how to add password protection to a proxy domain ?

mec-forum

Member
Jun 18, 2019
20
4
3
Italy
cPanel Access Level
Root Administrator
Hello. I have successfully been able to add an alias to a domain that hosts a nodejs app in the htaccess file.
But When I try to add a basic password authentication it does give me a blank page instead of prompting for credentials.

This is my current .htaccess file:
Code:
AuthType Basic
AuthName "RESTRICTED ACCESS"
AuthUserFile "/home/username/.htpasswds/sub.domain.com/passwd"
Require valid-user

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]

RewriteCond %{HTTP_HOST} .
RewriteRule ^ http://app.other-domain.com:4200%{REQUEST_URI} [L,P]
Here is a curl output. It does seem the app server itself is replying (with error 404) rather than apache sending the 401 directly...

Code:
HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 20:02:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 148

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /401.shtml</pre>
</body>
</html>
If I use the unsecure http protocol with curl I get the headers for my https rewrite which then the app server answer with status 404:

Code:
HTTP/1.1 302 Found
Date: Thu, 07 Jan 2021 20:02:08 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
Location: https://sub.domain.com/401.shtml
Content-Length: 218
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 20:02:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="RESTRICTED ACCESS"
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 148

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /401.shtml</pre>
</body>
</html>

Is there a way to prevent this behaviour and make basic auth work like it is supposed to? Do I have errors / oversights in htaccess?

―――
Also, this webapp can use websockets but I have not found much information on what to add to my htaccess for proxying it...
A quicker way of asking this question may be: "How to add a password protected transparent proxy to a dynamic domain host by only editing .htaccess (if possible) ?"
 
Last edited:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
2,977
376
213
cPanel Access Level
Root Administrator
Hey hey! Our support for Node.JS apps is a bit limited, but I don't believe the main redirection of the app itself should be handled in the .htaccess. According to our documentation here:


the app.js file will have the port configuration set for that app. Since this is the case, you may want to try using a .htaccess file inside the directory of your app itself and not the global /home/username/.htpasswd.