apache-2.4 – Disabling Apache Basic Authentication for OPTIONS Requests

.htaccessapache-2.4authenticationhttp-basic-authentication

I have Apache basic authentication enabled on a test server and it works great:

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

But it is also trying to authenticate requests sent via the OPTIONS method. Which is a problem because the CORS specification says that you should Exclude user credentials – https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

How do I disable authentication for requests coming in with the OPTIONS method?

(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat )

Best Answer

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%{REQUEST_METHOD} != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

Related Solutions

Respond to HTTP OPTIONS with basic auth

Is the draconian approach of just denying the OPTIONS verb in IIS globally a possibility? You could install URLScan and put OPTIONS in the [DenyVerbs] configuration.

Nginx – Enable basic auth sitewide and disabling it for subpages

How about two files?

includes/proxy.conf would be:

proxy_pass http://appserver-1;
proxy_redirect              off;
proxy_set_header            Host $host;
proxy_set_header            X-Real-IP $remote_addr;
proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

And your current conf file:

upstream appserver-1 {
    server unix:/var/www/example.com/app/tmp/gunicorn.sock fail_timeout=0;
}
server {
    listen  80;
    server_name  example.com;

    location / {
        auth_basic                  "Restricted";
        auth_basic_user_file        /path/to/htpasswd;
        include includes/proxy.conf;
    }

    location /api/ {
        auth_basic          off;
        include includes/proxy.conf;
    }
}

Best Answer

Related Solutions

Respond to HTTP OPTIONS with basic auth

Nginx – Enable basic auth sitewide and disabling it for subpages

Related Topic