
I'm having a problem with using Apache basic authentication. I have a single EC2 server sitting behind an AWS elastic load balancer and CloudFront. I run several domains on the machine. I use Apache basic authentication for access to certain areas, but all use the same htpasswd and htgroups files. It's working fine for one domain, restricting access to a full subdomain, but for another domain, it's not working for restricting access to a location (or, it's working too well — I can't get access).

Environment: Apache 2.4.43, OpenSSL 1.0.2k-fips, SVN 1.14.0, PHP 7.4.5

The failure mode is for an Apache location defined in conf.d/subversion.conf:

    <Location /repos>
        DAV svn
        SVNParentPath /var/svn/
        SVNListParentPath On
        LogLevel debug
        Options All
        AllowOverride All Options
        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile /mnt/data/etc/htpasswd
        AuthGroupFile /mnt/data/etc/htgroups
        Require group subversion
    </Location>

And the error file shows

    [Mon Aug 17 00:04:47.658169 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:47.658511 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.816887 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.817233 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

In the conf.d/vhost.conf file for www.myhost.com, where I'm trying to reach www.myhost.com/repos using the above config for SVN, I also have

    <Directory />
        Options All
        #Allow from All
        #Order Allow,Deny
        Require all granted
        AllowOverride All Options
        ...

I spent a long time running down various ratholes before I remembered (and confirmed) I'm using the same auth mechanism for a different scenario on the same EC2 host and Apache instance. This works fine in vhost.conf:

    ServerName dev.anotherdomain.com
    <Directory />
        Options All
        #Allow from All
        #Order Allow,Deny
        AllowOverride All Options
        # AuthType Digest
        AuthType Basic
        AuthName "DevAndTest"
        AuthUserFile /mnt/data/etc/htpasswd
        AuthGroupFile /mnt/data/etc/htgroups
        Require group adifferentgroup
    </Directory>

This seems to work fine, which has me a little flummoxed :(

1 Answer

It turned out that the issue was I needed to whitelist Authorization headers in the CloudFront distribution. The subdomain case in the original question worked because it wasn't sitting behind CloudFront.
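
A log check for the failure mode this answer identifies, added here as an example (not code from the question or the answer): it reads AH01626 lines in the format shown in the question and flags the case where every request stops at "no authenticated user yet". It assumes that a request which does carry credentials logs a further AH01626 result (`granted` or `denied`) for the same rule; the sample lines and the helper names are constructed.

```python
import re
from collections import defaultdict

# AH01626 debug lines from mod_authz_core, in the format shown in the question.
AH01626 = re.compile(
    r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\] AH01626: "
    r"authorization result of (?P<rule>.+?): (?P<result>.+)$"
)
USERLESS = "denied (no authenticated user yet)"

def summarize(lines):
    """Per (pid, client) connection: userless denials vs. decisions made with a user."""
    stats = defaultdict(lambda: {"userless": 0, "with_user": 0})
    for line in lines:
        m = AH01626.search(line.strip())
        if m:
            kind = "userless" if m["result"] == USERLESS else "with_user"
            stats[(m["pid"], m["client"])][kind] += 1
    return dict(stats)

def credentials_never_arrive(lines, min_connections=2):
    """Heuristic (assumption): several connections reach the auth check and none
    ever gets a decision for an authenticated user, which is what Apache logs
    when an upstream hop drops the Authorization header."""
    probed = [s for s in summarize(lines).values() if s["userless"]]
    return len(probed) >= min_connections and all(s["with_user"] == 0 for s in probed)

def _line(pid, client, rule, result):
    # Builds a constructed log line; the timestamp is a fixed placeholder.
    return (f"[Mon Aug 17 00:00:00.000000 2020] [authz_core:debug] [pid {pid}] "
            f"mod_authz_core.c(818): [client {client}] AH01626: "
            f"authorization result of {rule}: {result}")

CONNS = ((30612, "10.0.200.51:11378"), (30548, "10.0.200.51:11382"))
RULES = ("Require group subversion", "<RequireAny>")

# Constructed sample mirroring the question's log: only userless denials.
STRIPPED = [_line(p, c, r, USERLESS) for p, c in CONNS for r in RULES]
# Constructed sample of a working flow: the same checks, then a decision with a user.
HEALTHY = STRIPPED + [_line(p, c, r, "granted") for p, c in CONNS for r in RULES]

if __name__ == "__main__":
    print("header likely stripped:", credentials_never_arrive(STRIPPED))
    print("working flow flagged:  ", credentials_never_arrive(HEALTHY))
```
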
