Apache2.2 Url whitelisting from basic auth - apache

I have a virtualhost configured with basic auth, but I want to whitelist only one url, because it will be called from a 3rd party API where I can't configure authentication. I read the other questions here but I couldn't get it work, this is how it looks like now:
<Location "^/this/url">
AuthType None
Order Allow,Deny
Allow from all
Satisfy any
</Location>
<Location />
AuthUserFile "/srv/.htpasswd"
AuthName authorization
AuthType Basic
require valid-user
Order Allow,Deny
Deny from all
Satisfy any
</Location>
So I want http://www.example.com to have authentication but http://www.example.com/this/url don't.

Related

How to specify a whitelist for HTTP basic authentication (to except certain paths from requiring a password)?

Here's the essential part of my current configuration, where I protect my entire website using HTTP basic authentication:
<VirtualHost *:443>
<Location "/">
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider file
AuthUserFile /path/to/passwords_file
Require valid-user
</Location>
</VirtualHost>
However, I want to except certain paths so they are publicly available, specifically robots.txt, favicon.ico, manifest.json. How to do this?
Adding the following configuration block after the existing Location one will except the specified paths from requiring a password:
<Location ~ "^/favicon\.ico$|^/manifest\.json$|^/robots\.txt$">
Require all granted
</Location>
This one uses a single regex matching string for all files, but you could also specify each of them individually, one at a time, without using regex:
<Location "/favicon.ico">
Require all granted
</Location>
<Location "/manifest.json">
Require all granted
</Location>
<Location "/robots.txt">
Require all granted
</Location>

Allow either users OR ips to access using apache

I have users in .htpasswd and allowed IPs in .htaccess
I want to allow either user/password (for IPs not in .htaccss) OR IPs to access (without auth).
I edited the dir section in httpd with these lines
But its asking for user/password for the allowed IPs and IPs not in the file are not asked to authenticate.
<Directory xxx>
AllowOverride All
Options Indexes FollowSymLinks
AuthName "Authentication required!"
AuthType Basic
AuthUserFile <my path>/.htpasswd
<RequireAny>
Require ip 127.0.0.1
Require valid-user
</RequireAny>
</Directory>
These configs worked for me
AllowOverride All
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/my path/.htpasswd"
Require valid-user
satisfy any
deny from all
allow from x.x.x.x

Apache Basic Auth only for Requests with URL Path

I'd like to get Basic Authentication for everything except requests from a certain IP Range and URLs that have a URL Path. (In my scenario these always end with .html)
The IP Range works fine, but I can't get requests to go threw that end with .html. For example:
http://subdomain.domain.com/test.html or http://subdomain.domain.com/test/test.html
should be allowed without authentication, while
http://subdomain.domain.com or http://domain.com
should be denied.
This is the Basic Auth block in my .htaccess:
SetEnvIf Request_URI ".html$" auth=1
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthName "Login"
require valid-user
Allow from 123.456.78 env=auth
Satisfy Any
You need 2 different Allow lines:
SetEnvIf Request_URI "\.html$" NO_AUTH
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthName "Login"
require valid-user
Satisfy Any
Order Deny,Allow
Deny from all
Allow from 123.456.78
Allow from env=NO_AUTH

Basic auth across multiple directories

I have a web site that I am using Apache for authentication (using basic auth for testing). It works just fine on all browsers. Now, I am trying to add the API that the web site uses to the authentication realm (using the same AuthName), and noticing the following behaviors:
On Safari it authenticates twice, once when going to the web site, and then again when it makes the API call. (I would prefer only to have to authenticate the first time.)
On both Chrome and Firefox it authenticates when I first go to the web site, but then it returns a 401 error when the web site makes the API call.
These are all on the same domain/port, so I do not see this being a CORS issue (especially since this works when I remove the authentication requirement for the API, which is then not locked down and hence, not desirable). I do have the same AuthName, FWIW, but that seems to have no effect.
My API config in httpd.conf is:
WSGIDaemonProcess rest_api user=gms threads=5
WSGIScriptAlias /api /var/www/extjs/rest_api/rest_api.wsgi
<Location /api>
Options +FollowSymLinks +Multiviews +Indexes
AllowOverride None
Order allow,deny
Deny from all
AuthType basic
Satisfy Any
AuthName "PrivateRepository"
AuthUserFile /var/www/extjs/.htpasswd
Require valid-user
</Location>
While the web site's is:
<VirtualHost *:80>
ServerName cardiocatalogqt
Alias /cardiocatalogqt /var/www/extjs/cardiocatalogqt
<Location /cardiocatalogqt>
Options +FollowSymLinks +Multiviews +Indexes
AllowOverride None
Order allow,deny
Deny from all
AuthType basic
Satisfy Any
AuthName "PrivateRepository"
AuthUserFile /var/www/extjs/.htpasswd
Require valid-user
</Location>
</VirtualHost>
You'll need to rearrange the URL's so they have a common prefix if you want browsers to pre-emptively send basic auth credentials.

Allow Amazon CDN to bypass HTTP Basic Authentication

I am trying to allow Amazon CDN to access the resources on my password-protected staging site (HTTP Basic Authentication).
This is the code I have in the httpd.conf file for it:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName staging.domain.com
DocumentRoot /var/www/html
<Directory "/var/www/html/">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
AuthName "Development Access"
AuthType Basic
AuthUserFile /path/to/password.htpasswd
Require valid-user
SetEnvIf User-Agent "^Amazon.*" cdn
Order allow,deny
Allow from env=cdn
</Directory>
</Virtualhost>
I'm using SetEnvIf to assign a variable if the user agent is Amazon and then just allowing it, but this is not working. Can somebody please help me out with this one?
the problem is that a valid user is required to get to the content, indifferent of the user agent used.
Give this article in the Apache Manual a read, specifically take a look at the RequireAny bit. That allows you to setup the rules with the complexity you require. Your config code would look something like this.
SetEnvIf User-Agent "^Amazon.*" cdn
<RequireAny>
Require valid-user
Require cdn
</RequireAny>
This only works on Apache 2.4 upwards. On 2.2 you can look at this article in the Apache Wiki and specially to the Satisfy Any directive. Hope this helps.
If you have Apache 2 and possibly the requirement to access the resources with HTTP Auth, this has worked for me:
<Directory /var/www/yourwebdirectory>
SetEnvIf User-Agent "^Amazon.*" cdn
AuthUserFile /etc/apache2/.htpasswd.forthissite
AuthType Basic
AuthName "My Files"
Require valid-user
Order allow,deny
Allow from env=cdn
Satisfy Any
</Directory>