I'm trying to allow unauthenticated access to certain scripts within a Nagios installation. Although the question is not specifically about Nagios nor the CGI handling that's also illustrated below.
Essentially, I want to require authentication for anything in a specific directory:
http://example.com/nagios/cgi-bin/....
except for 2 specific paths:
http://example.com/nagios/cgi-bin/avail.cgi....
http://example.com/nagios/cgi-bin/trends.cgi....
Currently I've got Apache set up to require authentication for all access to http://example.com/nagios/cgi-bin
ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
I'd prefer not to replicate the scripts in a different directory as this is packaged software and I want to minimise the support effort – I'm not sure what URLs within the package use canonical paths.
edit:
Could I use a FilesMatch instead of the Direcory block? If so, are the Apache regexes PCRE or POSIX based?
Edit 3:
Using
<FilesMatch "/(cgi-bin\/)(?!trends.cgi)(?!avail.cgi)/">
removes authentication from all URLs in the dir 🙁
I've also tried replicating the avail.cgi and trends.cgi scripts in a different directory. That appears to work – but the forms are not populated with any data from my Nagios config! It appears that there is an additional layer of authentication built into the Nagios code. This would also defeat the 'Require any / allow from ip' approach. 🙁
While the revised behaviour in MSIE may be correct wrt rfc 2396 its causing me horrible headaches!
Best Answer
Did you try to create a new folder with a symbolic link to your "open" cgi?