updating with a critical piece of information which became obvious when I found the answer — CloudFront was in the way
philolegein

mod_authz_basic and CloudFront (was: mod_authz basic Directory vs. Location with vhosts)

I'm having a problem with using Apache basic authentication. I have a single EC2 server sitting behind an AWS elastic load balancer and CloudFront. I run several domains on the machine. I use Apache basic authentication for access to certain areas, but all use the same htpasswd and htgroups files. It's working fine for one domain, restricting access to a full subdomain, but for another domain, it's not working for restricting access to a location (or, it's working too well — I can't get access).

philolegein

mod_authz basic Directory vs. Location with vhosts

I'm having a problem with using Apache basic authentication. I have a single EC2 server sitting behind an AWS elastic load balancer. I run several domains on the machine. I use Apache basic authentication for access to certain areas, but all use the same htpasswd and htgroups files. It's working fine for one domain, restricting access to a full subdomain, but for another domain, it's not working for restricting access to a location (or, it's working too well — I can't get access).

Environment:

  • Apache 2.4.43
  • OpenSSL 1.0.2k-fips
  • SVN 1.14.0
  • PHP 7.4.5

The failure mode is for an Apache location defined in conf.d/subversion.conf:

    <Location /repos>
        DAV svn
        SVNParentPath /var/svn/
        SVNListParentPath On
        LogLevel debug
        Options All
        AllowOverride All Options
        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile /mnt/data/etc/htpasswd
        AuthGroupFile /mnt/data/etc/htgroups
        Require group subversion
    </Location>

And the error file shows

    [Mon Aug 17 00:04:47.658169 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:47.658511 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.816887 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.817233 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

In the conf.d/vhost.conf file for www.myhost.com, where I'm trying to reach www.myhost.com/repos using the above config for SVN, I also have

    <Directory />
        Options All
        #Allow from All
        #Order Allow,Deny
        Require all granted
        AllowOverride All Options
        ...

I spent a long time running down various ratholes before I remembered (and confirmed) I'm using the same auth mechanism for a different scenario on the same EC2 host and Apache instance. This works fine in vhost.conf:

    ServerName dev.anotherdomain.com
    <Directory />
        Options All
        #Allow from All
        #Order Allow,Deny
        AllowOverride All Options
        # AuthType Digest
        AuthType Basic
        AuthName "DevAndTest"
        AuthUserFile /mnt/data/etc/htpasswd
        AuthGroupFile /mnt/data/etc/htgroups
        Require group adifferentgroup
    </Directory>

This seems to work fine, which has me a little flummoxed :(
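
A triage aid for the error log above, added here as an example and not part of the original question: it separates logged clients that only ever reach the "no authenticated user yet" pass from clients that later get a result with a user, which is the pattern to look for when something in front of Apache keeps credentials from arriving. The function names and the `10.0.200.77` entries are constructed for illustration, and the two-pass logging behaviour is an assumption noted in the code.

```python
import ipaddress
import re
from collections import defaultdict

# AH01626 debug entries from mod_authz_core, in the format shown in the question.
AH01626 = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] AH01626: authorization result of "
    r"(?P<rule>.+?): (?P<result>granted|denied|neutral)(?: \((?P<reason>[^)]*)\))?"
)
NO_USER = "no authenticated user yet"


def summarize(lines):
    """Count, per logged client address, results without and with a user."""
    stats = defaultdict(lambda: {"no_user": 0, "with_user": 0})
    for line in lines:
        m = AH01626.search(line)
        if m:  # skip anything that is not an authorization-result entry
            key = "no_user" if m["reason"] == NO_USER else "with_user"
            stats[m["ip"]][key] += 1
    return dict(stats)


def never_authenticated(stats):
    # Assumption: a request that carries credentials logs a further AH01626
    # result (granted or denied) after the initial "no authenticated user yet".
    return sorted(ip for ip, s in stats.items() if s["no_user"] and not s["with_user"])


def is_intermediary(ip):
    # Heuristic: a private source address is a proxy hop, not the end user.
    return ipaddress.ip_address(ip).is_private


# The 10.0.200.51 entries are from the question; 10.0.200.77 is constructed.
SAMPLE = [
    "[Mon Aug 17 00:04:47.658169 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)",
    "[Mon Aug 17 00:04:47.658511 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    "[Mon Aug 17 00:05:10.000001 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.77:40000] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)",
    "[Mon Aug 17 00:05:10.000002 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.77:40000] AH01626: authorization result of Require group subversion: granted",
]

if __name__ == "__main__":
    for ip in never_authenticated(summarize(SAMPLE)):
        print(f"{ip}: no credentials seen, intermediary hop: {is_intermediary(ip)}")
```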