuff works.

If you connect (properly) through external.example.com/reviews/, a
fair few things work, e.g. all the admin functions.

But if you start doing review things (i.e. tickle the "Web API" ?),
things don't go well.  One example might be: click to add a comment on
a review -- it will take the comment, but never bring up a
'Publish'/'Discard' button, and the comment will in fact not be there.

A worry I have: the external.example.com Apache requires Basic
authentication.  Its username/passwords have nothing to do with
ReviewBoard.

So... I login to ReviewBoard (apparently OK).  But, in subsequent
requests, an "Authorization: Basic " header (with the
*external.example.com* info) is being passed back to
backend.example.com, and that *may* be confusing things.

For example, I'm logged in as 'admin', looking at a review... I then
click on 'Admin' (to go do admin).  It asks me to login again -- why?
because it thinks I'm 'partain' (because it got that from the [bogus]
Basic authentication?).

When I changed the ReviewBoard username/password to match the
external.example.com HTTP username/password (so that the
'Authorization' info would happen to be correct), that did not
appear to help.

Is this analysis even partly right?  What should I look at next?
Does *anyone* have a working reverse-proxied ReviewBoard with Apache?  Thanks,

Will

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.