I use Apache's mod_info to display detailed information about my server setup.
httpd-vhosts.conf
# Set path below to be handled by mod_info. It will show server info.
# For this to work, this module must be loaded (uncommented in httpd.conf)
<Location /special/path>
SetHandler server-info
Order allow,deny
Allow from 127.0.0.1
</Location>
Allow from is set to the local machine because this is on my dev machine.
This module allows me to see a tremendous amount of information by navigating to /special/path. I'd like to get the same benefit on my production server, so I can see the output remotely. This means I need to make the path publicly accessible but of course keep that info away from prying eyes.
What's the most practical way to protect that output? I'm ok with a static password challenge so long as the password is not stored in the clear (hashed is ok) and definitely not stored in a publicly accessible location.
Apache 2.4.16
To solve my problem, I used this configuration:
# All paths beginning with /admin will be password protected with
# credentials from /path/admin.htpasswd
<Location /admin>
AuthType Basic
AuthName "Administrators"
AuthBasicProvider file
AuthUserFile "/path/admin.htpasswd"
Require valid-user
</Location>
<IfModule info_module>
<Location /admin/server-info>
SetHandler server-info
</Location>
</IfModule>
The .htpasswd file contains one {username}:{hashed password} per line. Eg:
linda:$apr1$hq20V6OX$uKFyONT91I1BhCae0YJ7B1
eric:$apr1$h4XrUUNS$Hi61JTs1nQOgI/ehMnC0X0
I used the password hash generator from htaccesstools.com
Related
There's a server with several instances of Apache running. One instance needs access from anywhere, but only for authorized users. Instance is started up by a systemctl script with the -f option pointing to a config file in /opt/.
Config includes directives from another file in the same folder under /opt/. The relevant part of the included directives looks like the following at the present moment:
"
[...]
<Location "/subfolder">
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
LimitRequestBody <someNumber>
</Location>
[...]
DavLockDB /somepath/webdav/DavLock
Alias /subfolder /mainfolder/subfolder
<Directory /mainfolder/subfolder>
Dav on
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /somepath/webdav/.htpasswd
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
AllowOverride All
SSLRequireSSL
Options FollowSymLinks Indexes
</Directory>
[...]
"
This works so far, it only permits access to folder if you enter your username and password.
Problem is, if I comment out the <Location directive to comply with security recommendations, then access is flat-out denied. There is no way to enter a username and a password, and if I supply them on the command line, they are ignored, while they previously worked with the <Location block intact.
The <RequireAll> block inside the <Directory> directive is completely ineffectual. In fact, if I comment it out there, it changes nothing whatsoever in the behaviour of the httpd instance. It works only when it is placed inside the <Location block. The rest of the <Directory> block on the other hand seems to be working.
Does someone have any tips as to what I may be missing here? Thanks in advance!
H/T to Apache Basic Auth not working in .htaccess or Directory blocks; works fine in Location blocks
The problem was that the configuration file the Apache instance is started up with included one of the system-wide configs in /etc/ with a default location block inside, similar to the following:
<Location />
Require all denied
[...]
</Location>
When I commented out the line Require all denied from here, the access control directives in the <Directory> block started to work as expected.
The explanation of the above is that, unlike "normal" <Location> directives, which "operate completely outside the filesystem", <Location /> refers to the entire server (see the Apache documentation: https://httpd.apache.org/docs/2.4/mod/core.html#location ), so it means pretty much the same as <Directory /> (at least when it comes to its scope), except that it can only be overridden by another <Location> directive.
I have a few staging sites as virtual hosts on a server, plus a couple of public-facing virtual host sites. The stating sites are all under a single directory (e.g., /var/www/staging-sites/[site-document-root]).
Up to now I've been configuring HTTP Basic Auth for each virtual host, but it seems like there should be a way to do it once for all of them.
The question "apache global basic auth" indicates that I could place Basic Auth directives in a <Directory /var/www/staging-sites> container in the main apache config file, but doing so doesn't cause the browser to prompt for credentials.
Here's the output of tail -n 7 /etc/apache2/apache2.conf:
<Directory "/var/www/staging-sites/">
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider file
AuthUserFile /var/www/staging-sites/.htpasswd
Require valid-user
</Directory>
I've verified that /var/www/staging-sites/.htpasswd exists, and that the site foo.mydomain.com uses the Document Root /var/www/staging-sites/foo.
