Saturday, October 11, 2008

Apache2 Forward Proxying with Digest Authentication

Since WPA is so flaky under Linux with the Westel's provided by Verizon DSL, I often connect to my kid's wireless network, which is more or less wide open. When I connect I've been using the built-in SOCKS proxy in SSH, but I've started using Opera (9.6) since the font rendering is a little easier on the eyes, and as far as I can tell it doesn't support SOCKS.

Oh, I know I could set up selective authorization under squid depending on whether I or the kids log in, but I'm too lazy for that. Finding an HTTP proxy other than squid that supports authentication and is available as a Debian package turned out to be pretty tough, though. Zorp looked interesting but too painful.

I've used Apache as a reverse proxy but never as a normal forward proxy. Would all the authentication methods that work with Apache also work with mod_proxy?

Well I had nothing better to do while waiting for my daughter to fall asleep tonight. Damn red velvet cake my wife made had her totally wired. And I'm shocked as hell I got all this working, since I'd never even done Digest Authentication before on anything.

These are the modules you will need enabled, although most of them came in as dependencies; proxy (mod_proxy) and auth_digest (mod_auth_digest) were, I think, the only ones I added:

nikolas:/etc/apache2/mods-enabled# ls
alias.load autoindex.load proxy.conf
auth_basic.load cgid.conf proxy_connect.load
auth_digest.load cgid.load proxy_http.load
authn_file.load dir.conf proxy.load
authz_default.load dir.load setenvif.load
authz_groupfile.load env.load ssl.conf
authz_host.load mime.load ssl.load
authz_user.load negotiation.load status.load

The Gotchas
  • At first I had to open two listening ports, one for HTTP and one for SSL (I used 1080 and 1083), and specify both in the browser's proxy config. Update: with AllowCONNECT 80 443 a single port is enough. What the browser calls the "SSL proxy" just sends an HTTP CONNECT request for host:443 to the proxy, which mod_proxy_connect tunnels; AllowCONNECT lists the destination ports it is allowed to tunnel to (by default only 443 and 563).

  • The Apache documentation is either wrong or Debian differs from it. On Apache 2.2 the digest user file is given with AuthUserFile (the mod_authn_file directive), not the AuthDigestFile directive that the older mod_auth_digest documentation describes.

  • The realm you specify with AuthName in the Apache config has to match the realm you gave htdigest. The file stores one line per user:realm with MD5(user:realm:password), so with a different realm Apache looks up a user that does not exist in that realm and reports it as "not found".

So this works on Firefox 3.0.3 and Opera 9.6, but SSL is not properly forwarded with IE7 despite applying the MSIE BrowserMatch.

Here are some of the errors I had along the way...

[Sat Oct 11 19:46:34 2008] [warn] proxy: No protocol handler was valid for the URL sitecheck2.opera.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

[Sat Oct 11 20:18:48 2008] [crit] [client 192.168.10.128] configuration error: couldn't perform authentication. AuthType not set!: http://gmail.com/

[Sat Oct 11 20:37:59 2008] [error] [client 192.168.10.128] Digest: user `mfranz' in realm `Blah' not found: http://gmail.com/

And the error I get on IE7:

[Sun Oct 12 08:12:45 2008] [error] [client 192.168.10.129] Digest: uri mismatch - does not match request-uri
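The gotchas above and the errors below them, as one added example: this shell script is not from the original post and is not the author's configuration. It renders the Apache 2.2 forward-proxy vhost the post describes (one listener, AllowCONNECT for https, Digest auth via AuthUserFile), writes a user file in the format htdigest produces, and computes the client-side Digest response so a realm or uri mismatch can be checked by hand. The realm "Blah" and user "mfranz" come from the log lines above; the port 1080, the password "s3cret", the /tmp paths and the use of md5sum instead of htdigest are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example, not the original post's configuration. Builds a one-port
# Apache 2.2 forward proxy protected by Digest auth, plus the user file and
# the client-side response maths, for checking the gotchas in the post.
set -e

REALM="Blah"           # must be identical in AuthName and in the digest file
PORT=1080              # one listener; https goes through it as CONNECT
PROXY_USER="mfranz"
PROXY_PASS="s3cret"    # constructed sample password, an assumption

# HA1 exactly as htdigest stores it: MD5("user:realm:password") in hex.
# A realm typo changes the hash and the lookup key, which Apache reports as
# "user `...' in realm `...' not found".
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# One htdigest-format line: user:realm:HA1
digest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(ha1 "$1" "$2" "$3")"
}

# The vhost: render_conf REALM PORT DIGEST_FILE. AllowCONNECT lets
# mod_proxy_connect tunnel https on the same port, so no second SSL
# listener is needed. AuthUserFile (mod_authn_file) is the 2.2 directive;
# AuthDigestFile is the 2.0 one.
render_conf() {
    cat <<EOF
Listen $2
<VirtualHost *:$2>
    ProxyRequests On
    ProxyVia On
    AllowCONNECT 80 443

    # Without this block the result is an open proxy: Apache applies the
    # <Proxy *> ACL to every proxied request, CONNECT included.
    <Proxy *>
        AuthType Digest
        AuthName "$1"
        AuthDigestProvider file
        AuthUserFile $3
        Require valid-user
    </Proxy>
</VirtualHost>
EOF
}

# Client side of RFC 2617 Digest with qop=auth:
#   HA2      = MD5(method:uri)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
# Usage: digest_response HA1 METHOD URI NONCE NC CNONCE
# For https through the proxy the method is CONNECT and the uri is
# host:443; the uri= the client puts in Proxy-Authorization must equal the
# request line's uri, which is the "uri mismatch" check Apache applies.
digest_response() {
    h1=$1; method=$2; uri=$3; nonce=$4; nc=$5; cnonce=$6
    ha2=$(printf '%s:%s' "$method" "$uri" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s:%s:auth:%s' "$h1" "$nonce" "$nc" "$cnonce" "$ha2" \
        | md5sum | cut -d' ' -f1
}

# Write both files. On Debian the conf would go under
# /etc/apache2/sites-available followed by a2ensite and a reload.
generate_all() {
    conf=${1:-/tmp/proxy-digest.conf}
    users=${2:-/tmp/proxy.digest}
    digest_line "$PROXY_USER" "$REALM" "$PROXY_PASS" > "$users"
    render_conf "$REALM" "$PORT" "$users" > "$conf"
    echo "wrote $conf and $users"
}

if [ "${1:-}" = "--write" ]; then
    generate_all "$2" "$3"
fi
```

Run it as `sh proxy-digest.sh --write /etc/apache2/sites-available/proxy /etc/apache2/proxy.digest` to write the files; the functions can also be sourced to check a browser's Proxy-Authorization header against what the server expects. The digest user file protects only the password hash in a fixed realm, so keep it readable by the Apache user alone.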
4 comments:

    egypt said...

    You have to use SSL because if you don't it's no longer a secure proxy. The point of tunneling through SSH is to have everything encrypted. Simply forwarding through a proxy provides no additional security and the guy sitting in the Volvo across the street will still be able to see all of your traffic.

    Matt Franz said...

    Egypt,

    Sure, if I want confidentiality I use SSH, OpenVPN, stunnel, or just connect to my WPA2 network. But this configuration (even with the SSL options enabled) didn't provide a secure tunnel.

    And the Volvo across the street is the only other car with an Obama sticker in my neighborhood so they can sniff my traffic anytime.

    rdeacon said...

    Did you have any luck with the IE7 issue? I am running into the same issue now.

    Matt Franz said...

    rdeacon,

    No, I gave up and went back to just using Basic auth in the training environment where I had a lot of Windows users :(