[users at bb.net] How do you pass through authentication from Apache?

Chris Spencer chrisspen at gmail.com
Wed Feb 15 20:12:16 UTC 2017

Ok, now I understand. So Buildbot *will* always show a login form
regardless of auth method used, which is what I'm seeing. I misread what
you said earlier. Yes, Apache will block the request if basic auth fails. I
was asking how Buildbot by itself should behave, and I thought you meant
Buildbot wouldn't render anything when using RemoteUserAuth().

Buildbot and Apache seem to be working just fine on their own. Buildbot's
running builds and Apache's authenticating and passing me through to
Buildbot. The problem is Buildbot's either ignoring or not receiving the
REMOTE_USER header from Apache. For reference, this is my non-working
Apache config:

<VirtualHost *:80>

    <Location />
        AuthType Basic
        AuthName "Buildbot"
        AuthUserFile /usr/local/myproject/buildbot/htpasswd
        Require valid-user

    <Location /ws>
      ProxyPass ws://
      ProxyPassReverse ws://

    ProxyPass /ws !
    ProxyPass /
    ProxyPassReverse /


I'll ask for help on one of the StackExchange sites.

Thanks for your help.

On Wed, Feb 15, 2017 at 12:51 PM, Pierre Tardy <tardyp at gmail.com> wrote:

> It won't show a login form if apache is correctly configured as there
> should be no way to pass through apache if you are not authenticated.
> As the auth code is shared with all the other authentication mechanisms,
> and is already complex enough, there is nothing in the UI that manage that
> case.
> In that case of apache misconfiguration, it will just show the login form.
> Pierre
> Le mer. 15 févr. 2017 à 18:29, Chris Spencer <chrisspen at gmail.com> a
> écrit :
>> I'm still confused. You said if I used RemoteUserAuth, Buildbot won't
>> show a login form, but it is. Even if Apache isn't correctly passing
>> through the username, should that not be happening? Does Buildbot render a
>> login form for anonymous users, regardless of the auth method?
>> On Wed, Feb 15, 2017 at 12:01 PM, Pierre Tardy <tardyp at gmail.com> wrote:
>> From what I see, the buildbot config looks good.
>> I guess the issue you have is more about how to configure apache to
>> enforce authentication of a proxy
>> Perhaps you can get more help in an apache forum.
>> Pierre
>> Le mer. 15 févr. 2017 à 17:55, Chris Spencer <chrisspen at gmail.com> a
>> écrit :
>> The example Apache config doesn't include basic auth. I'm unfamiliar with
>> using websockets and basic auth together. How would I do that? Would I add
>> the auth settings to the <Location /ws> section or a separate <Location />
>> section?
>> On Wed, Feb 15, 2017 at 11:09 AM, Pierre Tardy <tardyp at gmail.com> wrote:
>> The goal of RemoteUserAuth is to disable completely the login UI of
>> buildbot, and let apache handle the authentication alone.
>> Buildbot will get a header from Apache telling it which user is actually
>> logged in.
>> If you configured your apache correctly, you should never achive to get
>> the buildbot UI unless you get a browser-based login prompt.
>>              Require valid-user  is if I understand correctly what is
>> need to implement such thing
>> Also, please note that apache requires a specific configuration to allow
>> websocket to work correctly
>> http://docs.buildbot.net/latest/manual/cfg-www.html#
>> reverse-proxy-configuration
>> Le mer. 15 févr. 2017 à 17:02, Chris Spencer <chrisspen at gmail.com> a
>> écrit :
>> I'm not sure I understand. Anonymous users can definitely still see the
>> site from Apache in 0.9.*. I'm looking at my Buildbot server right now as
>> an anonymous user. It seems to hide a lot of details for anonymous users,
>> but it's still rendering the basic site, listing builders and recent
>> builds. By "show no output" I mean it should only render a login page and
>> nothing else if the user is not authenticated.
>> I tried the util.RemoteUserAuth but it doesn't seem to do anything.
>> Buildbot still requires I login via the on-screen user login dropdown, and
>> ignores the basic Http login I give to Apache.
>> Oddly, it also seems to ignore util.HTPasswdAuth(). If I enter a
>> username/password that I added to my htpasswd file into Buildbot's login
>> form, Buildbot still won't let me login through its web interface. Is there
>> some trick to getting an htpasswd file to work with Buildbot? There are no
>> errors reported in the twistd.log.
>> This is my Apache config:
>>     <VirtualHost *:80>
>>         ProxyPass /
>>         <Location />
>>             AuthType Basic
>>             AuthName "Buildbot"
>>             AuthUserFile /usr/local/myproject/src/buildbot/htpasswd
>>             Require valid-user
>>         </Location>
>>     </VirtualHost>
>> On Wed, Feb 15, 2017 at 3:50 AM, Pierre Tardy <tardyp at gmail.com> wrote:
>> Hi Chris,
>> What you are looking for is theRemoteUserAuth plugin
>> http://buildbot.readthedocs.io/en/latest/manual/cfg-www.
>> html#buildbot.www.auth.RemoteUserAuth
>> There is no more support for combination useHttpHeader + HTPasswdAprAuth,
>> which allowed apache authentication + anonymous access.
>> I am not sure exactly if this is what you mean by "show no output to an
>> anonymous user"
>> Pierre
>> Le mer. 15 févr. 2017 à 07:21, Chris Spencer <chrisspen at gmail.com> a
>> écrit :
>> In 0.8.*, I was using http authentication in Apache to collect the
>> username/password and pass that through to Buildbot. I was doing that with:
>>     authz_cfg=authz.Authz(
>>         auth=auth.HTPasswdAprAuth('.htpasswd')),
>>         useHttpHeader=True,
>>         ...
>>     )
>> However, in 0.9.*, there doesn't appear to be a HTPasswdAprAuth class or
>> a useHttpHeader option. Is there still a way to setup this type of
>> authentication?
>> My goal is to show no output to an anonymous user.
>> _______________________________________________
>> users mailing list
>> users at buildbot.net
>> https://lists.buildbot.net/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildbot.net/pipermail/users/attachments/20170215/f7078d2d/attachment.html>

More information about the users mailing list