I've restarted apache to ensure the new config gets loaded.
However, when I open http://foo.mydomain.com, the site is displayed without prompting for Basic Auth credentials.
What am I doing wrong?
Solved. The problem was this section in the virtualhost configuration itself:
<Directory /var/www/staging-sites/foo>
Require all granted
</Directory>
Apparently all the virtualhosts were created with an equivalent configuration. As might be expected, Require all granted in the virtualhost config outdoes Require valid-user in the global config.
Removing that line allows the Basic Auth, as configured above, to work properly.
You can also leave Require all granted but add Satisfy all
I have a question to a complex apache configuration (apache 2.2). Is the following possible, and if yes, how:
From some IPs access to particular files should be allowed without authentication.
From other IPs access to the same files should be allowed with authentication only.
From all other IPs access should not be allowed.
I've tried with
general:
Order deny,allow
deny from all
Then two blocks for the specified directory:
<Location /testverzeichnis/index.html>
AuthType Basic
AuthName "blabla"
Deny from all
Allow from <IP1>
AuthUserFile /srv/www/apache/.htpasswd
Require user scht
</Location>
This does work! I got a window for user/password, and on the second machine access is not allowed.
Then I tried to get access without password from the second machine:
<Location /testverzeichnis/index.html>
Deny from all
Allow from <IP2>
</Location>
But then I got the authentication box on the second machine!
Is this possible at all?
Thank you in advance!
Regards
Burkhard
"Satisfy any" in a single configuration section.
I have a development server and a live server. Both use the same .htaccess but I want the development server to be password protected. When I copy the .htaccess file over to the live, I get a 500 error. Does .htaccess offer some way to only password protect directories using conditionals like IF?
what I'm using:
<Directory "/home/my/path/to/development/site/">
AuthName "Restricted Area 52"
AuthType Basic
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Directory>
Could really use some help.
You can't have <Directory> containers inside an htaccess file, but you can conditionally turn on or off HTTP auth based on an environment varaible.
So for example, say your production site is http://production.example.com and your dev site is http://dev.example.com then you can check against the HTTP Host and set an environment variable:
SetEnvIfNoCase Host ^dev\.example\.com$ require_auth=true
Or, if the path is different, say your production site is http://example.com/ and dev site is http://example.com/dev/, then you can check against the requested URI:
SetEnvIfNoCase Request_URI ^/dev/ require_auth=true
There's several other checks you can make that's outlined in the mod_setenvif. Either way, you want to set require_auth=true when it's a request for dev. Then you setup your auth stuff to use Satisfy Any:
# Auth stuff
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthName "Restricted Area 52"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
So if require_auth isn't set, then no auth is required, and your SetenvIf should set it if it's a dev request.
I have 2 virtual hosts under one domain: a.mydomain.com, b.mydomain.com.
And in the global configuration of apache I have the following:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This works well for all the virtual hosts to have basic auth protection. However, I need to enter username and password for a.mydomain.com and b.mydomain after I went to mydomain.com and authenticate there.
So my question is: is there a way to do authentication on mydomain.com only and that user do not need to enter username and password again for all the virtual hosts under this domain?
Thanks advance.
Any configuration done in the httpd.conf or apache2.conf is a global configuration and will apply to all of your configured sites.
To only have it apply to one of the sites. Move the auth configurations to the specific virtual host configuration file
<Directory />
# keep these
Options FollowSymLinks
AllowOverride None
# move these to the vhost configuration you want to protect
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This might be useful for someone:
I have a single virtual host with many aliases. It is a multisite set up with a single source code for multiple websites. I needed a basic authentication for some of the hosts but not for others while the virtual host is common for all the hosts/domains.
Here is ow I did it and it works fine (Apache 2.4 / Ubuntu 18LTS):
SetEnvIf Host "secure\.host\.com" SECURED
SetEnvIfNoCase Request_URI "^/secure-dir/" SECURED
AuthType Basic
AuthName "Basic Auth Message"
AuthUserFile /var/www/public-html/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
In the above example I also have a secured directory (line 2) which works with regular expression so it will match with any file in that directory.
On line 1 is the secured host name. Please note the backslash before each dot character!
Add as many lines for hosts or directories as you need.