How to exclude a file in a folder from basic auth (regex help)

apache-2.2regex

I have a folder on my site which contains admin files and I've added basic auth following a little unwanted attention. This works fine however a couple of the admin functions won't work through basic auth as they handle file uploads and so I want to exclude these files from the auth. It shouldn't have any security implications as any rogue user wouldn't be able to access the pages that could create a session to use these functions.

I am using the following basic code to exclude a file:

<FilesMatch "(index.php\/myadminfolder\/myurl\/myaction/someotherstuff?)$">
Satisfy Any
Order allow,deny
Allow from all
Deny from none
</FilesMatch>

The URL exclusion is not working.

The URL to exclude is in the form:

index.php/directory/subdirectory/action/uniqueid/blah

What is the correct URL string to add to FilesMatch to exclude any files that start with the pattern of index.php/directory/subdirectory/action – regardless of what comes after action?

Thanks

Simon

Best Answer

I suppose the file index.php/directory/subdirectory/action/uniqueid/blah does not really exist. There is probably only an index.php file to which you append /directory/subdirectory/action/uniqueid/blah as PATH_INFO.

Try using Location/LocationMatch instead of Files/FilesMatch.

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Security – How to use basic auth for single file in otherwise forbidden Apache directory

Try this:

<Directory /var/www/html/admin>
  <Files allowed.php>
    AuthType basic
    AuthName "private area"
    AuthUserFile /home/webroot/.htusers
    Require user admin1
  </Files>
  order allow,deny
  deny from all
  satisfy any
</Directory>

Files nested inside a Directory will only apply therein so your code block is more logically organized, and I think using the 'Satisfy any' will allow them to be merged as planned. I'm not sure if it's actually required so try it with and without the satisfy line...

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Security – How to use basic auth for single file in otherwise forbidden Apache directory

Related Topic