(RHEL 6.2, Apache 2.2.1)
I'm trying to get a LAMP site running behind basic auth to prevent general access (it's a testing environment for a site still in production), and I've hit a problem where the multiple file upload feature fails because it is not correctly handling the authentication. I can see in the Apache logs that the authentication is dropped for the POST:
10.77.34.123 - testuser [14/Mar/2012:14:10:13 +1100] "GET /index.php/tools/required/files/import?ocID=&searchInstance=file1331694544 HTTP/1.1" 200 8558
10.77.34.123 - testuser [14/Mar/2012:14:10:13 +1100] "GET /concrete/js/swfupload/swfupload.js?_=1331694608575 HTTP/1.1" 200 36807
10.77.34.123 - testuser [14/Mar/2012:14:10:13 +1100] "GET /concrete/js/swfupload/swfupload.handlers.js?_=1331694608601 HTTP/1.1" 200 6443
10.77.34.123 - testuser [14/Mar/2012:14:10:13 +1100] "GET /concrete/js/swfupload/swfupload.fileprogress.js?_=1331694608621 HTTP/1.1" 200 7529
10.77.34.123 - testuser [14/Mar/2012:14:10:13 +1100] "GET /concrete/js/swfupload/swfupload.queue.js?_=1331694608636 HTTP/1.1" 200 3479
10.77.34.123 - testuser [14/Mar/2012:14:10:14 +1100] "GET /concrete/flash/swfupload/swfupload.swf?preventswfcaching=1331694608650 HTTP/1.1" 200 12419
10.77.34.123 - - [14/Mar/2012:14:10:20 +1100] "POST /index.php/tools/required/files/importers/multiple HTTP/1.1" 401 488
As a really quick fix I changed the Apache config to only require authentication for GET requests, not POST, but that is not desirable from a security standpoint. The current Apache directive is:
<Directory />
    AuthName "Priceline Portal Dev"
    AuthUserFile /home/dev_priceline/passwords
    <Limit GET>
        AuthType Basic
        Require valid-user
    </Limit>
</Directory>
This requires basic auth to access the site (via GET) but allows the POSTs through.
What I want to do is change it so that:
- POST requests containing "multiple" in the URL do not require authentication
- All other requests require basic auth.
Is there a way to do this using Apache directives? The multiple upload functionality is built into the CMS being used, and the basic auth will not be used in final production so I do not want to change the upload code itself.
Best Answer
Well, it's pretty ugly..
So, just allow for the auth rules to be ignored (assuming the host is allowed by Allow/Deny rules) just for POST requests that end in /multiple, as the one in your log does. How's that sound?
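One way to express that exception in Apache 2.2 syntax, as an added example rather than the answer's own configuration: authentication stays on for every method and path in the Directory block (no more <Limit GET>, so plain POSTs are protected again), and a LocationMatch block opens only POST requests whose path ends in /multiple, using Satisfy Any with an Allow rule so the host check alone satisfies access for that one case. The AuthName and AuthUserFile values are the ones from the question; the /multiple$ pattern is taken from the POST in the log, and the assumption is that no other unprotected endpoint ends in that suffix.

```apache
# Baseline: every method, every path requires a valid user.
<Directory />
    AuthType Basic
    AuthName "Priceline Portal Dev"
    AuthUserFile /home/dev_priceline/passwords
    Require valid-user
</Directory>

# Exception, limited to POST and to paths ending in "/multiple"
# (matches /index.php/tools/required/files/importers/multiple in the log).
# Satisfy Any means host access OR valid user; "Allow from all" makes the
# host check pass, so the uploader's unauthenticated POST is accepted here.
# GET to the same path, and every other request, still needs basic auth.
<LocationMatch "/multiple$">
    <Limit POST>
        Order allow,deny
        Allow from all
        Satisfy Any
    </Limit>
</LocationMatch>
```

Run `apachectl configtest` after the change and re-check the access log: the POST to .../multiple should return 200 with "-" as the user, while a POST to any other path should still produce a 401 like the one in the question. To keep the hole as small as possible, replace "Allow from all" with the test network (for example "Allow from 10.77.34.0/24", the subnet of the client in the log) so the exception only applies to hosts that are supposed to be using the test environment.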