6

I'm trying to expose a location through Apache. Normally, I have this block in my vhost that says

<Location /> AuthType Basic AuthUserFile /web/.htpasswd AuthName "Test Site" Require valid-user </Location>

This works just fine - everything served up requires a valid user. Now I want to expose a service that doesn't require authentication so I'm looking for a way to make all locations except for /services require authentication. I've been playing with LocationMatch, but I'm not entirely clear on what it's doing.

<LocationMatch ^/(?!services)[^.]*$> AuthType Basic ... </LocationMatch>

Allows /services and everything beneath it to skip the LocationMatch, but it has the side-effect of allowing example.com/.somefile to bypass the LocationMatch block.

Additionally, when I tried

<LocationMatch ^/(?!services)> AuthType Basic ... </LocationMatch>

everything (including /services) is matched by the LocationMatch.

I'd appreciate if someone could tell me what the [^.]* class does that the second test doesn't and how to expose only /services while keeping all other paths under authentication.

Improve this question

5 Answers 5

Reset to default
2

This page by Antonio Lorusso suggests the following to exclude folders from apache authentication:

<Location "/"> AuthType Basic AuthName "Restricted Files" AuthUserFile /var/www/clients/client12/web17/passwd AuthGroupFile /dev/null Require valid-user SetEnvIf Request_URI "^/(admin|skin|js|index)(.*)$" allow SetEnvIf Request_URI "^/favicon.ico$" allow Order allow,deny Allow from env=allow Satisfy Any </Location>

In this case URLs starting with /admin, /skin, /js or /index will be ignored by auth.

The key part of this section for you is:

SetEnvIf Request_URI "^/(admin|skin|js|index)(.*)$" allow

In your case the appropriate code would be:

SetEnvIf Request_URI "^/services(.*)$" allow

_

Improve this answer
1

Well, [^.] means "not a .", which is why /.somefile doesn't match. A possible reason why your last example doesn't work is because Perl-compatible regular expressions are only supported starting with Apache 2.0, so if you're on Apache 1.3 (you really should specify an Apache version in your question), that'd be it.

Improve this answer
1

Mantain the 

<Location /> AuthType Basic AuthUserFile /web/.htpasswd AuthName "Test Site" Require valid-user </Location>

and add a this new Location

<Location /services> Satisfy any Order deny,allow </Location>
Improve this answer
4
  • Does not work on apache 2.2 Commented Apr 7, 2017 at 7:53
  • Locations must be on that order: first /, second /services. If applied the other way around, /services would be ignored Commented Apr 7, 2017 at 10:21
  • I tried in the both orders... I was closed to abandon... And I found Commented Apr 11, 2017 at 13:23
  • This works for me on Apache 2.4, with the exception added after the password. Commented Aug 17, 2023 at 8:17
1

With apache 2.4, you can do something like this:

<Location /> <If "%{REQUEST_URI} =~ m#^/services/#"> Satisfy any Order deny,allow </If> <Else> AuthType Basic AuthUserFile /web/.htpasswd AuthName "Test Site" Require valid-user </Else> </Location>
Improve this answer
0

Tried many ways without success.
And finally this works on apache 2.2.

  • Two paths are unauthorized and others paths yes
  • I added rewriting from / to /ui in order to make it possible

Hère is LocationMatch directive use 

 <LocationMatch /(firstpath|secondpath).*> AuthType Basic AuthName "Restricted AREA " AuthUserFile /etc/apache2/security/password AuthGroupFile /etc/apache2/security/group Require group admin Order allow,deny Allow from 127.0.0.1 Allow from 10.0.0.0/24 Allow from env=allowclient Satisfy any </LocationMatch>
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.