apache basic auth across multiple virtualhosts - apache

I have a few staging sites as virtual hosts on a server, plus a couple of public-facing virtual host sites. The stating sites are all under a single directory (e.g., /var/www/staging-sites/[site-document-root]).
Up to now I've been configuring HTTP Basic Auth for each virtual host, but it seems like there should be a way to do it once for all of them.
The question "apache global basic auth" indicates that I could place Basic Auth directives in a <Directory /var/www/staging-sites> container in the main apache config file, but doing so doesn't cause the browser to prompt for credentials.
Here's the output of tail -n 7 /etc/apache2/apache2.conf:
<Directory "/var/www/staging-sites/">
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider file
AuthUserFile /var/www/staging-sites/.htpasswd
Require valid-user
</Directory>
I've verified that /var/www/staging-sites/.htpasswd exists, and that the site foo.mydomain.com uses the Document Root /var/www/staging-sites/foo.
I've restarted apache to ensure the new config gets loaded.
However, when I open http://foo.mydomain.com, the site is displayed without prompting for Basic Auth credentials.
What am I doing wrong?

Solved. The problem was this section in the virtualhost configuration itself:
<Directory /var/www/staging-sites/foo>
Require all granted
</Directory>
Apparently all the virtualhosts were created with an equivalent configuration. As might be expected, Require all granted in the virtualhost config outdoes Require valid-user in the global config.
Removing that line allows the Basic Auth, as configured above, to work properly.

You can also leave Require all granted but add Satisfy all

Related

Acces Control only works inside <Location> directive, Apache/2.4.6 (CentOS)

There's a server with several instances of Apache running. One instance needs access from anywhere, but only for authorized users. Instance is started up by a systemctl script with the -f option pointing to a config file in /opt/.
Config includes directives from another file in the same folder under /opt/. The relevant part of the included directives looks like the following at the present moment:
"
[...]
<Location "/subfolder">
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
LimitRequestBody <someNumber>
</Location>
[...]
DavLockDB /somepath/webdav/DavLock
Alias /subfolder /mainfolder/subfolder
<Directory /mainfolder/subfolder>
Dav on
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /somepath/webdav/.htpasswd
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
AllowOverride All
SSLRequireSSL
Options FollowSymLinks Indexes
</Directory>
[...]
"
This works so far, it only permits access to folder if you enter your username and password.
Problem is, if I comment out the <Location directive to comply with security recommendations, then access is flat-out denied. There is no way to enter a username and a password, and if I supply them on the command line, they are ignored, while they previously worked with the <Location block intact.
The <RequireAll> block inside the <Directory> directive is completely ineffectual. In fact, if I comment it out there, it changes nothing whatsoever in the behaviour of the httpd instance. It works only when it is placed inside the <Location block. The rest of the <Directory> block on the other hand seems to be working.
Does someone have any tips as to what I may be missing here? Thanks in advance!
H/T to Apache Basic Auth not working in .htaccess or Directory blocks; works fine in Location blocks
The problem was that the configuration file the Apache instance is started up with included one of the system-wide configs in /etc/ with a default location block inside, similar to the following:
<Location />
Require all denied
[...]
</Location>
When I commented out the line Require all denied from here, the access control directives in the <Directory> block started to work as expected.
The explanation of the above is that, unlike "normal" <Location> directives, which "operate completely outside the filesystem", <Location /> refers to the entire server (see the Apache documentation: https://httpd.apache.org/docs/2.4/mod/core.html#location ), so it means pretty much the same as <Directory /> (at least when it comes to its scope), except that it can only be overridden by another <Location> directive.

Allow subdirectory Apache 2.4

I'm struggling with the htaccess system of apache.
My apache directories are set as follow:
www/ (Protected via /var/www/.htaccess)
www/public/ (Supposed to be unprotected via /var/www/public/.htaccess)
However i still can't access the public folder without the need to log in via my AuthType Basic from my www/.htaccess...
www/.htaccess:
AuthType Basic
AuthName "Acces restreint"
AuthUserFile "/var/www/.htpasswd"
Require valid-user
www/public/.htaccess:
AuthType None
Require All Granted
I really am not an expert in Apache so I may have missed the obvious.
Ok, I just figured out that what I was doing works but using H5AI as browser it needed to access the files.
I simply added a rule in the apache2.conf to prevent him being overwritten by the main directory .htaccess and all worked fine.

