Custom error page in Apache2 for 401 - apache

Here's the relevant part of the .htaccess file:
AuthUserFile /var/www/mywebsite/.htpasswd
AuthGroupFile /dev/null
AuthName protected
AuthType Basic
Require valid-user
ErrorDocument 400 /var/www/errors/index.html
ErrorDocument 401 /var/www/errors/index.html
ErrorDocument 403 /var/www/errors/index.html
ErrorDocument 404 /var/www/errors/index.html
ErrorDocument 500 /var/www/errors/index.html
Docuement root is set to /var/www/mywebsite/web, it's on of many vhosts. I can navigate to the index.html page.
All I'm seeing is the generic Apache 401 page, any thoughts.
EDIT: This is the error message in my browser:
Authorization Required
This server could not verify that you
are authorized to access the document
requested. Either you supplied the
wrong credentials (e.g., bad
password), or your browser doesn't
understand how to supply the
credentials required.
Additionally, a 401 Authorization
Required error was encountered while
trying to use an ErrorDocument to
handle the request. Apache/2.2.9
(Debian) PHP/5.2.6-1+lenny8 with
Suhosin-Patch Server at www.dirbe.com
Port 80

Make sure that /var/www/errors is readable by the apache user and include this in your apache configuration:
<Directory /var/www/errors>
Order allow,deny
Allow from all
</Directory>

ErrorDocument takes in a absolute URL path instead of a file path. So it should be:
ErrorDocument 404 /error/error.html
Assuming under your document root is a /error/error.html file.

This question (and answers and comments) helped me a bunch, thanks much!
I solved a slightly different way, and wanted to share. In this case, we needed to provide a custom 401 error document and the root path needed to be proxied to a backend app.
So, for example, http://example.com needed to serve content from http://internal-server:8080/. Also, http://example.com needed to be protected using Basic Auth with a custom 401 error document.
So, I created a directory named "error" in the DocumentRoot. Here's the relevant lines from the vhost:
ErrorDocument 401 /error/error401.html
# Grant access to html files under /error
<Location "/error">
Options -Indexes
Order Deny,Allow
Allow from all
</Location>
# restrict proxy using basic auth
<Proxy *>
Require valid-user
AuthType basic
AuthName "Basic Auth"
AuthUserFile /etc/apache2/.htpasswd
</Proxy>
# Proxy everything except for /error
ProxyRequests Off
ProxyPass /error !
ProxyPass / http://internal:8080/
ProxyPassReverse / http://internal:8080/

Related

Apache BasicAuth .htpasswd

Issue: My requirement is to implement BasicAuth to my website when I login. Now when load my website it is asking me the credentials and after successful login I can see the landing page of my website. When I do some operation on this landing page it is not moving head rather the same landing page is coming up.
Description:
Under <VirtualHost *:443> in file INBOUND.conf I've added below config. I already have routing http to https by config mentioned below. I've created credentials with htpasswd utility and placed at '/etc/apache2/.htpasswd'
<Location />
AuthType Basic
AuthName "Restricted: Contact Content Team"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
HTTP To HTTPS Routing:
ServerName xxx
ServerAlias xxx
ServerAdmin xxx
# For non-SSL access redirect to the SSL port
RewriteEngine On
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R]
Before asking the question over here, I had went through many articles but there's no luck.
I've now figured out that there's a cookie which gets created with
some value and is not getting passed to next page. Thus, the same
page is been reloading.
During the happy flow when I remove this BasicAuth, the cookie is getting passed over to next page.
So, can someone of you please help me here?
after investigation I figured out that the client ip was falling under "X-Forwarded-For" tag and not on host/client tag so I did the following and it started working for me.
Basically we need to figure out the incoming ip is falling under which tag and we need to whitelist that tag here
<Location />
SetEnvIF X-Forwarded-For "116.50.59.202" AllowIP
SetEnvIF X-Forwarded-For "127.0.0.1" AllowIP
SetEnvIF X-Forwarded-For "0.0.0.0" AllowIP
Require env AllowIP
</Location>

Apache - AliasMatch and htaccess authentication

I am trying to setup an simple aliasmatch for apache http(s) server. The aim is to allow to reach mydomain.com/myfiles/ with any url like mydomain.com/myfiles*/ without using url rewriting
I am using a .htaccess file to require an authentication.
My problem is : When I add the AliasMatch directive, the url is recognize but I receive the error 403 forbidden without receiving the authentication popup window asking for user/password for the basic url as well as for the aliases. What am I missing ?
I tried almost all syntax I could think about around this
AliasMatch "^/myfiles(.*)" "/myfiles/$1"
In the global conf as well as in the virtualhost conf.
my Directory directive
<Directory /xxx/xxx/xxxx/myfiles>
AllowOverride Authconfig
Require all denied
</Directory>
my .htaccess
AuthType Basic
AuthName "Password Required"
AuthUserFile "/xxxx/xxx/xxx"
Require valid-user
myfiles is a symlink and working fine when there is not the AliasMacth directive.
your AliasMatch syntax should be
AliasMatch "^/myfiles(.*)$" "/real/path/to/myfiles/$1"
with '$' and 'real-path'
please try

