We have some public content on the cloud and I am trying to use Basic Auth to deter people from accessing our non-production web-site unless they are on our corporate network.
Everything is working until I submit a request that is just an extension such as '/.js'.
$ wget https://test.domain.com/.js
HTTP request sent, awaiting response... 401 Authorization Required
Authorization failed.
If I add a file name, I am not asked to authenticate. I get a 200 if the file actually exists.
$ wget https://test.domain.com/x.js
HTTP request sent, awaiting response... 404 Not Found
2014-05-29 16:59:35 ERROR 404: Not Found.
Here is the Basic Auth configuration. It is in the .htaccess file in the document root.
SetEnvIf HOST "^www\.domain\.com$" allowProduction
SetEnvIf X-Forwarded-For "123\.123\.123\.123" allowEmployee
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /location/of/passwords/.htpasswd
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=allowProduction
Allow from env=allowEmployee
I modified the log format to display X-Forwarded-For since Apache sits behind a load balancer.
123.123.123.123 test.domain.com - - [29/May/2014:16:54:48 -0400] "GET /.js HTTP/1.0" 401 497 "-" "Wget/1.12 (linux-gnu)"
123.123.123.123 test.domain.com - - [29/May/2014:16:59:35 -0400] "GET /x.js HTTP/1.0" 404 287 "-" "Wget/1.12 (linux-gnu)"
I even tried adding some rule based on the request URI. I tried a few variations with and without the leading '/'. None of them worked.
SetEnvIf Request_URI "^/\..*$" allowJunk
And then added the following.
Allow from env=allowJunk
We do have a rewrite rule to forbid requests that have a leading '.' but that is a 403 and not a 401. A 403 is acceptable since the browser can ignore it. A 401 requires a user to enter the user name and password.
RewriteRule "(^|/)\." - [F]
An example of a forbidden request.
$ wget https://test.domain.com/x/.js
HTTP request sent, awaiting response... 403 Forbidden
2014-05-29 17:04:18 ERROR 403: Forbidden.
The simple solution would be to not request any leading '.' URLs, but we are using someone else's framework and we get these requests on some browsers. Rewriting the framework for a small percentage of our customers is not desirable. Prompting them for a password is even less desirable.
Any suggestions?
Thanks,
Wes.
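The access decision the .htaccess above makes, as an added example (a model written for this page, not Apache's code or the poster's): it shows what the unanchored X-Forwarded-For match accepts once the header can be supplied by the client. The assumption, stated in the code, is the common load-balancer behaviour of appending the connecting client's IP to whatever X-Forwarded-For the client already sent; the outsider address 203.0.113.7 is constructed for the example.

```python
import re

# Added example, not Apache code: a model of the access decision made by
#   SetEnvIf HOST "^www\.domain\.com$" allowProduction
#   SetEnvIf X-Forwarded-For "123\.123\.123\.123" allowEmployee
#   Order Deny,Allow / Deny from all / Satisfy any / Require valid-user
#   Allow from env=allowProduction / Allow from env=allowEmployee
# Assumption: the load balancer APPENDS the real client IP to any
# X-Forwarded-For header the client sent, rather than replacing it.

EMPLOYEE_IP = "123.123.123.123"
LOOSE_XFF = r"123\.123\.123\.123"            # pattern from the question (unanchored)
STRICT_XFF = r"(^|,\s*)123\.123\.123\.123$"  # only the last, LB-appended hop counts


def setenvif(pattern, header_value):
    """SetEnvIf semantics: a regex search (not a full match) over the header value."""
    return header_value is not None and re.search(pattern, header_value) is not None


def access_granted(headers, valid_user, xff_pattern=LOOSE_XFF):
    """Order Deny,Allow with Deny from all lets the host-based phase grant
    access only if some Allow line matches; Satisfy any then ORs that with
    a successful Basic Auth login (Require valid-user)."""
    allow_production = setenvif(r"^www\.domain\.com$", headers.get("Host"))
    allow_employee = setenvif(xff_pattern, headers.get("X-Forwarded-For"))
    return allow_production or allow_employee or valid_user


def as_seen_behind_lb(client_supplied_xff, client_ip):
    """The X-Forwarded-For value Apache sees after the load balancer has
    appended the connecting IP (the assumption stated above)."""
    if client_supplied_xff:
        return f"{client_supplied_xff}, {client_ip}"
    return client_ip


def spoof_check(pattern):
    """Does an outsider connecting from 203.0.113.7 get in by forging
    'X-Forwarded-For: 123.123.123.123', with no password at all?"""
    xff = as_seen_behind_lb(EMPLOYEE_IP, "203.0.113.7")
    return access_granted({"Host": "test.domain.com", "X-Forwarded-For": xff},
                          valid_user=False, xff_pattern=pattern)


if __name__ == "__main__":
    genuine = {"Host": "test.domain.com",
               "X-Forwarded-For": as_seen_behind_lb(None, EMPLOYEE_IP)}
    print("employee, loose pattern :", access_granted(genuine, False))
    print("spoofed, loose pattern  :", spoof_check(LOOSE_XFF))   # forged header passes
    print("spoofed, strict pattern :", spoof_check(STRICT_XFF))  # rejected
```

The anchored pattern only helps if the balancer always appends and nothing can reach Apache directly; the robust option on Apache 2.4 is mod_remoteip (RemoteIPHeader plus RemoteIPInternalProxy for the balancer's addresses) so that the client address Apache itself reports is trustworthy and can be used with Require ip.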
I have an Apache config that uses legacy access rules and CGI error documents.
ErrorDocument 403 /perl/dispay.pl?page=error403
SetEnvIf User-Agent "SomeOldUserAgent" badUA
Deny from env=badUA
The blocking of the user agent works fine, but unfortunately the Deny rule also covers the generating of the error page.
I would like to exclude the error page from the blocking to provide a dynamic error message.
I have tried to allow by REDIRECT_STATUS, but this doesn't work.
SetEnvIf REDIRECT_STATUS 403 errorPage
Allow from env=errorPage
Any ideas?
Need somebody to push me in the right direction.
We're using apache http server (http1) reverse-proxy to send a request to another http server (http2). The challenge is http2 is not expected to send an HTML page in the response back to http1.
The http2 log does show the request coming in. However, the http1 log results in HTTP 502 error:
Internal error (specific information not available): [client ] AH01102: error reading status line from remote server localhost:9001
[proxy:error] [client ] AH00898: Error reading from remote server returned by /app/myContext/LogMessage
Here's http2 log which returns HTTP status 200:
"GET /app/myContext/LogMessage HTTP/1.1" 200 -
Please note that those requests that result in an HTML page work fine.
What would you think should be an approach here? Maybe using reverse proxy is not a good choice for this type of request?
We have httpd.conf on http1 set up this way:
ProxyPass "/app/myContext/" "http://localhost:9001/app/myContext/"
ProxyPassReverse "/app/myContext/" "http://localhost:9001/app/myContext/"
Disable ErrorLog on http1 altogether:
ErrorLog /dev/null
Have you tried to have http1 ignore using mod_log_config? According to the example the format string might be:
CustomLog expr=%{REQUEST_STATUS} -eq 502 && %{REQUEST_URI} =~ /app\/myContext/ ...
Or the LogFormat string might work too:
LogFormat %!502...
(h/t to Avoid logging of certain missing files into the Apache2 error log)
Is your problem that http1 is emitting 502 to the requestor? In that case, maybe use an <If> and a custom ErrorDocument?
<If "%{REQUEST_URI} =~ m#/app/myContext/#">ErrorDocument 502 'OK'</If>
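A complete form of the conditional-logging idea in the answer above, as an added example that is not from the thread: the ProxyPass pair with matching quotes, and a CustomLog whose expr= condition skips 502 entries for the LogMessage path. The proxy paths and port are the question's; the log file path and the "combined" format name are assumptions. Note that this filters the access log only. The AH01102 and AH00898 lines go to the error log, which takes no expr filter, so the only way to quiet them short of ErrorLog /dev/null is a per-module LogLevel, which also hides genuine upstream failures.

```apache
# Added example, not the poster's httpd.conf. Paths and port from the question;
# log file and format name are assumptions.
ProxyPass        "/app/myContext/" "http://localhost:9001/app/myContext/"
ProxyPassReverse "/app/myContext/" "http://localhost:9001/app/myContext/"

# mod_log_config conditional: log every request except a 502 for the
# LogMessage call. The whole expr= argument is one quoted token.
CustomLog "logs/access_log" combined \
    "expr=!(%{REQUEST_STATUS} -eq 502 && %{REQUEST_URI} =~ m#^/app/myContext/LogMessage#)"

# Blunt option for the error log: lower mod_proxy/mod_proxy_http to crit so the
# error-level AH01102/AH00898 messages are dropped. This hides real outages too.
# LogLevel proxy:crit proxy_http:crit
```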
Went with the following solution: In http2 re-route the LogMessage call to fetch a blank html page:
1. Create blankfile.html in the /htdocs directory.
2. In httpd.conf add this line:
RewriteRule ^.*(app/myContext/LogMessage).* /blankfile.html [L]
This works for us since the whole purpose of LogMessage is to log the request in http2 access_log.
I'd just like to thank you @cowbert for working so diligently with me on this!
I have a web application running on Apache2 (2.4)
and I am redirecting the homepage and entire website (/*) to another URL, a kind of auth, which then returns back to the homepage.
So in my apache2 location directive
...
<Location "/">
AuthType AuthAgent
Require valid-user
Satisfy any
</Location>
...
So now ELB is failing the health check because the homepage is being used as the endpoint for the health check.
How do I make ELB pass the health check when the redirection happens? The redirection is a 302.
I just want ELB to report pass on a 302, or however else I can make the health check pass.
Thanks
Classic ELB will only consider a 200 response as a success. Everything else is a health check failure (including a 302).
Source: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html (see under "Ping Path")
You have 2 options:
Option 1: Switch to use an Application Load Balancer instead. By doing this, you can configure it to accept 302 as a health check success.
Option 2: Add a non-redirect URL to your web server specifically for the health check. So you would have something like /healthcheck.html return a 200 success and everything else return a redirect 302.
Here is what I did to solve the issue PERFECTLY!
I added a regex to the Location directive so that it redirects everything except some URLs I don't want to redirect.
...
<Location ~ "^((?!/status).)*$">
AuthType AuthAgent
Require valid-user
Satisfy any
</Location>
...
so it redirects everything except /status/
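What the negative-lookahead pattern in that answer actually exempts, as an added example (not the poster's configuration): the Location pattern applies to any path that does not contain the substring "/status" anywhere, so paths like /admin/status-report fall outside the authenticated section as well. The sample paths are constructed for this check; the second pattern is an exact-match alternative.

```python
import re

# Added example, not the poster's configuration: check which request paths
# <Location ~ "^((?!/status).)*$"> leaves outside the authenticated section.
# Sample paths are constructed here.

AUTH_SECTION = re.compile(r"^((?!/status).)*$")  # pattern from the answer
HEALTHCHECK_ONLY = re.compile(r"^/status/?$")    # exact-match alternative


def covered_by_answer(path):
    """True if the answer's Location pattern matches, i.e. auth is required."""
    return AUTH_SECTION.match(path) is not None


def covered_by_exact(path):
    """True if auth is required when only /status and /status/ are exempt."""
    return HEALTHCHECK_ONLY.match(path) is None


def unauthenticated_paths(paths, covered=covered_by_answer):
    """Paths that reach the application without passing through auth."""
    return [p for p in paths if not covered(p)]


SAMPLE_PATHS = [
    "/", "/status", "/status/", "/login",
    "/admin/status-report",   # contains "/status" as a substring
    "/api/statuses",          # so does this one
]

if __name__ == "__main__":
    print("answer's pattern exempts:", unauthenticated_paths(SAMPLE_PATHS))
    print("exact match exempts:     ", unauthenticated_paths(SAMPLE_PATHS, covered_by_exact))
```

The usual way to get the exact-match behaviour in Apache 2.4 is to keep the protected `<Location "/">` section as it is and add a second `<Location "/status">` section after it containing `Require all granted`: later sections override earlier ones, and 2.4 only runs authentication when an authorization provider actually needs a user.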
I set up my .htaccess file so that only certain IP ranges can access the /admin portion of my site, as asked in this question: Deny access to URI
That works... in testing. When I tried this on my live, https enabled, site something strange happened:
When I GET the /admin page, I receive a 403 Forbidden status code but I also get the body as if nothing happened.
How is that possible, and how do I fix it?
Here's the eventual .htaccess:
SetEnvIf Request_URI ^(?!/admin) not_admin_uri
Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri
Also: if I remove the last allow rule it actually does block the request (though it then, of course, blocks all requests).
The document for the 403 status code (which was 403.shtml) did not exist, in which case Apache apparently just executes the request.
I have set up an Apache server to use mod_auth_kerb. It authenticates users via Kerberos and the Negotiate protocol, allowing them entry to the site if they hold a valid Kerberos ticket. It works in that it properly authenticates users. There is a problem however: HTTP 401 response codes clutter the Apache log file. They're from the same IP address each time, so I know that a client attempts to access the page, receives a 401, then tries again and gets an HTTP 200 OK back on the second try. It looks like the user is unidentified in the first attempt, but identified properly in the second attempt.
1.2.3.4 - - [07/Jan/2014:12:29:16 -0500] "GET /my_url/ HTTP/1.1" 401 1005
1.2.3.4 - user@REALM.EXAMPLE.COM [07/Jan/2014:12:29:16 -0500] "GET /my_url/ HTTP/1.1" 200 1724
How can I find out what is causing these 401 unauthorized responses? I can't record it over Wireshark because the connection is encrypted with HTTPS and TLS. Chrome's Developer Tools is only showing HTTP 200 OK responses, but I know that 401s are being generated from the Apache server logs. Any thoughts?
This is how HTTP Authentication works.
There is nothing you can do about it.
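The exchange behind those two log lines, as an added example that is not part of the thread: the client's first request carries no credentials, the server answers 401 with WWW-Authenticate: Negotiate, and the client repeats the request with a token. Real mod_auth_kerb hands that token to GSSAPI; here the validation is a constructed stand-in (a base64-encoded principal name), and the log format and client address 1.2.3.4 mirror the question's lines.

```python
import base64

# Added example, not mod_auth_kerb: a model of the Negotiate round trip that
# produces one 401 and one 200 per page load. Token validation is a constructed
# stand-in for GSSAPI: a token is "valid" if it decodes to a principal in REALM.
REALM = "REALM.EXAMPLE.COM"


def validate_token(token):
    """Stand-in for GSSAPI acceptance; returns the principal or None."""
    try:
        principal = base64.b64decode(token).decode()
    except Exception:
        return None
    return principal if principal.endswith("@" + REALM) else None


def server(request_headers):
    """One request through a Negotiate-protected location.
    Returns (status, response_headers, authenticated_user)."""
    auth = request_headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        user = validate_token(auth[len("Negotiate "):])
        if user:
            return 200, {}, user
    # No (or unacceptable) credentials: challenge. This is the 401 in the log.
    return 401, {"WWW-Authenticate": "Negotiate"}, None


def log_line(user, status):
    """Access-log entry in the shape shown in the question."""
    return f'1.2.3.4 - {user or "-"} "GET /my_url/ HTTP/1.1" {status}'


def client_fetch(ticket_principal):
    """Browser behaviour: the first request is anonymous; on a 401 carrying
    WWW-Authenticate: Negotiate the browser retries with a token for its
    principal. Returns the final status and the two access-log lines."""
    log = []
    status, resp, user = server({})
    log.append(log_line(user, status))
    if status == 401 and resp.get("WWW-Authenticate") == "Negotiate":
        token = base64.b64encode(ticket_principal.encode()).decode()
        status, resp, user = server({"Authorization": "Negotiate " + token})
        log.append(log_line(user, status))
    return status, log


if __name__ == "__main__":
    final, lines = client_fetch("user@" + REALM)
    print(*lines, sep="\n")   # one 401 line, then one 200 line
```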