Why does a .htaccess protected directory work on http but not on https?

I have a domain example.com. example.com links to a Tumblr blog. sub.example.com links to my home's Ubuntu Server's Apache server. I also have SSL optionally enabled throughout sub.example.com (i.e., the user can choose between using http or https for any webpage). sub.example.com/directory is .htaccess protected. I can access the directory perfectly fine on http://sub.example.com/directory, but not on https://sub.example.com/directory. On the https version, I get prompted for my login info. Once I entered my credentials in, I got this error:
Error: File Not Found
File Not Found.
I'm not sure what's going wrong. Below is the full /var/www/html/directory/.htaccess file and a selected portion of the /etc/apache2/apache2.conf file.
.htaccess:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/.htpasswd
Require valid-user
apache2.conf:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
I'm on Ubuntu 14.10 and Apache 2.4.10
Try checking these steps below
Make sure your HTTPS is working without password.
Make sure your .htaccess point to the correct .htpasswd path.
I think your apache2.conf is fine but check config files in sites-enabled and conf-available if there any incorrect for port 443.
Like so many things with computers, a reboot fixed my issues. So, I probably didn't restart some service.

Using "require group" with mod_authn_dbm in Apache HTTPD 2.4

I am using Apache HTTPD 2.4 and I've decided it's time for me to move from mod_authn_file to mod_authn_dbm. I've got it mostly working but it won't check my AuthDBMUserFile for group information. I've googled it and it appears that this kind of functionality should still be available, via mod_authz_dbm which I've now included. The documentation for mod_authz_dbm makes it appear that you just have to use the AuthDBMGroupFile directive as in my configuration below:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require group admin
</Directory>
(Don't worry, site/data is not accessible via the webserver!)
However, even though the directive is clearly known (httpd -t doesn't complain and the server starts OK), it is either being ignored or something else is trying to find a different group file. The error I see in the log file is:
AH01664: No group file was specified in the configuration
Does my configuration look incomplete somehow?
I have an answer via the Apache HTTPD Users Mailing List courtesy of Eric Covener, who says:
mod_authz_dbm responds to Require dbm-group (and dbm-file-group) only in 2.4 which seems to be a change from 2.2.
So my configuration should have been:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require dbm-group admin
</Directory>
I have tried this and it does exactly what I wanted. Many thanks Eric!

using http basic auth to login to mutiple virtual hosts at once under apache

I have 2 virtual hosts under one domain: a.mydomain.com, b.mydomain.com.
And in the global configuration of apache I have the following:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This works well for all the virtual hosts to have basic auth protection. However, I need to enter username and password for a.mydomain.com and b.mydomain after I went to mydomain.com and authenticate there.
So my question is: is there a way to do authentication on mydomain.com only and that user do not need to enter username and password again for all the virtual hosts under this domain?
Thanks advance.
Any configuration done in the httpd.conf or apache2.conf is a global configuration and will apply to all of your configured sites.
To only have it apply to one of the sites. Move the auth configurations to the specific virtual host configuration file
<Directory />
# keep these
Options FollowSymLinks
AllowOverride None
# move these to the vhost configuration you want to protect
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This might be useful for someone:
I have a single virtual host with many aliases. It is a multisite set up with a single source code for multiple websites. I needed a basic authentication for some of the hosts but not for others while the virtual host is common for all the hosts/domains.
Here is ow I did it and it works fine (Apache 2.4 / Ubuntu 18LTS):
SetEnvIf Host "secure\.host\.com" SECURED
SetEnvIfNoCase Request_URI "^/secure-dir/" SECURED
AuthType Basic
AuthName "Basic Auth Message"
AuthUserFile /var/www/public-html/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
In the above example I also have a secured directory (line 2) which works with regular expression so it will match with any file in that directory.
On line 1 is the secured host name. Please note the backslash before each dot character!
Add as many lines for hosts or directories as you need.