Apache location directive exception

apache-2.2authentication

I am trying to authenticate users for all URLs except for a regular expression:

https://www.example.com/****anything**** should request authentication
https://www.example.com/exams/****anything**** should NOT request authentication

This is my config today but it is not working:

<LocationMatch "^/exams">
    Order allow,deny
    Allow from all
</LocationMatch>

<Location "/">
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "PLEASE,AUTHENTICATE"
    AuthBasicProvider ldap-employees
    Require valid-user
</Location>

It asks authentication for every URL

Best Answer

I think you can accomplish this if you have mod_authz_host and mod_rewrite. Basically set an environment variable if the URL matches /exams and look for that and if it's set allow access. See the example below. In this example you would not have the additional <Location> tag.

SetEnvIf Request_URI "^/exams.*" accessgranted=1

<Location "/">
    Order deny,allow
    Satisfy any
    Deny from all
    Allow from env=accessgranted
    AuthType Basic
    AuthName "PLEASE,AUTHENTICATE"
    AuthBasicProvider ldap-employees
    Require valid-user
</Location>

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Windows – Apache httpd with LDAP error in CentOS

It turns out that SELinux was blocking Apache's connection to LDAP. Running the command:

grep -m 1 httpd /var/log/audit/audit.log | audit2why

I was able to find out that Apache was trying to connect to a port that SELinux didn't recognize. After following suggestions from this site and the CentOS/SELinux documentation I was able to reach a solution. My troubles were caused by the use of non-standard LDAP port (as recommended by OpenDS). By adding these ports to SELinux under "ldap_port_t" I was able to resolve the issue. As root (or "sudo") run the below commands replacing the port numbers with your own LDAP/LDAPS port numbers.

semanage port -a -t ldap_port_t -p tcp 1389
semanage port -a -t ldap_port_t -p tcp 8636
semanage port -a -t ldap_port_t -p udp 1389
semanage port -a -t ldap_port_t -p upd 8636

I hope this helps someone in the future from banging their head against the wall as much as I did.

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Windows – Apache httpd with LDAP error in CentOS

Related Topic