Combining Basic Authentication and LimitExcept in Apache 2.2 Virtual Host

I am trying to satisfy the following requirements (in Apache HTTPD 2.2):

  • If the HTTP method is anything other than HEAD, POST, or GET, do not allow access, regardless of any of the following.
  • If the user is internal, allow access without basic authentication.
  • If the user is external, try basic authentication and allow if they have good credentials.

This is one of many things I tried, but none of my attempts met all three requirements:

    <Directory /path/to/wwwroot>
        Options FollowSymLinks
        AllowOverride FileInfo

        # Basic Authentication
        AuthType Basic
        AuthName "Enter your site username and password."
        AuthUserFile /path/to/stage.passwords
        AuthGroupFile /path/to/stage.groups
        Require group stageusers

        # There is more logic for this variable in the real virtual host.
        # For this simplified example, manually set it (using the following)
        # or unset it (using !internal_user).
        SetEnv internal_user

        Order deny,allow
        Deny from all
        Allow from env=internal_user

        <LimitExcept HEAD POST GET>
            Deny from all
        </LimitExcept>

        Satisfy all
    </Directory>

I have read the documents on Satisfy, Limit, LimitExcept, Order and basic authentication, but it's hard for me to put them together.

What is a viable way to do this?

+5
1 answer

AFAICT in Apache 2.2, you need to return to the Satisfy Any approach, and then process the method check with mod_rewrite. This is the best route because your method checks are completely independent.

In 2.4, Limit / LimitExcept is replaced / simplified by mod_allowmethods, but require can also directly test methods. It’s much easier.

The rewrite part is pretty simple:

    RewriteEngine ON
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

But you need to make sure that it appears on every main vhost + server that can access the directory, unlike other directives.

Putting everything together:

    # Only allow expected HTTP methods.
    RewriteEngine ON
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

    <Directory /path/to/wwwroot>
        Options FollowSymLinks
        AllowOverride FileInfo
        Satisfy any

        # Basic Authentication
        AuthType Basic
        AuthName "Enter your site username and password."
        AuthUserFile /path/to/stage.passwords
        AuthGroupFile /path/to/stage.groups
        Require group stageusers

        # There is more logic for this variable in the real virtual host.
        # For this simplified example, manually set it (using the following)
        # or unset it (using !internal_user).
        SetEnv internal_user

        Order deny,allow
        Deny from all
        Allow from env=internal_user
    </Directory>
+3
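To make concrete why the asker's Satisfy all attempt fails requirement 3 while the answer's Satisfy any config meets all three, here is an added Python model of the decision the vhost makes (not Apache code and not from the original post); the user file, group file and credentials are constructed stand-ins.

```python
import base64
import re
from typing import Optional

# Constructed stand-ins for stage.passwords / stage.groups (Apache stores
# hashed passwords; plain text is used here purely to model the decision).
USERS = {"alice": "s3cret", "bob": "hunter2"}
GROUPS = {"stageusers": {"alice"}}          # bob is a valid user but not in the group
ALLOWED = re.compile(r"^(GET|HEAD|POST)$")  # the RewriteCond pattern from the answer


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(authorization: Optional[str]) -> bool:
    """AuthType Basic + Require group stageusers: valid password AND group membership."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, pw = decoded.partition(":")
    return USERS.get(user) == pw and user in GROUPS["stageusers"]


def decide(method: str, internal: bool, authorization: Optional[str], satisfy: str) -> int:
    """Status code the vhost yields for one request.

    1. RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ / RewriteRule .* - [F]
       rejects unexpected methods with 403 before any access control runs.
    2. Order deny,allow / Deny from all / Allow from env=internal_user is the
       host gate; the 'internal' flag models the env variable being set.
    3. Satisfy any -> either gate may pass (the answer's config).
       Satisfy all -> both gates must pass (the asker's attempt).
    """
    if not ALLOWED.match(method):
        return 403
    host_ok, auth_ok = internal, basic_auth_ok(authorization)
    allowed = (host_ok or auth_ok) if satisfy == "any" else (host_ok and auth_ok)
    if allowed:
        return 200
    # A host-gate denial under Satisfy all is final (403); otherwise Apache
    # challenges for credentials (401).
    return 403 if satisfy == "all" and not host_ok else 401
```

Under Satisfy all an external user with good credentials still gets 403, because the Deny from all host rule must also pass; under Satisfy any the same request succeeds while PUT is still rejected by the rewrite rule.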

Source: https://habr.com/ru/post/1236093/
