Proxying to a restricted site

Hi! I’m currently trying to use redirects to proxy to another domain, which ideally would be restricted in some way. I’ve had this working for a while with the secondary site open to the public, but I’m trying to move it to a test site which should not be available publicly.

My netlify.toml looks like this, and works when the second site is fully open:

  [[redirects]]
  from = "/*"
  to = ""
  status = 200
  force = false

The first attempt was with Basic-Auth, so I added this to [[redirects]] in netlify.toml:

headers = { Basic-Auth = "myuser:password" }

I turned off Basic-Auth and tried configuring Apache to allow from our Netlify domain:

order deny,allow
deny from all
allow from

I’ve also tried using a custom header, with headers = { x-from = "netlify" } in netlify.toml and Apache configured like:

order allow,deny
allow from all
RewriteCond %{HTTP:x-from} !^netlify$ [NC]
RewriteRule ^ - [F]

None of these methods have worked. Another piece that could be causing issues is the fact that the secondary domain will redirect to a particular locale. However, with the second site open to the public, going to mynetlifysite[dot]com/en-US proxies as expected, and this is the behavior I’m trying to replicate (but with the site not publicly accessible). Thanks for any help!

If you proxy to a redirect, we will serve the redirect. Could that be what you are seeing?

Visitor browses to your Netlify site
We proxy that connection to your backend
Your backend returns 301 to us
We return 301 (we do NOT follow it!) to your visitor

If that isn’t what’s happening, I’d look at what your browser actually sends when you log in to the backend directly. I suspect it isn’t an HTTP request header called Basic-Auth but instead something more like an Authorization: header, as demonstrated here:

Thanks for the response, fool! You hit a couple of good points here: first, yeah, we were seeing the redirect being served, but we’ve got an okay handle on that now. Second, your auth suspicions are correct, and I think I mentally mashed up a couple pieces of documentation when trying this. I read this: and processed it as “adding a header for basic auth credentials”, not “add basic auth protection to the specified routes”. Anyways, thank you, Authorization was what I needed (and should have tried earlier!)

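Added example (not part of the thread and not Netlify's code): a local stand-in backend showing why a request header named `Basic-Auth` is ignored while `Authorization: Basic <base64(user:password)>` is accepted. The credentials are the thread's placeholder values; `ProtectedBackend`, `basic_auth_value` and `status_with_headers` are hypothetical names.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "myuser", "password"  # placeholder credentials, as in the thread


def basic_auth_value(user: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class ProtectedBackend(BaseHTTPRequestHandler):  # hypothetical restricted origin
    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode("latin-1")
        expected = basic_auth_value(USER, PASSWORD).encode("latin-1")
        if hmac.compare_digest(sent, expected):  # constant-time comparison
            self.send_response(200)
        else:
            self.send_response(401)  # any other header name is simply ignored
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def status_with_headers(headers: dict) -> int:
    """Serve one GET on a free loopback port and return the response status."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/en-US", headers=headers)
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(status_with_headers({"Basic-Auth": f"{USER}:{PASSWORD}"}))
    print(status_with_headers({"Authorization": basic_auth_value(USER, PASSWORD)}))
```

The string returned by `basic_auth_value` is what the proxy rule's `headers` table has to carry under the name `Authorization`. Base64 is an encoding, not encryption, so that value in netlify.toml is the credential itself and should be handled like a password.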