HTTP Basic Auth unless connecting from the office with Apache 2.4

Tags: apache-2.4, htpasswd, http-basic-authentication

We wish to set up a website for demo purposes only that we can:

  1. Access from anywhere on the internet by entering a username and password via HTTP Basic Auth.
  2. For ease of use, not have to go through HTTP Basic Auth from the office, where our office will be connecting from 202.161.24.210.
  3. Certain parts of the demo site will need to make REST requests to itself, so we wish to whitelist 127.0.0.1 and ::1 too.

We seem to have achieved 2 and 3, but 1 doesn't work as well as we thought it would: our users keep getting reprompted for the HTTP Basic Auth username and password even though they are already authenticated and are just going to different pages of the web site. We noticed from the logs that they get the following error message when accessing certain assets:

[Tue Jun 09 10:50:03.442834 2015] [access_compat:error] [pid 5740:tid 140705259312896] [client 78.52.242.163:62774] AH01797: client denied by server configuration: /var/www/docroots/stage/lib/yui/build/moodle-core-checknet/assets/checknet.txt, referer: http://stage.example.org/mod/scorm/player.php

Here is our Apache vhost:

<VirtualHost *:80>
    ServerName stage.example.org

    DocumentRoot /var/www/docroots/stage
    <Directory /var/www/docroots/stage>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None

        # Only visible on Office network or anyone with a valid password.
        AuthType Basic
        AuthName "Authorisation Required"
        AuthUserFile "/var/www/htpasswd"
        Require valid-user
        Order allow,deny
        Allow from 202.161.24.210 127 ::1
        Satisfy any
    </Directory>
</VirtualHost>

We are running Apache 2.4.6 on CentOS 7. Is our configuration correct? It seems like our configuration does work for the top-level files at /var/www/docroots/stage, as well as other images, CSS and JavaScript files in subdirectories directly under it, but could it be that it forgets the HTTP Auth after a certain number of subdirectories? SELinux is in permissive mode.

Best Answer

Without the complete error message (I would expect the module and IP address) it's a bit of a guess, but you're mixing directives from two different modules in Apache 2.4: the Require directive from mod_authz_core and the "legacy" directives Allow and Order from mod_access_compat, which might not stack very well.

You could try replacing the lines

Order allow,deny
Allow from 202.161.24.210 127 ::1

With the following

Require ip 202.161.24.210 127 ::1/128

With the already present Satisfy any that should meet your requirements.

Your third requirement:

Certain parts of demo site will need to make REST requests to itself...

might not be accessing the server from the loopback address, as you would expect, but might be configured with the FQDN, similar to http://api.example.com/rest?, and originate from the server's public IP address instead.

You could add the server's public IP addresses, but that is much more easily resolved from Apache 2.4 on; the local provider allows access to the server if any of the following conditions is true:

  • the client address matches 127.0.0.0/8
  • the client address is ::1
  • both the client and the server address of the connection are the same

So instead of listing the loopback IP addresses, use:

Require valid-user
#  Office Gateway:
Require ip 202.161.24.210
#  API access from this host:
Require local
#  Only one or more of the above needs to match:
Satisfy any
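For reference, here is the complete vhost rewritten with only Apache 2.4 authorization directives. This is an added example, not the asker's or the answerer's configuration: it wraps the three alternatives in an explicit <RequireAny> container (bare Require lines in a <Directory> are OR-ed the same way) and drops Order, Allow and Satisfy entirely, so mod_access_compat is no longer involved. The hostname, paths and office address are the ones from the question.

```apache
<VirtualHost *:80>
    ServerName stage.example.org
    DocumentRoot /var/www/docroots/stage

    <Directory /var/www/docroots/stage>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None

        AuthType Basic
        AuthName "Authorisation Required"
        # Keep the password file outside the DocumentRoot, as here.
        AuthUserFile "/var/www/htpasswd"

        # Apache 2.4 authorization only: no Order/Allow/Satisfy.
        # Access is granted if ANY of the following matches.
        <RequireAny>
            # Office gateway
            Require ip 202.161.24.210
            # 127.0.0.0/8, ::1, or any connection whose client and server
            # address are identical (covers self-requests to the public IP)
            Require local
            # Everyone else must present credentials from AuthUserFile
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

Create the password file with a bcrypt hash (`htpasswd -B -c /var/www/htpasswd demo`), run `apachectl configtest` before reloading, and check the result with curl: `curl -s -o /dev/null -w '%{http_code}\n' http://stage.example.org/` should return 401 from an off-site address and 200 when `-u demo:password` is added or when run on the server itself. Note that Basic Auth over plain HTTP sends the credentials base64-encoded, not encrypted, so if the demo holds anything sensitive put the same <Directory> block behind a TLS vhost instead of port 80.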