Apache HTTP Server Location directive - exclude url

I've an Apache HTTP server that is used as a proxy (over https) for JBoss-deployed webapp. I've the following entry in a conf file:
<Location "/app">
ProxyPass http://localhost:8080/app
ProxyPassReverse http://localhost:8080/app
AuthType Basic
AuthName "Private Documentation Repository"
AuthUserFile <path-to-file>
Require valid-user
</Location>
As You can see, a valid user is required to access /app.
The question is: how to write a directive that will exclude one particular file from JBoss webapp, so that access to this file won't require a valid user e.g.:
<Location "/app/some-file.xyz">
ProxyPass http://localhost:8080/app/some-file.xyz
ProxyPassReverse http://localhost:8080/app/some-file.xyz
</Location>
I mean: when user requests anything (app/) but /app/some-file.xyz he/she will be prompted for the password, otherwise Apache will enable the user to download some-file.xyz. Any help would be greatly appreciated.
<Location "/app/*.xyz">
allow from all
satisfy any
ProxyPass http://localhost:8080/app/*.xyz
ProxyPassReverse http://localhost:8080/app/*.xyz
</Location>

getting "authentication required" when requesting / instead of /index.php

On my server I have the following .htaccess file:
DirectoryIndex index.php
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Require valid-user
<Files index.php>
Satisfy any
Allow from *
</Files>
If I request the URL "IP-ADDRESS/index.php", everything works fine, I get the index.php displayed without an authentication prompt. However as soon as I request "IP-ADDRESS/" the browser asks me for my credentials.
Why is this the case? What am I missing?
Try replacing the block to use mod_setenvif to check the request URI instead of using <Files>. The mod_auth* modules has precedence over mod_dir so the mapping from / to /index.php doesn't happen until after the auth takes place. Mod_setenvif will occur before the auth. Try:
SetEnvIf Request_URI "^/$" allow=yes
SetEnvIf Request_URI "^/index.php$" allow=yes
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Order Deny,Allow
Satisfy any
Deny from All
Require valid-user
Allow from env=allow
If the requested URI is exactly / or /index.php, the variable allow gets set. The stuff after the Auth lines say to deny everything except a valid user or if the variable allow has been set.

Use HTTP Auth only if accessing a specific domain

I've got several sites: example.com, example1.com, and example2.com. All of them point to my server's /public_html folder, which is my Apache root folder.
What do I need to add to my .htaccess file to use http authentication only if the user is coming from example2.com? example.com and example1.com should NOT use authentication.
I know I need something like
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
But I only want to require a password if the user is visiting example2.com.
Edit
Using an approach suggested in an answer, I have the following in my .htaccess file:
SetEnvIfNoCase Host ^(.*)$ testauth
<IfDefine testauth>
RewriteRule ^(.*)$ index2.php?q=$1 [L,QSA]
</IfDefine>
I know that the mod_setenvif.c module is enabled (I verified with an <IfModule> block), but it would appear that "testauth" is never getting defined, because my test to verify (redirecting to index2.php) is not executing (whereas it was getting executed in my <IfModule> block). Any ideas why?
How about something along the lines of this in the htaccess file in the document root:
# set the "require_auth" var if Host ends with "example2.com"
SetEnvIfNoCase Host example2\.com$ require_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This will make it so authentication is not required unless the host ends with example2.com (e.g. www.example2.com, dev.example2.com, etc). The expression can be tweaked if needed. Any other host will cause the require_auth var not to get set so authentication is not required. If this needs to be the other way around, the last line could be changed to: Allow from env=require_auth, removing the !.
Apache 2.4 offers a semantic alternative with the If directive:
<If "req('Host') == 'example2.com'">
AuthUserFile /path/to/htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
</If>
<Else>
Require all granted
</Else>
Here is one recommendation:
Create a file called common.conf and save in an accessible location
In this file place the Apache configuration common to all sites (hosts).
The remove the current single VirtualHost entry an replace with VirtualHost entries as follows:
# These are the password protected hosts
<VirtualHost *:80>
ServerName example.com
ServerAlias example1.com
Include /path-to-common-configuration/common.conf
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</VirtualHost>
# These are hosts not requiring authentication
<VirtualHost *:80>
ServerName example2.com
ServerAlias example3.com
Include /path-to-common-configuration/common.conf
</VirtualHost>
I wonder if DanH would be helped by an approach that allows access per IP address?
Something like
SetEnvIf Remote_Addr 1\.2\.3\.4 AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.ok\.com AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.also\.ok\.com AllowMeIn
and then in your Drupal "container"
Order Allow,Deny
Allow from env=AllowMeIn
should do the trick.
Any host that is "live" should be configured to "AllowMeIn", or else you have to come from a known IP address (ie you and other developers).
You shouldn't be putting per-vhost configuration into .htaccess. Instead, put the config block in the VirtualHost block in the proper config file in /etc/apache/sites-enabled/*.