We wish to set up a website for demo purposes only that we can:
1. Access from anywhere on the internet by entering a username and password via HTTP Basic Auth.
2. For ease of use, we wish not to have to go through HTTP Basic Auth from the office, which will be connecting from 202.161.24.210.
3. Certain parts of the demo site will need to make REST requests to itself, so we wish to whitelist 127.0.0.1 and ::1 too.
We seem to have achieved 2 and 3, but 1 doesn't work as well as we thought it would: our users keep getting reprompted for the HTTP Basic Auth username and password even though they are already authenticated and are just going to different pages of the web site. We noticed from the logs that they get the following error message when accessing certain assets:
[Tue Jun 09 10:50:03.442834 2015] [access_compat:error] [pid 5740:tid 140705259312896] [client 78.52.242.163:62774] AH01797: client denied by server configuration: /var/www/docroots/stage/lib/yui/build/moodle-core-checknet/assets/checknet.txt, referer: http://stage.example.org/mod/scorm/player.php
Here is our Apache vhost:
<VirtualHost *:80>
ServerName stage.example.org
DocumentRoot /var/www/docroots/stage
<Directory /var/www/docroots/stage>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
# Only visible on Office network or anyone with a valid password.
AuthType Basic
AuthName "Authorisation Required"
AuthUserFile "/var/www/htpasswd"
Require valid-user
Order allow,deny
Allow from 202.161.24.210 127 ::1
Satisfy any
</Directory>
</VirtualHost>
We are running Apache 2.4.6 on CentOS 7. Is our configuration correct? It seems that our configuration does work for the top-level files in /var/www/docroots/stage as well as other images, CSS and JavaScript files in subdirectories directly under it, but could it be that it forgets the HTTP Auth after a certain number of subdirectories? SELinux is in permissive mode.
Best Answer
Without the complete error message (I would expect the module and IP address) it's a bit of a guess, but you're mixing directives from two different modules in Apache 2.4: the Require directive from mod_authz_core and the "legacy" directives Allow and Order from mod_access_compat, which might not stack very well. You could try replacing the lines
With the following
With the already present Satisfy any, that should meet your requirements.
Your third requirement:
Might not be accessing the server from the loopback address, as you would expect, but might be configured with an FQDN similar to
http://api.example.com/rest?
and originate from the server's public IP address instead. You could add the server's public IP addresses, but that is much more easily resolved from Apache 2.4 on; the local provider allows access to the server if any of the following conditions is true:
So instead of listing the loopback IP addresses use:
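For reference, here is a complete vhost written the way the answer suggests, using only mod_authz_core/mod_authz_host directives and no Order, Allow or Satisfy at all. This is an added example, not the answer's own snippet or the original poster's config; the hostname, document root, htpasswd path and office address are taken from the question, and the explicit RequireAny block is an assumption about how the three conditions should be combined.

```apache
# Added example: Apache 2.4 vhost equivalent to the questioner's intent,
# without mixing mod_access_compat directives into the authorization logic.
<VirtualHost *:80>
    ServerName stage.example.org
    DocumentRoot /var/www/docroots/stage

    <Directory /var/www/docroots/stage>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None

        AuthType Basic
        AuthName "Authorisation Required"
        AuthUserFile "/var/www/htpasswd"

        # Access is granted if ANY one of the providers below succeeds.
        # (Several Require lines at the same level are implicitly wrapped in
        # RequireAny; it is spelled out here so the OR semantics are obvious.)
        <RequireAny>
            # 1. anyone on the internet with valid Basic Auth credentials
            Require valid-user
            # 2. the office, with no password prompt
            Require ip 202.161.24.210
            # 3. the server talking to itself: matches 127.0.0.0/8, ::1, and
            #    also the address the server is listening on, so REST calls
            #    to the site's own public name are covered too
            Require local
        </RequireAny>
    </Directory>
</VirtualHost>
```

Before reloading, run `apachectl configtest` and confirm both providers are available with `httpd -M | grep -E 'authz_core|authz_host'` (Require ip and Require local come from mod_authz_host, which CentOS 7 loads by default). Two caveats worth knowing: Require ip trusts every client behind 202.161.24.210, so anything NATed through that address bypasses the password; and Basic Auth over plain HTTP sends the credentials base64-encoded, not encrypted, so the password is readable on the wire unless the vhost is moved to HTTPS.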