Password protect directories when accessed from external IPs using Apache - apache

Currently have password protection on my main and sub directories, however I'd like to make it only required when connecting from an outside IP address and password free when connecting from the local subnet.
Currently /etc/apache2/sites-available/default looks like this:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
<Location /dir1>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/dir1/ http://10.1.2.2/dir1
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir1"
</Location>
<Location /dir2>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/ http://10.1.2.2/dir2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir2"
</Location>
</VirtualHost>
I've had a loot at Apache's documentation on auth but can't make sense of how I'd then implement the password protection in with that.

A bit of searching brought this up http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html
Basically changed this:
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
to this:
<Location />
Order deny,allow
Deny from all
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www"
Allow from 10.1.2.0/24
Satisfy Any
</Location>
Tested and it's all running smoothly.

Related

Apache LDAP Authentication only for some virtualhosts

I have a webserver running Apache 2.4.6 under CentOS 7 in which I have several web resources. I want to apply LDAP authentication only to some of them, so I am trying to do it by creating a single virtualhost for every resource and configure the LDAP authentication only to the resources I want.
This is my attempt:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
This is the relevant information of my current httpd.conf file:
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
IncludeOptional conf.d/*.conf
But it always asks for authentication for both test1 and test2 and for test2 I am not even able to load the content after logged in (test1 loads fine).
Finally achieved by using Alias directive, so:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
Alias /test1 /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
Alias /test2 /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

Exclude specific cakephp controller from http basic auth

I'm trying to exclude a path (URI) from being blocked by basic http auth.
The path is /rest (http://example.com/rest) and represents a controller of a cakephp 3 application. It is NOT a real file, but rather a path rewritten by a rewite-condition and handeled by index.php in the webroot dir.
Here's the rewrite rules:
/var/www/.htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
/var/www/webroot/.htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
I'm running apache 2.4 and tried different configurations:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
Require expr %{REQUEST_URI} =~ m#/rest/.*#
Require expr %{REQUEST_URI} =~ m#/index.php/rest/.*#
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...adapted from https://stackoverflow.com/a/33655232/1285585
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location "/rest">
Allow from all
Satisfy any
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
... from https://serverfault.com/a/475845/229877
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location "/rest">
Require all granted
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</Virtualhost>
... from https://www.apachelounge.com/viewtopic.php?p=30200
...
<Location "/">
SetEnvIf Request_URI ^/rest noauth=1
SetEnvIf Request_URI /rest noauth=1
SetEnvIf Request_URI ^/index.php/rest noauth=1
SetEnvIf Request_URI /index.php/rest noauth=1
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
</Location>
... from https://stackoverflow.com/a/8979889/1285585
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Location ~ "/(rest|index.php/rest)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
... from https://stackoverflow.com/a/13296294/1285585
<Location "/">
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
</Location>
<Files "index.php/rest">
Satisfy Any
Allow from all
</Files>
<Files "rest">
Satisfy Any
Allow from all
</Files>
... from HTTP Basic Auth Exclude Single File
However, none of them seem to work. I always get error 401 using wget or an auth request from a browser.
The problem seems to be, that the path /rest passes the condition but then is rewritten to index.php, which is under control of basic auth (and has to be).
Any clues?
Finally figured it out when I stumbelled upon this answer ( https://stackoverflow.com/a/14010456/1285585 ) to a related question.
Here is my solution:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/webroot
<Directory /var/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<Location "/">
# Default to Basic Auth protection for any stie
AuthType Basic
AuthName "Keawe Development"
AuthUserFile /host/.htpasswd
Require valid-user
# If the request goes to a rest page: bypass basic auth
SetEnvIf Request_URI ^/rest/ noauth=1
Allow from env=REDIRECT_noauth
Allow from env=noauth
Order Deny,Allow
Satisfy any
Deny from all
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

