Allow AccessList and PasswordFile functionality to work for reverse proxy

3 February 2017, 01:25
I have some simple web services (elog, roundup, fossil) that I want to run behind hiawatha.
I want to limit what hosts can connect to the reverse proxy and in one case add
a password requirement enforced by hiawatha before the service.

I have only a single DNS name on which to run it, so I can't have multiple virtual hosts.

Basically I am looking for a way to set up access controls available to directories for the reverse proxy.

Since I have different access lists/passwords for the different proxys, so I can't set it
at the virtual host level.

Is there any solution to this issue?
Hugo Leisink
3 February 2017, 19:43
To limit what hosts can connect, use the AccessList option.

Have you given the ReverseProxy option already a try?
Joe Schmoe
3 February 2017, 21:24
Is it possible to use the port (like 8080 or 8888) for different virtualhosts using the same IP address or even hostname?
Hugo Leisink
3 February 2017, 23:31
Yes, use the BindingID and RequiredBinding options for that.
4 February 2017, 00:31
Hi Hugo:

I only want some of the reverse proxy's to have an access list not all.

There is no way that I know of to have two different access lists for 2 different
reverse proxies in a single virtual host.

I really wish I could define a
reverseproxy {
proxyid = elog
path = /elog
strip = 1
target =
timeout = 60
keepalive = yes
accesslist = deny, pwd, deny all
passwordfile = /protect/passwords

and then in the virtualhost use:
virtualhost {
# configure for foswiki
UseToolkit = foswiki
Alias = /foswiki/bin:/tools/foswiki/bin
Alias = /foswiki/pub:/tools/foswiki/pub
Alias = /foswiki/robots.txt:/tools/foswiki/robots.txt
# configure for elog
UseToolkit = elog
use ReverseProxy elog

UseToolkit = fossil
useReversProxy fossil

usetoolkit roundup
usereverseproxy = roundup
... 30 other directives removed

similar to how directory stanzas are configured.

Joe Schmoe abut a year ago I tried to set up reverse proxy's by looping back into
hiawatha on different ports with different virtual hostnames. Hiawatha detected it
as an infinite loop and dropped connections.

See the 7 June 2015 post on:

Hugo does the use of the BindingId and RequiredBinding change the X-Hiawatha-RProxy-ID value
so that rproxy.c::rproxy_loop_detected() doesn't detect a loop when I proxy back through
a running hiawatha?

If so then that sounds like it would work. I just create a new
virtual host stanza with a binding of and different ports. Then set the accesslist and passwordfile for the virtual host and use that host for exactly one reverse proxy.

Does that sounds like it would work?

-- rouilj
Hugo Leisink
5 February 2017, 09:42
No, that won't work with Hiawatha. My advice, buy a cheap domain name and make some hostnames in it. Will also solve a lot of other issues.
6 February 2017, 02:00
That's something more to maintain and pay for, additional costs will probably scuttle the whole thing.

Would you be open to the idea of adding a counter to the rproxy header?
This is the same idea as a TTL in the IP protocol.

Every time hiawatha sees a matching rproxy_id it scans the string to find the integer value.
If the value exceeds some number, it reports a loop and doesn't forward the connection.
Otherwise it increments the counter and generates the next rproxy request. In my case a limit
of 2 would work fine.

Also I tried another way to meet the requirements. Have the internet facing haiwatha proxy to a second hiawatha.

The config file for the second hiawatha binds a specific port on the loopback address.
Then the binding id is used to bind a specific port to a VirtualHost. In the virtual
host I set AccessList and PasswordFile. Should this work? I spent an hour on it and never did manage to get it working reliably.
6 February 2017, 02:20
Ok,I see how the loop detection is coded, without some major changes the TTL idea won't work.
Too bad.

But I think the second hiawatha should work right?
Hugo Leisink
6 February 2017, 09:42
That's something more to maintain and pay for, additional costs will probably scuttle the whole thing.

A domain costs about $10 a year and only requires setting hostnames once. I have multiple domains and they don't require any maintenance. You are trying to make it work with a whole lot of technical trickery, just to save $10 a year. I advice you to rethink this.
This topic has been closed.