我有一个网站,所有页面都通过 AWS Cloudfront(现在 TTL 为 0)。
站点域是 www.example.com,它是云端分发的 CNAME。然后,Cloudfront 使用 origin.www.example.com 从我的 Web 服务器请求该站点,并为身份验证添加自定义标头。
但是现在我还需要将基本身份验证添加到站点,直到它启动。我已经通过在 RewriteCond 中使用 LA-U:REMOTE_USER 进行了尝试
此配置有效,但没有 Auth:
<VirtualHost *:80>
ServerName www.example.com
ServerAlias www.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/www.example.com/trunk
<IfModule mpm_itk_module>
AssignUserId www_site www_site
</IfModule>
<LocationMatch "^(.*\.php)$">
ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
</LocationMatch>
Alias "/robots.txt" "/var/www/norobots.txt"
<Directory /var/www/www.example.com>
RewriteEngine on
RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
RewriteRule .* - [F]
</Directory>
CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
</VirtualHost>
curl http://cxcglobal.demonow.website/
返回站点 HTML。还
curl --header "X-PSK-Auth:mypassword" "http://cxcglobal.demonow.website/
返回站点源代码。
但是,当我将配置修改为
<VirtualHost *:80>
ServerName www.example.com
ServerAlias origin.www.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/www.example.com/trunk
<IfModule mpm_itk_module>
AssignUserId www_site www_site
</IfModule>
<LocationMatch "^(.*\.php)$">
ProxyPass fcgi://127.0.0.1:9154/var/www/www.example.com/trunk
</LocationMatch>
Alias "/robots.txt" "/var/www/norobots.txt"
<Directory /var/www/www.example.com>
RewriteEngine on
RewriteCond %{HTTP:X-PSK-Auth} !^mypassword$
RewriteRule .* - [F]
RewriteCond %{LA-U:WxLaRwvCQ2yAf5KJREMOTE_USER} !^$
RewriteRule ^/(.*) http://origin.www.example.com/$1 [P,L]
AuthUserFile /etc/apache2/staging.passwd
AuthType Basic
AuthName "Review security udpates"
Require valid-user
LogLevel alert rewrite:trace3
</Directory>
CustomLog /var/www/www.example.com/apachelogs/www.example.com-access.log combined
ErrorLog /var/www/www.example.com/apachelogs/www.example.com-error.log
</VirtualHost>
我收到一个错误:
curl http://www.example.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at origin.www.example.com Port 80</address>
</body></html>
对于两个 curl 请求。我在特定于站点的错误日志中没有错误,在全局 apache 错误日志中也没有错误。我也找不到重写日志的任何条目。
更好的方法,可能是使用 lambda 直接在云端处理身份验证......
我自己没有尝试过,但我找到了这个资源......
http://engineering.widen.com/blog/AWS-CloudFront-User-Authentication-using-Lambda@Edge/
它似乎相对简单。Lambda@Edge 允许您运行代码来检查和修改传入请求。