Re: reverse-proxy ReviewBoard through external Apache with basic auth?
Christian Hammondwrites: > If the external Review Board server is requiring Basic Auth for access > (outside of our Basic Auth requests in the API), then that may be a > problem. You're dealing with two different kinds of authentication. I'm not > sure from your description whether things are set up so that Review Board > is expecting Basic Auth for authentication using some custom backend, or if > you just have an extra layer around the access to your server. > > Can you tell me more about the auth setup, and how/why things are set up > this way? Hi, Christian -- the machine I am calling external.example.com faces the public internet and is the "front door"/gatekeeper for several services (of which ReviewBoard is one). It requires basic HTTP auth to get it to do anything at all. It's DMZ-ish -- can't see any filesystems, etc.; just reverse-proxies requests back to the right place. ReviewBoard runs on (what I am calling) backend.example.com. We need "users", so we can tell who did what, but authentication/authorization aren't critical. In the past, passwords were a standard pattern that everyone knew. (The authentication that mattered was at the "front door".) (Some old chat re REMOTE_USER etc is related -- "I already know this person is OK, let's get on with it". I can't tell if any of that stuff is in modern ReviewBoard.) With the standard Auth, it looked to me like the Authorization HTTP header (with Basic auth info in it) was coming in from the reverse proxy and ReviewBoard was using that to authenticate to the Web API. (Yes?) What I didn't quite get was: if I made the ReviewBoard usernames and passwords the same as the "front door" auth, i.e. the "correct" info should be in the Authorization HTTP header, it still didn't quite work. (E.g. I never got a Publish button for a comment on a review.) > Generally, I'd recommend not using Basic Auth for your Review Board server, > and instead using something backed by LDAP, if you need some kind of > external management of users. For our ReviewBoard, pretty brainless auth would be fine (see above). LDAP would be overkill. I'd actually prefer ReviewBoard never saw users' real passwords. Hmm... is there a way to just blindly let them in? (I am also not sure why... if you stick a ReviewBoard server directly on external.example.com -- still doing HTTP Basic auth -- and get rid of the reverse-proxying, it all works fine. I can't quite see what difference the RB server sees.) Maybe we'll figure it out :-) Thanks for your help, Will -- Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/ Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/ Happy user? Let us know! https://www.reviewboard.org/users/ --- You received this message because you are subscribed to the Google Groups "reviewboard" group. To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
reverse-proxy ReviewBoard through external Apache with basic auth?
I am failing to reverse-proxy through an external Apache 2.4 server to a ReviewBoard service (2.6.5.1). The external server is (let's say) external.example.com. Its Apache config includes: ProxyPass /reviews http://backend.example.com/reviews ProxyPassReverse http://backend.example.com/reviews ProxyPassReverseCookieDomain backend.example.com external.example.com RequestHeaderunset Accept-Encoding <%= @httpd_auth_thing %> where the @httpd_auth_thing turns into a standard Apache Basic authentication thing. The backend server (also Apache 2.4) includes standard ReviewBoard runes, i.e. WSGIPassAuthorization On WSGIScriptAlias "/reviews" "<%= @reviewboard_home -%>/htdocs/reviewboard.wsgi/reviews" /htdocs"> AllowOverride All Options -Indexes +FollowSymLinks # #partain: our addition: AuthName <%= @httpd_auth_name %> AuthUserFile <%= @httpd_auth_user_file %> AuthType Basic Require valid-user Require local (Puppet fills in the template with obvious things.) I then make admin and user "accounts" through the admin interface. All good. If you use a browser to connect *directly* to backend.example.com/reviews/ (just for testing...), all the ReviewBoard stuff works. If you connect (properly) through external.example.com/reviews/, a fair few things work, e.g. all the admin functions. But if you start doing review things (i.e. tickle the "Web API" ?), things don't go well. One example might be: click to add a comment on a review -- it will take the comment, but never bring up a 'Publish'/'Discard' button, and the comment will in fact not be there. A worry I have: the external.example.com Apache requires Basic authentication. Its username/passwords have nothing to do with ReviewBoard. So... I login to ReviewBoard (apparently OK). But, in subsequent requests, an "Authorization: Basic " header (with the *external.example.com* info) is being passed back to backend.example.com, and that *may* be confusing things. For example, I'm logged in as 'admin', looking at a review... I then click on 'Admin' (to go do admin). It asks me to login again -- why? because it thinks I'm 'partain' (because it got that from the [bogus] Basic authentication?). When I changed the ReviewBoard username/password to match the external.example.com HTTP username/password (so that the 'Authorization' info would happen to be correct), that did not appear to help. Is this analysis even partly right? What should I look at next? Does *anyone* have a working reverse-proxied ReviewBoard with Apache? Thanks, Will -- Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/ Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/ Happy user? Let us know! https://www.reviewboard.org/users/ --- You received this message because you are subscribed to the Google Groups "reviewboard" group. To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.