Nefarious Login Error Behind Protected Proxy
slapcat opened this issue · comments
I have placed Nefarious behind a simple Apache proxy. It runs perfectly until I add in some basic authentication to the proxy. When I do, the site will render, but when I try to log in, Nefarious presents an error in the top right corner:
Username
Password
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n\n<title>401 Unauthorized</title>\n\nUnauthorized
\nThis server could not verify that you\nare authorized to access the document\nrequested. Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.
\n
\nApache/2.4.53 (Debian) Server at example.com Port 80\n\n"
My proxy configuration is very boilerplate:
    <VirtualHost *:80>
        ServerName example.com
        ProxyPreserveHost On
        ProxyPass / http://192.168.122.164:8000/
        ProxyPassReverse / http://192.168.122.164:8000/
        Timeout 5400
        ProxyTimeout 5400
        <Proxy *>
            Order deny,allow
            Allow from all
            Authtype Basic
            Authname "Password Required"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Proxy>
    </VirtualHost>
It seems like the authentication between the proxy and Nefarious is getting crossed somehow... Is there any workaround for this? (Even if it is just possible to remove the login completely from Nefarious, that would be acceptable for my use case.)
I don't immediately know why this wouldn't work. It sounds like just the JavaScript XMLHttpRequest/AJAX requests are being denied by the Apache authentication rule (since you said the page loaded initially). I would have assumed the browser would have already authenticated and subsequently passed those credentials along with the AJAX requests, but maybe I'm mistaken. Maybe the JavaScript AJAX requests need to explicitly send the authentication credentials with every request. I'll have to set this configuration up myself to confirm my theory.
I now have a feeling Apache isn't sending the Authorization HTTP header to Nefarious to authenticate.
Nefarious needs to see an HTTP header like Authorization: Token 123abc to authenticate the requests, and I'm wondering if the 401 error is from Nefarious because it can't authenticate without that header.
Closing due to inactivity, but feel free to re-open if you want to continue troubleshooting this.
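A minimal model of the two checks discussed in this thread, added here as an example (it is not Nefarious or Apache code): the proxy's Basic authentication and the `Authorization: Token ...` scheme mentioned above both read the same `Authorization` request header, and a request carries only one value for it. The user name, password, token and function names are constructed for the example, and the model assumes the proxy forwards the header unchanged.

```python
import base64
import hmac

# Constructed sample credentials (assumptions for this example only).
PROXY_USERS = {"alice": "s3cret"}   # stands in for the .htpasswd file
APP_TOKENS = {"123abc"}             # stands in for the backend's API tokens


def proxy_allows(headers):
    """Model of `AuthType Basic` + `Require valid-user` on the proxy."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False                # a Token header is not Basic credentials
    try:
        raw = base64.b64decode(value, validate=True).decode()
    except ValueError:              # bad base64 or undecodable bytes
        return False
    user, _, password = raw.partition(":")
    expected = PROXY_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def app_allows(headers):
    """Model of a backend check for `Authorization: Token <key>`."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return scheme == "Token" and value in APP_TOKENS


def handle(headers):
    """Return (status, layer that answered) for a token-protected API path."""
    if not proxy_allows(headers):
        return 401, "proxy"         # the request never reaches the backend
    if not app_allows(headers):     # assumption: header forwarded unchanged
        return 401, "backend"
    return 200, "backend"


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    for name, headers in [
        ("no header", {}),
        ("Basic credentials", {"Authorization": basic("alice", "s3cret")}),
        ("Token header", {"Authorization": "Token 123abc"}),
    ]:
        print(f"{name:20} -> {handle(headers)}")
```

In this model no single header value passes both layers, and the second element of the result shows which layer produced the 401.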