Apache 2.4 with basic authentication and fail2ban apache-auth

apache-2.4fail2ban

It seems I have a conflict in my configuration on CentOS 7 server.

The issue appears between vhost configuration on apache 2.4 (httpd) with the basic authentication and fail2ban apache-auth banning feature.

I want two things :

1) An authentication for access to my each websites with basic authentication feature.

2) Ban IP with fail2ban from apache errorlog files.

My problem is :

If I have "Deny from all" in location tag inside of vhost configuration file so I have prompt for authentication but I have too lot of errors in apache errorlog file –> "AH01797: client denied by server configuration"
However, if I change "Deny from all" by "Require all granted", the issue dispears but the prompt authentication too obviously.

How can I have this two features together, without conflict?

I hope this is clear. Please ask for any additional information needed.

Best Answer

I hope this is clear.

Well not really. Either the issue is that fail2ban doesn't recognize AH01797: client denied but you want it'd happen (then see P.1), or vice versa it find that but you don't want that (then see P.2)

Normally fail2ban's apache-auth should detect this kind of failures. If it does not either your fail2ban version (or config file) are too old, or you've some different log (compare it with this or provide an example of your log).
If you want that fail2ban ignores this, just open /etc/fail2ban/filter.d/apache-auth.conf (make a backup) and remove the rule for this, for example for newest version it would be something like this:

- failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
+ failregex = ^client (?:used wrong authentication scheme)\b

Related Solutions

Apache – Understanding Apache’s ‘Require All Granted’

The access control configuration changed in 2.4, and old configurations aren't compatible without some changes. See here.

If your old config was Allow from all (no IP addresses blocked from accessing the service), then Require all granted is the new functional equivilent.

HTTP Basic Auth unless connecting from the office with Apache 2.4

Without the complete error message (I would expect the module and ip-address) it's a bit of a guess but you're mixing directives from two different modules in Apache 2.4 , the Require directive from mod-authz-core and the "legacy" directives Allow and Order from mod-access-compat, which might not stack very well.

You could try replacing the lines

Order allow,deny
Allow from 202.161.24.210 127 ::1

With the following

Require ip  202.161.24.210 127 ::1/128

With the already present Satisfy any that should meet your requirements.

Your third requirement:

Certain parts of demo site will need to make REST requests to itself...

Might not be accessing the server from the loop back address, as you would expect, but might be configured with the FQDN similar to http://api.example.com/rest? and originate from the server's public IP-address instead.

You could add the server's public ip-addresses but that is much more easily resolved from Apache 2.4 ; the local provider allows access to the server if any of the following conditions is true:

the client address matches 127.0.0.0/8
the client address is ::1
both the client and the server address of the connection are the same

So instead of listing the loop back ip-addresses use:

Require valid-user
#  Office Gateway:
Require ip 202.161.24.210 
#  API access from this host:   
Require local            
#  Only one or more of the above needs to match:
Satisfy any

Best Answer

Related Solutions

Apache – Understanding Apache’s ‘Require All Granted’

HTTP Basic Auth unless connecting from the office with Apache 2.4

Related Topic