how to add password protection to a proxy domain ?

[mec-forum]

Hello. I have successfully been able to add an alias to a domain that hosts a nodejs app in the htaccess file.
But When I try to add a basic password authentication it does give me a blank page instead of prompting for credentials.

This is my current .htaccess file:

AuthType Basic
AuthName "RESTRICTED ACCESS"
AuthUserFile "/home/username/.htpasswds/sub.domain.com/passwd"
Require valid-user

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]

RewriteCond %{HTTP_HOST} .
RewriteRule ^ http://app.other-domain.com:4200%{REQUEST_URI} [L,P]

Here is a curl output. It does seem the app server itself is replying (with error 404) rather than apache sending the 401 directly...

HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 20:02:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 148

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /401.shtml</pre>
</body>
</html>

If I use the unsecure http protocol with curl I get the headers for my https rewrite which then the app server answer with status 404:

HTTP/1.1 302 Found
Date: Thu, 07 Jan 2021 20:02:08 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
Location: https://sub.domain.com/401.shtml
Content-Length: 218
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 20:02:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 148

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /401.shtml</pre>
</body>
</html>

Is there a way to prevent this behaviour and make basic auth work like it is supposed to? Do I have errors / oversights in htaccess?

―――
Also, this webapp can use websockets but I have not found much information on what to add to my htaccess for proxying it...
A quicker way of asking this question may be: "How to add a password protected transparent proxy to a dynamic domain host by only editing .htaccess (if possible) ?"

 

[cPRex]

Hey hey! Our support for Node.JS apps is a bit limited, but I don't believe the main redirection of the app itself should be handled in the .htaccess. According to our documentation here:

How to Install a Node.js Application | cPanel & WHM Documentation

This document describes how to install a Node.js web application. Node.js is a JavaScript runtime that allows you to build scalable web applications.

docs.cpanel.net

the app.js file will have the port configuration set for that app. Since this is the case, you may want to try using a .htaccess file inside the directory of your app itself and not the global /home/username/.htpasswd.