OH3 behind Apache proxy

Hi.
I hope this hasn’t been discussed elsewhere, I’ve searched for a while wihout finding good solutions.

I wan’t to be able to reach my OH server from wherever I am. For that purpose I have used Apache (since I have it installed for other stuff anyway) with OH2, using ProxyPass, ProxyPassReverse and with basic authentication (pasting entire config below for reference). I soon discoversed that this didn’t work with OH3 because it has it’s own authentication. After some googling I added “Requestheader unset Authorization” to the Apache config (which from what I can understand strips the auth headers from the request) which makes it work again for reaching the user functions.

However this doesn’t work when I want to log in to reach the admin functions, when I try to log in to OH all I get is a white page and Apache log says that “client used wrong authentication scheme”.

Anyone knows how to get around this? Or if there’s any best practice on how to do? Of course I don’t want anything of my OH installation to be reachable without authentication from the Internet and if I understand it correctly some auth in the proxy is needed to accomplish this? But at the same time I need to use OH’s built in authentication to reach the admin functions.

How do others do this?

My Apache config currently looks like this:

<VirtualHost *:443>
  ServerName oh.<redacted>.se

  RequestHeader unset Authorization
  ProxyPass / http://rockpi:8080/
  ProxyPassReverse / http://rockpi:8080/

  <Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/passwords"
    Require user <redacted>
  </Location>

  <Directory />
    AllowOverride All
  </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/<redacted>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<redacted>/privkey.pem
</VirtualHost>

Just checking: did you see this solution, and it didn’t help?

2 Likes

Strange. Can’t see how I could have missed that one… Guess it’ll put me on the track again. Thanks!