Apache2 with basic auth: exclude one location from auth (weird behaviour)

apache-2.2authenticationhttp-basic-authentication

I have basic auth set for Directory / and want to exclude Location /assets/upload, but it just won't work, I have tried several options and tutorials.

This Location directive clears the Directory auth config and disables basic auth for the whole website:

<Directory "/">
    AuthType Basic
    AuthName "Staging"
    AuthUserFile /var/.../.htpasswd
    AuthGroupFile /dev/null
    Require valid-user
</Directory>

<Location "/">
    Order deny,allow
    Allow from all
    Satisfy any
</Location>

However, I just want /assets/upload to be without basic auth, but if I change the 1st parameter of Location to /assets/upload, the whole page, including /assets/upload is protected by basic auth…

<Location "/assets/upload">
    Order deny,allow
    Allow from all
    Satisfy any
</Location>

What could be wrong here?

Version: Apache/2.2.16 (Debian)

Best Answer

I'm afraid you seem to have misunderstood a few Apache concepts here. The argument in a <Directory> block is a full file system path, not one relative to the server root. You should never really change the <Directory /> block from the default. You do not need to change it for your configuration to work.

The argument to a <Location> block is relative to the server root. So you just need two of these blocks to achieve what you wish.

<Location "/assets/upload">
    Order deny,allow
    Allow from all
    Satisfy any
</Location>

<Location "/">
    AuthType Basic
    AuthName "Staging"
    AuthUserFile /var/.../.htpasswd
    AuthGroupFile /dev/null
    Require valid-user
</Location>

You should have a single <Directory /> block in the global/server context (i.e. not inside any vhost) and it should be something like this.

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Tomcat – Basic auth Apache with Tomcat

It made me suspicious that I got a 401 error from the tomcat application. it seems, that apache fowarded the authorization request, though it shouldn't. I had to remove the "Authorization" parameter from the request header.

To do this. I enabled mod_headers and added RequestHeader unset "Authorization" just before the ProxyPass directives.

So my config looks like the following now:

<VirtualHost *:80>

        ProxyRequests           Off
        ProxyPreserveHost       On

        RequestHeader unset "Authorization"       

        <Location "/tickets/rest/">
                  Satisfy Any
                  Order allow,deny
                  Allow from all
        </Location>

        <Location />
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/apache2/.htpasswd
                Require user myuser
        </Location>

        ProxyPass                /tickets       http://localhost:8081/tickets
        ProxyPassReverse         /tickets       http://localhost:8081/tickets

</VirtualHost>

EDIT:

Jira uses its own REST-API for the gadgets, so I had to define a Location-Tag for /tickets/rest path.

removed proxy-tag
added Location-Tag for the jira-rest API

Got ideas to solve the problem from:

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Tomcat – Basic auth Apache with Tomcat

Related Topic