apache virtualhost conf file and authorizations

Here is my conf file:
<VirtualHost *:80>
ServerAdmin r0dy#r0dy.net
ServerName mtc.r0dy.net
ServerAlias www.mtc.r0dy.net
DocumentRoot /var/www/mtc
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/mtc>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/mtc/bo>
AuthName "Restricted Area: BackOffice"
AuthType Basic
AuthUserFile /var/www/mtc/bo/.htpasswd
# AuthGroupFile /dev/null
require valid-user
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
When i comment out the <Directory /var/www/mtc/bo> part, it doesnt ask for credentials.
When i uncomment it, if i browse to this directory, it asks for credentials and it works fine.
My problem is that is asks for credentials even if i don't go to the /bo/ directory, i just browse to http://mtc.r0dy.net/ and i'm blocked.
Any idea on what i did wrong ?
In case anyone has the same problem, i solved it by adding Allow directives in my directories :
<Directory />
Options FollowSymLinks
#AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/mtc>
Options Indexes FollowSymLinks MultiViews
#AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/mtc/bo>
Order allow,deny
Allow from all
AuthName "Restricted Area: BackOffice"
AuthType Basic
AuthUserFile /var/www/mtc/bo/.htpasswd
# AuthGroupFile /dev/null
require valid-user
</Directory>
I don't understand why it works with the allow directives and behaves strangely without, but it works fine now. If anyone has the explaination you're welcome.

Multiple Trac sites on one domain using Apache2

How do I get one domain to serve up multiple sites under Apache2. What I would like is something like this:
trac.mysite.net/project1
trac.mysite.net/project2
What I have working now, is this:
project1.mysite.net/
project2.mysite.net/
using two separate virtual hosts, which works great. However, every time I create a new project, I have to update the DNS.
What I would like is to have one virtual host configuration that points to a different directory for each project.
What I have tried is creating a 'trac' virtual host with different sections for each site. According to the error log, it tries to access the directory, but gets an access denied.
[Sun Sep 14 16:50:59.022354 2014] [autoindex:error] [pid 9811] [client 10.1.1.112:58207] AH01276: Cannot serve directory /usr/share/trac/projects/project1/htdocs/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
I tried removing indexes with Options -Indexes but that didn't get rid of the error above.
Here is my virtual host configuration:
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv#mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/share/trac/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /chrome/common /usr/share/trac/htdocs/common
Alias /chrome/site /usr/share/trac/htdocs/site
<Directory /usr/share/trac/htdocs/>
Order allow,deny
allow from all
</Directory>
WSGIScriptAlias / /usr/share/trac/cgi-bin/trac.wsgi
# project1 ###############################################################
Alias /project1 /usr/share/trac/projects/project1/htdocs
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
Alias /project2 /usr/share/trac/projects/project2/htdocs
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
I know this is possible, I'm just not sure how. Any suggestions would be appreciated.
Ah. I figured out what I was doing wrong. I was using an Alias for each project directory. The Alias was overriding the WSGIScriptAlias. And it was this WSGIScriptAlias that was necessary for everything to work. It allows urls with /projectX/ in them to be an alias for the trac.wsgi script.
My new vhost config is given below. I cleaned it up a bit by removing the directives for the trac vhost and only left the DocumentRoot.
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv#mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
# project1 ###############################################################
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
Thanks for listening.

Setting up httpd authentication for a particular page

I had a script install this all for me but I am trying to configure it to how I like.
The issue is it does it at the root of the web directory I want it to a particular folder in the directory...how would I go about this...
This is what I have now
ServerName localhost
<VirtualHost *:80>
ServerAdmin admin#rutorrent
ServerName localhost
DocumentRoot /var/rutorrent/
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/httpd/rutorrent.pem
ServerAdmin admin#rutorrent
ServerName localhost
DocumentRoot /var/rutorrent
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location />
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require valid-user
Order allow,deny
Allow from all
</Location>
<Location ~ "^/rutorrent/(conf|share)">
Order deny,allow
Deny from all
</Location>
<Location ~ "/\\.svn">
Order deny,allow
Deny from all
</Location>
<Location "/RPC00001">
AuthType Basic
AuthName "My ruTorrent web site"
AuthUserFile "/etc/httpd/rutorrent_passwd"
Require user torrent
</Location>
</VirtualHost>
#SCGIMount /RPC00001 127.0.0.1:23876
I want to make it so it asks for a password in /var/rutorrent/passwordarea
I also wouldn't mind having a separate password and username for /var/rutorrent so if someone could share how to do that as well I'd greatly appreciate it.
Thanks