+4  A: 

Add or overwrite the Authorization header before passing any request on to the endpoint. The authorization header can be hard-coded; it's just a base-64 encoding of the string "username:password" (without the quotes).

Enable the mod_headers module if not already done.

RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

To perform this conditionally, enable mod_setenvif, e.g. to still ask for the master password in the case of local requests:

SetEnvIf Remote_Addr "127\.0\.0\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest

EXAMPLE

# ALL remote users ALWAYS authenticate against reverse proxy's
#  /www/conf/passwords database
#
<Directory /var/web/pages/secure>
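  # AuthBasicProvider names a provider; the password file itself goes in AuthUserFile
  AuthBasicProvider file
  AuthUserFile /www/conf/passwords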
  AuthType Basic
  AuthName "Protected Area"
  Require valid-user
</Directory>

# reverse proxy authenticates against master server as:
#  Aladdin:open sesame (Base64 encoded)
#
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Cheers, V.

vladr
This looks promising, but I don't want to ask for the MASTER password if it's a non-local request; I want Apache to maintain a basic Auth passwd list and allow users to Auth with one of several different passwords which the endpoint will never see. This doesn't do that afaik, right?
bjeanes
Just use the first (unconditional, i.e. without SetEnvIf and 'localrequest') variant, i.e. 'RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="'. The reverse proxy will always authenticate with the master password, and users will always use the other passwords to connect to the RP.
vladr
I tried both your original suggestion using SetEnvIf and trying to get BasicAuth working and had no success either way. I can successfully disable the password through the proxy altogether, but not conditionally based on the type of request.
bjeanes
Not sure I understand what was successful and what was not successful. Did the "EXAMPLE" work at all, in the sense that was it able to successfully authenticate against the backend with the master password? What did not work?
vladr
The RequestHeader part worked a charm, but the full Example has a few problems: Directory doesn't make sense here, AuthBasicProvider doesn't do what I think it does, and if it did this would always require a PW. Need to allow users to access proxy if they are on 192.168.1.* OR have a valid PW
bjeanes
Screw it, I will put the second part into another question. You've answered the core part, which was how to send Auth details to the endpoint behind the proxy.
bjeanes
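
The hard-coded value in the answer above is an encoding, not a secret: anyone who can read the proxy configuration recovers the master credentials. The following Python is an added example, not part of the original answer or comments; it builds the header value and scans configuration text for embedded Basic credentials. The function names and the sample configuration are constructed for illustration.

```python
import base64
import binascii
import re

# Matches mod_headers lines such as:
#   RequestHeader set Authorization "Basic <base64>" env=!localrequest
DIRECTIVE = re.compile(
    r'^\s*RequestHeader\s+(?:set|add|append|merge|setifempty)\s+Authorization\s+'
    r'"Basic\s+([A-Za-z0-9+/=]+)"(?:\s+(\S+))?\s*$',
    re.IGNORECASE,
)

def basic_value(username, password):
    """Build the header value: "Basic " + base64("username:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def find_embedded_credentials(config_text):
    """Return (line_no, username, password, condition) for each hard-coded header."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comments and unrelated directives never match
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed Basic credential
        # The user-id cannot contain ':', so split on the first one only.
        username, sep, password = decoded.partition(":")
        if sep:
            findings.append((line_no, username, password, match.group(2)))
    return findings

# Constructed sample: the two RequestHeader variants from the answer above.
SAMPLE_CONFIG = '''\
# reverse proxy authenticates against master server
SetEnvIf Remote_Addr "127\\.0\\.0\\.1" localrequest
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" env=!localrequest
'''

if __name__ == "__main__":
    for line_no, user, password, cond in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {line_no}: user={user!r} password={password!r} condition={cond}")
```

Because the value is recoverable this way, the file holding the directive needs the same read restrictions as any other file containing the master password.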