0

I have a static HTML website that being served by Apache 2.4 using SSI. I have been using basic authentication to control access to a subset of files and it has stopped behaving as expected. Essentially all I want to do is require a username / password for some parts of the website. I've included what I think is the relevant configuration with some names changed to protect privacy.

/etc/apache2/sites-enabled/example.conf

<VirtualHost *:80> ServerName site.example.com:80 ServerAdmin webmaster@localhost DocumentRoot /var/www/site <Directory /var/www/site/> Options Includes Indexes FollowSymLinks MultiViews AllowOverride All Require all granted </Directory> ErrorLog /var/log/apache2/error.log </VirtualHost>

/var/www/site/.htaccess

AuthType Basic AuthName "Site Access Control" AuthBasicProvider file AuthUserFile /var/www/site/passwords

/var/www/site/dir1/dir2/protected-dir/.htaccess

require valid-user

As I understand it, I have configured the site directory for my virtual host. At the top level directory I have configured basic authentication. In those directories where I wish to control access I require a valid user. The .htaccess files should combine accordingly.

When I browse to:

 site.example.com/dir1/dir2/protected-dir

I am granted access to the page and its contents are visible. This is not what I expect. In the Apache2 error log, I get the following:

[Sat Jul 04 11:03:12.073970 2015] [deflate:debug] [pid 19576] mod_deflate.c(855): [client 192.168.50.242:63254] AH01384: Zlib: Compressed 3036 to 656 : URL /dir1/dir2/protected-dir/index.shtml, referer: http://site.example.com/dir1/dir2/ [Sat Jul 04 11:03:12.095014 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://site.example.com/dir1/dir2/protected-dir/ [Sat Jul 04 11:03:12.095044 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://site.example.com/dir1/dir2/protected-dir/ [Sat Jul 04 11:03:12.095721 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of Require valid-user : granted, referer: http://site.example.com/dir1/dir2/protected-dir/ [Sat Jul 04 11:03:12.095741 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of <RequireAny>: granted, referer: http://site.example.com/dir1/dir2/protected-dir/ [Sat Jul 04 11:03:12.095994 2015] [deflate:debug] [pid 19576] mod_deflate.c(855): [client 192.168.50.242:63254] AH01384: Zlib: Compressed 1397 to 481 : URL /dir1/dir2/protected-dir/style.css, referer: http://site.example.com/dir1/dir2/protected-dir/

Can you determine what is wrong with my configuration?

Improve this question

2 Answers 2

Reset to default
1

I am granted access to the page and its contents are visible. This is not what I expect. However, the configuration contains Require all granted so it is expected that access to the page and its contents is granted.

Explanation

Require all

The all provider mimics the functionality that was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests. Require all granted Require all denied

How to solve the issue

You could use mod_authn_core

Creating Authentication Provider Aliases

Extended authentication providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the directives AuthBasicProvider or AuthDigestProvider in the same way as a base authentication provider. Besides the ability to create and alias an extended provider, it also allows the same extended authentication provider to be reference by multiple locations. Examples This example checks for passwords in two different text files. Checking multiple text password files # Check here first <AuthnProviderAlias file file1> AuthUserFile "/www/conf/passwords1" </AuthnProviderAlias> # Then check here <AuthnProviderAlias file file2> AuthUserFile "/www/conf/passwords2" </AuthnProviderAlias> <Directory "/var/web/pages/secure"> AuthBasicProvider file1 file2 AuthType Basic AuthName "Protected Area" Require valid-user </Directory>
Improve this answer
4
  • Thanks for responding. Unfortunately I'm not following. I see that I have Require all granted for the site as a whole. But I thought the Require valid-user in the protected directory would trigger basic authentication for the protected directory. Is that not the case? Commented Jul 4, 2015 at 7:35
  • @dave Answer has been updated. Please try it and if it does not work update the question. Commented Jul 4, 2015 at 18:58
  • Thanks this worked. It seems the key is having the Auth definition and the Require valid-user in the one .htaccess file in the directory. Perhaps the way .htaccess files combine changed from Apache V2.2 to V2.4? I've updated the question with the exact answer I used. Commented Jul 5, 2015 at 2:11
  • @dave You could also extend this answer by clicking the edit button and move the answer paragraph from the question to the answer as questions should not contain answers. Commented Jul 5, 2015 at 10:56
0

Based on the other answer I found combining the two .htaccess files into one and placing that in the directories I wished to protect did the trick. Here's the final file:

AuthType Basic AuthName "Site Access Control" AuthBasicProvider file AuthUserFile /var/www/site/passwords require valid-user
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.