Exclude specific cakephp controller from http basic auth - apache

I'm trying to exclude a path (URI) from being blocked by basic http auth.
The path is /rest (http://example.com/rest) and represents a controller of a CakePHP 3 application. It is NOT a real file, but rather a path rewritten by a rewrite condition and handled by index.php in the webroot dir.
Here are the rewrite rules:
/var/www/.htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
/var/www/webroot/.htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
I'm running Apache 2.4 and tried different configurations:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
Require expr %{REQUEST_URI} =~ m#/rest/.*#
Require expr %{REQUEST_URI} =~ m#/index.php/rest/.*#
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...adapted from https://stackoverflow.com/a/33655232/1285585
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location "/rest">
Allow from all
Satisfy any
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
... from https://serverfault.com/a/475845/229877
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location "/rest">
Require all granted
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
... from https://www.apachelounge.com/viewtopic.php?p=30200
...
<Location "/">
SetEnvIf Request_URI ^/rest noauth=1
SetEnvIf Request_URI /rest noauth=1
SetEnvIf Request_URI ^/index.php/rest noauth=1
SetEnvIf Request_URI /index.php/rest noauth=1
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
</Location>
... from https://stackoverflow.com/a/8979889/1285585
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location ~ "/(rest|index.php/rest)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
... from https://stackoverflow.com/a/13296294/1285585
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Files "index.php/rest">
Satisfy Any
Allow from all
</Files>
<Files "rest">
Satisfy Any
Allow from all
</Files>
... from HTTP Basic Auth Exclude Single File
However, none of them seems to work. I always get a 401 error using wget, or an authentication prompt in a browser.
The problem seems to be that the path /rest passes the condition but is then rewritten to index.php, which is under control of basic auth (and has to be).
Any clues?

Finally figured it out when I stumbled upon this answer (https://stackoverflow.com/a/14010456/1285585) to a related question.
Here is my solution:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
# Default to Basic Auth protection for any site
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
# If the request goes to a rest page: bypass basic auth
SetEnvIf Request_URI ^/rest/ noauth=1
Allow from env=REDIRECT_noauth
Allow from env=noauth
Order Deny,Allow
Satisfy any
Deny from all
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
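The accepted configuration relies on Order, Allow and Satisfy, which Apache 2.4 only still understands through mod_access_compat. As an added example (not part of the original answer), here is the same exemption written with the 2.4 authorization model. It keeps the one detail that makes the answer work: the internal redirect mod_rewrite performs when it hands /rest/... to index.php copies every environment variable of the original request under a REDIRECT_ prefix, so both names have to be accepted. Paths, realm name and htpasswd location are the question's.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webroot

    <Directory /var/www>
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd

        # Tag the original request before mod_rewrite turns it into an
        # internal redirect to index.php. Anchored at the start and including
        # the slash, so only the controller's URL space is tagged and a path
        # such as /restricted is not.
        SetEnvIf Request_URI "^/rest/" noauth=1

        # Several Require lines without a container already act as RequireAny;
        # the container is spelled out for readability.
        <RequireAny>
            # the original request, e.g. GET /rest/users
            Require env noauth
            # the internally redirected request for index.php sees the
            # variable under its REDIRECT_ name
            Require env REDIRECT_noauth
            # everything else needs an account from the htpasswd file
            Require valid-user
        </RequireAny>
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Two things to check after deploying: `^/rest/` does not match a bare /rest, so use `^/rest(/|$)` if the controller is also requested without a trailing slash; and if the rewrite chain performs more than one internal redirect, each hop adds another prefix, so the variable arrives as REDIRECT_REDIRECT_noauth and a further `Require env` line is needed. Both are easy to confirm with a request to /rest/... and to / from a client without credentials: the first should return 200, the second 401.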

Related

Apache LDAP Authentication only for some virtualhosts

I have a webserver running Apache 2.4.6 under CentOS 7 in which I have several web resources. I want to apply LDAP authentication only to some of them, so I am trying to do it by creating a single virtualhost for every resource and configuring LDAP authentication only on the resources I want.
This is my attempt:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
This is the relevant information of my current httpd.conf file:
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
IncludeOptional conf.d/*.conf
But it always asks for authentication for both test1 and test2, and for test2 I am not even able to load the content after logging in (test1 loads fine).
Finally achieved it by using the Alias directive, so:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
Alias /test1 /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
Alias /test2 /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

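As written, both vhosts bind *:80 with the same ServerName placeholder; if the real names are identical too, the first vhost answers every request, which is consistent with the symptom reported. They also mix 2.2-style Order/Allow lines with 2.4 Require lines in one section, which the Apache documentation discourages. Added here as an example, and not the asker's final configuration, is one vhost that serves both resources from a common DocumentRoot, applies LDAP authentication to /test1 only, and uses only 2.4 authorization directives. The LDAP URL, bind DN, password and group are the question's placeholders; the SetHandler line is left out (add back whatever handler the application needs).

```apache
<VirtualHost *:80>
    ServerName server_name
    DocumentRoot /var/www/html

    # Public resource: reachable without credentials
    <Directory "/var/www/html/test2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Protected resource: LDAP group membership required
    <Directory "/var/www/html/test1">
        Options FollowSymLinks
        AllowOverride None

        AuthType Basic
        AuthName "ldap_auth"
        AuthBasicProvider ldap
        # placeholders from the question; replace with the real values
        AuthLDAPURL ldap_url
        AuthLDAPBindDN ldap_dn
        AuthLDAPBindPassword ldap_pass
        # ldap-group expects the group's DN
        Require ldap-group ldap_group
    </Directory>
</VirtualHost>
```

Because AuthMerging is Off by default, the Require lines in each Directory section stand alone, so /test2 is not affected by the LDAP requirement of /test1. Basic authentication transmits the password with every request, so the vhost should be served over TLS, and the directory-to-LDAP connection should use ldaps:// or STARTTLS; from 2.4.5 on the bind password can also be read from a program with the `exec:` prefix of AuthLDAPBindPassword instead of being stored in the configuration file.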
Apache 2.4: AuthType Basic and REQUEST_URI - Comparisons (with or without regular expr.) do not work properly

We use Apache 2.4.10 on a Debian server. Requests are redirected from an Apache proxy server (same system and version) which acts as a balancer (only one balancer member at the moment).
Access to the related single virtual host is generally restricted via AuthType Basic. Just one folder containing public documents should be accessible without authentication.
I tested multiple ways (new Apache 2.4 syntax) to accomplish that, but no matter which method I tried, I always got stuck at the same issue: any comparison with the REQUEST_URI does not work as expected, with or without a regular expression. It seems as if the REQUEST_URI had an invalid value at the time the comparison takes place.
I tried, among others, the following alternatives:
A)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{REQUEST_URI} =~ m#^/docs#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
B)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
<LocationMatch "^/docs">
AuthType None
Require all granted
</LocationMatch>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
C)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
SetEnvIf Request_URI /docs noAuth=1
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require env noauth
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
Every alternative seems to get stuck at the same issue. The comparison with the REQUEST_URI fails or does not work properly.
An example: when I change line 16 in example A to
Require expr %{REQUEST_URI} =~ m#^/[a-z]#
(as a test), then it works (access is granted without credentials).
When I change [a-z] to e.g. [d-i], it still works, but when I change [a-z] to e.g. [d-g], it does not work anymore and the user/pass dialogue appears.
The exact same behaviour appears when I change the regular expression in the LocationMatch directive in example B accordingly.
Another hint:
Using <Location /docs> instead of <LocationMatch ...> (see example B) does not work either. But <Location /> works.
And:
The log output is always identical:
When access is granted without credentials, the value of REQUEST_URI is the same as the path part of the requested URL (e.g. /docs).
But when the user/pass dialogue appears, the value is a dash ("-"); this seems to be the default value that Apache uses for empty or unavailable values.
And:
The problem persists even when I access the server directly (without the proxy) or when I use e.g. wget to make a request to localhost on the server.
Does anyone have an idea what's going on here?
I finally found a workaround myself. I use version A), but with the environment variable THE_REQUEST instead of REQUEST_URI. Fortunately it works!
The adjusted version of A), for GET requests only:
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{THE_REQUEST} =~ m#GET\s+\/docs\/[^\/]+\s+HTTP#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
Instead of using Location, you can use another directory.
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
<Directory "/var/www/domain.name/docs/">
AuthType None
Require all granted
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
The same can be accomplished through the use of .htaccess. A related question has been answered in How to remove .htaccess password protection from a subdirectory.
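Whichever exemption is chosen, the first thing to establish is which URI the authorization phase actually evaluated. The question's log format reads %{REQUEST_URI}e, an environment variable that is normally populated only when a CGI-style handler (PHP, CGI) runs, which never happens on a 401; that explains the dash, but it says nothing about the URI the Require line saw. The fragment below is an added diagnostic example, not from the question or either answer. It logs the raw request line, the URL path of the original request and of the final (possibly internally redirected) request, the REDIRECT_URL and REDIRECT_STATUS variables that exist only after an internal redirect, and raises the authz_core log level for this vhost. The symptoms above (a class including the letter i matches, <Location /> matches but <Location /docs> does not) are consistent with the check running against a rewritten URI such as /index.php, but the page does not show the .htaccess that AllowOverride All would enable, so treat that as an assumption to verify with this log.

```apache
<VirtualHost *:80>
    ServerName domain.name
    DocumentRoot /var/www/domain.name
    DirectoryIndex index.php

    # %r   raw request line
    # %U   URL path of the original request
    # %>U  URL path of the final request (differs after an internal redirect)
    # %>s  final status, %u authenticated user ("-" when none)
    LogFormat "%t \"%r\" orig=%U final=%>U redirect_url=%{REDIRECT_URL}e redirect_status=%{REDIRECT_STATUS}e status=%>s user=%u" authzdebug
    CustomLog "/var/log/apache2/authz_debug_log" authzdebug

    # Per-module log level: authorization decisions go to the error log
    LogLevel warn authz_core:debug

    <Directory "/var/www/domain.name/">
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /path/to/user/file
        <RequireAny>
            Require method OPTIONS
            # anchored and with trailing slash: only the public folder's URL space
            Require expr "%{REQUEST_URI} =~ m#^/docs/#"
            Require valid-user
        </RequireAny>
        Options +ExecCGI +FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
```

If the final= column shows something other than /docs/... for a request to /docs/..., the Require expr line is matching the rewritten URI and the exemption has to be tied to something that survives the redirect. Of the two answers, the <Directory ".../docs/"> exemption is the more robust one when the public files live in a real directory: it is bound to the filesystem path Apache resolved after decoding and normalization. THE_REQUEST, by contrast, is the raw request line before either step, and the regex in the workaround also only admits GET requests for single-segment paths, so it should be treated as a narrow fix rather than a general pattern for exempting paths from authentication.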

Apache reverse proxy with LDAP authentication for multiple Application

We have to set up Apache as a reverse proxy with LDAP authentication (AWS EMR) for 2 different applications. The reverse proxy and LDAP are working fine, but the contents of the applications' web pages are not loading fully. We get a 404 error code for some of the dependencies of the web page through reverse proxying.
Here is our httpd.conf file:
<VirtualHost *:80>
ServerName localhost
ProxyHTMLExtended On
RequestHeader unset Accept-Encoding
ProxyRequests off
ProxyPass /zeppelin/ http://localhost:8890/
ProxyHTMLURLMap http://localhost:8890 /zeppelin
ProxyPass /jupyter/ http://localhost:8900/
ProxyHTMLURLMap http://localhost:8900 /jupyter
<Location /zeppelin/>
Options Indexes FollowSymLinks
AllowOverride None
AuthName "Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap::url"
AuthLDAPBindDN "bindn"
AuthLDAPBindPassword "bindpassword"
Require valid-user
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /zeppelin/
RequestHeader unset Accept-Encoding
</Location>
<Location /jupyter/>
Options Indexes FollowSymLinks
AllowOverride None
AuthName "Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap::url"
AuthLDAPBindDN "bindn"
AuthLDAPBindPassword "bindpassword"
Require valid-user
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /jupyter/
RequestHeader unset Accept-Encoding
</Location>
DocumentRoot /var/www
<Directory /var/www>
Options -Indexes
Order allow,deny
allow from all
</Directory>
</VirtualHost>
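The 404s for page dependencies are what happens when the application emits root-relative URLs (/static/..., /api/...) that ProxyHTMLURLMap does not reach: mod_proxy_html rewrites HTML it can parse, not URLs assembled in JavaScript or embedded in CSS and JSON, so the browser asks the proxy for them at / where nothing answers. The reliable fix is to tell the backend its own prefix, so that it emits /jupyter/... links itself, and then proxy prefix to prefix with no HTML rewriting at all. Added here as an example, not the asker's configuration, is the /jupyter/ block written that way. It assumes the Jupyter backend was started with base_url set to /jupyter/ (c.NotebookApp.base_url for the classic notebook server; an assumption about the backend, which the page does not show). The LDAP values are the question's placeholders.

```apache
<VirtualHost *:80>
    ServerName localhost
    ProxyRequests Off

    <Location /jupyter/>
        AuthName "Login"
        AuthType Basic
        AuthBasicProvider ldap
        # placeholders copied from the question; replace with real values
        AuthLDAPURL "ldap::url"
        AuthLDAPBindDN "bindn"
        AuthLDAPBindPassword "bindpassword"
        Require valid-user

        # Backend runs with base_url=/jupyter/ (assumption), so the prefix is
        # passed through unchanged and the application builds /jupyter/...
        # links itself; no ProxyHTMLURLMap is needed.
        ProxyPass        http://localhost:8900/jupyter/
        ProxyPassReverse http://localhost:8900/jupyter/

        # Kernel channels are WebSocket connections (needs mod_proxy_wstunnel).
        # They are still inside this Location, so the same LDAP check applies.
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule /(.*) ws://localhost:8900/$1 [P,L]
    </Location>

    DocumentRoot /var/www
    <Directory /var/www>
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

The same structure applies to the second application under /zeppelin/ once that backend knows its prefix. Keeping every path of an application under one authenticated Location matters more than it looks: if the WebSocket or API paths were proxied from a separate block without a Require line, the notebook UI would be password-protected while the kernel endpoints were not. Both Basic authentication and the proxied traffic should also run over TLS, since the LDAP password crosses the network on every request.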

Setting up httpd authentication for a particular page

I had a script install all this for me, but I am trying to configure it the way I like.
The issue is that it does it at the root of the web directory; I want it on a particular folder in the directory. How would I go about this?
This is what I have now:
ServerName localhost
<VirtualHost *:80>
ServerAdmin admin@rutorrent
ServerName localhost
DocumentRoot /var/rutorrent/
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/httpd/rutorrent.pem
ServerAdmin admin@rutorrent
ServerName localhost
DocumentRoot /var/rutorrent
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
#SCGIMount /RPC00001 127.0.0.1:23876
I want to make it so that it asks for a password in /var/rutorrent/passwordarea.
I also wouldn't mind having a separate password and username for /var/rutorrent, so if someone could share how to do that as well, I'd greatly appreciate it.
Thanks

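The generated configuration above protects everything from <Location /> with one realm and one user file. As an added example (not from the question, which has no answer on this page), here is the port 80 vhost rewritten in Apache 2.4 syntax with two realms: the site-wide one from the question, and a second one for /passwordarea that uses its own user file. The realm name "Password area" and the file /etc/httpd/passwordarea_passwd are assumptions; everything else is taken from the question.

```apache
<VirtualHost *:80>
    ServerAdmin admin@rutorrent
    ServerName localhost
    DocumentRoot /var/rutorrent/

    # Nothing outside the document root is served
    <Directory />
        AllowOverride None
        Require all denied
    </Directory>

    # Site-wide realm: accounts in /etc/httpd/rutorrent_passwd.
    # To leave the site itself open and protect only /passwordarea,
    # replace the four Auth*/Require lines here with: Require all granted
    <Directory /var/rutorrent/>
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require valid-user
    </Directory>

    # Separate realm and separate user file for this folder.
    # With AuthMerging Off (the default) the inner section's Require
    # replaces the outer one, so only accounts in passwordarea_passwd get in,
    # and the different AuthName makes the browser prompt again.
    <Directory /var/rutorrent/passwordarea/>
        AuthType Basic
        AuthName "Password area"
        AuthUserFile "/etc/httpd/passwordarea_passwd"
        Require valid-user
    </Directory>

    # Application-private paths stay unreachable from the web
    <LocationMatch "^/rutorrent/(conf|share)">
        Require all denied
    </LocationMatch>
    <LocationMatch "/\.svn">
        Require all denied
    </LocationMatch>

    # XML-RPC endpoint: only the account used by the client
    <Location "/RPC00001">
        AuthType Basic
        AuthName "My ruTorrent web site"
        AuthUserFile "/etc/httpd/rutorrent_passwd"
        Require user torrent
    </Location>
</VirtualHost>
```

Create the second user file with `htpasswd -c -B /etc/httpd/passwordarea_passwd someuser` (the -B flag stores a bcrypt hash, available since 2.4.4), keep both files outside DocumentRoot as they already are, and mirror the same sections in the port 443 vhost, which is where Basic authentication should really be used.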

Password protect directories when accessed from external IPs using Apache

I currently have password protection on my main and sub directories; however, I'd like to make it required only when connecting from an outside IP address, and password-free when connecting from the local subnet.
Currently /etc/apache2/sites-available/default looks like this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
<Location /dir1>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/dir1/ http://10.1.2.2/dir1
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir1"
</Location>
<Location /dir2>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/ http://10.1.2.2/dir2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir2"
</Location>
</VirtualHost>
I've had a look at Apache's documentation on auth but can't make sense of how I'd implement the password protection with that.
A bit of searching brought this up: http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html
Basically I changed this:
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
to this:
<Location />
Order deny,allow
Deny from all
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www"
Allow from 10.1.2.0/24
Satisfy Any
</Location>
Tested and it's all running smoothly.
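The accepted change uses 2.2 access control (Order, Deny, Allow, Satisfy), which Apache 2.4 only honours through mod_access_compat. Added here as an example, not from the answer, is the equivalent in the 2.4 authorization model: a RequireAny that admits either a client in the local subnet or a valid Digest user. The /dir1 section is included because it is where the 2.4 version most often goes wrong: a nested Location with its own Require line replaces the enclosing one (AuthMerging Off is the default), so the subnet exemption must be repeated there, or local clients are still prompted for /dir1. Realm names, the user file, the subnet and SetEnv lines are taken from the question.

```apache
<Location />
    AuthType Digest
    AuthName "intranet"
    AuthDigestDomain /var/www/ http://10.1.2.2
    AuthDigestProvider file
    AuthUserFile /etc/apache2/passwords
    SetEnv R_ENV "/var/www"
    <RequireAny>
        # No credentials needed from the local subnet
        Require ip 10.1.2.0/24
        # Everyone else must authenticate
        Require valid-user
    </RequireAny>
</Location>

<Location /dir1>
    AuthType Digest
    AuthName "dir"
    AuthDigestDomain /var/www/dir1/ http://10.1.2.2/dir1
    AuthDigestProvider file
    AuthUserFile /etc/apache2/passwords
    SetEnv R_ENV "/var/www/dir1"
    # Repeated here: this section's Require replaces the one from "/"
    <RequireAny>
        Require ip 10.1.2.0/24
        Require user user2
    </RequireAny>
</Location>
```

`Require ip` tests the address of the TCP peer. If this server ever sits behind a reverse proxy or load balancer, that peer is the proxy, and the exemption would either apply to everyone or to no one; in that setup configure mod_remoteip (RemoteIPHeader together with RemoteIPInternalProxy for the trusted proxy addresses) before relying on the subnet check.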