Using an Apache reverse proxy with password in front of TeamCity

Hi all,

I have successfully set up an Apache 2 server as a reverse proxy in front of TeamCity.
Now, I'm trying to make it use an additional global password when serving proxy requests.

I added the relevant lines to my proxy.conf file:

<Proxy *>
    Order deny,allow
    Allow from all

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/passwords
    Require user ourusername
</Proxy>

ProxyPass / http://localhost:8111/ retry=0
ProxyPassReverse / http://localhost:8111/
ProxyPreserveHost On
ProxyErrorOverride On



This is the result I'm getting:
When I access a static resource of TeamCity (e.g. http://myserver.com/img/ajax-loader.gif), I enter the user/pass I just set up, and manage to access the resource. This is printed by my browser: The site says: "Restricted Files"

The problem is when I try to access the main TeamCity page (or /login.html). There, I get a total of two password prompts - the one above, and an additional password prompt with The site says: "TeamCity"

This prompt is actually for my personal TeamCity user/pass (not the global username I configured above). Instead of getting to the login page, the authentication mechanism happens at the Apache level for some reason. When I enter my credentials, I am again prompted with 'The site says: "Restricted Files"' ... I'm in a loop with the two passwords.

So, does anyone know how to configure an Apache reverse proxy with password authentication in front of TeamCity?

Thanks,
Ron

2 comments

Hi Ron

It looks like the Apache proxy forces the browser to set the Authorization HTTP header. Then this header is passed to the TeamCity application, where it tries to use it for internal authentication. Here is the conflict.

This is a very similar issue: http://stackoverflow.com/questions/4428903/remove-basic-authentication-header-with-apache-mod-proxy
Try to use the RequestHeader unset Authorization command.

By the way, could you share why you need such an additional authentication level? TeamCity allows you to disable guest logon - is it not enough?

Michael

0
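Added example, not part of the original thread: the proxy.conf from the question with the RequestHeader unset Authorization directive suggested above applied. It assumes mod_headers is loaded (the a2enmod command in the comment assumes a Debian-style layout, as /etc/apache2 suggests); all other values are copied from the question.

```apache
# Assumption: mod_proxy, mod_proxy_http and mod_headers are enabled,
# e.g. on Debian/Ubuntu: a2enmod proxy proxy_http headers

<Proxy *>
    # Access-control lines kept exactly as posted in the question.
    Order deny,allow
    Allow from all

    # Apache-level gate: one shared account checked against the htpasswd file.
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/passwords
    Require user ourusername
</Proxy>

# RequestHeader runs in its default "late" mode, i.e. after Apache has
# already authenticated the request. Removing the header here means the
# shared Apache credentials are never forwarded to TeamCity, so TeamCity
# does not try to treat them as a TeamCity login and shows its own
# login page instead of answering with a second Basic prompt.
RequestHeader unset Authorization

ProxyPass / http://localhost:8111/ retry=0
ProxyPassReverse / http://localhost:8111/
ProxyPreserveHost On
ProxyErrorOverride On
```

With the header stripped, any client that authenticates to TeamCity itself with HTTP Basic cannot do so through this proxy. Basic credentials are only base64-encoded on the wire, so a proxy exposed to the public internet should serve this virtual host over HTTPS.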

This is just as an extra precaution.
Since this server is running on the public internet, it means that any flaw in TeamCity's authentication mechanism can lead to an attacker viewing our source code.

Apache's authentication mechanism is more widely tested than TeamCity's.

When I get a chance to test your solution, I'll post whether it worked or not - thanks!

0
