Security – Apache whitelist a single location, but require basic auth for everything else

apache-2.2http-authenticationSecurity

I'm sure this is simple, but Google is not my friend this morning.

The goal is:

/public… is openly accessible

everything else (including /) requires basic auth.

This is a WSGI app, with a single WSGI script (it's a django site, if that matters..)

I have this:

<Location /public>
  Order deny,allow
  Allow from all
</Location>
<Directory />
  AuthType Basic
  AuthName "My Test Server"
  AuthUserFile /path/to/.htpasswd
  Require valid-user
</Directory>

With this configuration, basic auth works fine, but the Location directive is totally ignored. I'm not surprised, as according to this (see How the Sections are Merged), the Directory directive is processed first.

I'm sure I'm missing something, but since Directory applies to a filesystem location, and I really only have the one Directory at /, and it's a Location that I wish to allow access to, but Directory always overrides Location…

EDIT

I'm using Apache 2.2, which doesn't support AuthType None.

Best Answer

For Apache 2.2 (and probably others in the 2 series older than 2.3):

<Location /public>
  Satisfy any
  Allow from all
</Location>
<Location />
  AuthType Basic
  AuthName "My Test Server"
  AuthUserFile /path/to/.htpasswd
  Require valid-user
</Location>

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Ssl – Django running on Apache+WSGI and apache SSL proxying

My solution thanks to Graham:



<Location /dirname>
    SSLVerifyClient      none
    SSLOptions           +FakeBasicAuth
    SSLRequireSSL
    AuthName             "name Authentication"
    AuthType             Basic
    AuthUserFile         /etc/httpd/stuff.passwd
    require              valid-user

    RequestHeader set X-Url-Scheme https


</Location>

ProxyPass /dirname http://django.test/dirname
ProxyPassReverse /dirname http://django.test/dirname

On django.test I added this :

 SetEnvIf X-Url-Scheme https HTTPS=1

after

  WSGIScriptAlias /dirname /path_to_wsgi_script/django.wsgi

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Ssl – Django running on Apache+WSGI and apache SSL proxying

Related Topic