Apache access control not behaving as expected


I am granted access to the page and its contents are visible. This is not what I expect. However, the configuration contains Require all granted so it is expected that access to the page and its contents is granted.

Explanation

Require all

The all provider mimics the functionality that was previously provided by the 
'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments
which are 'granted' or 'denied'. The following examples will grant or deny access to all
requests.

Require all granted

Require all denied

How to solve the issue

You could use mod_authn_core

Creating Authentication Provider Aliases

Extended authentication providers can be created within the configuration file and assigned
an alias name. The alias providers can then be referenced through the directives 
AuthBasicProvider or AuthDigestProvider in the same way as a base authentication provider. 
Besides the ability to create and alias an extended provider, it also allows the same 
extended authentication provider to be referenced by multiple locations.

Examples

Checking multiple text password files

This example checks for passwords in two different text files.

# Check here first
<AuthnProviderAlias file file1>
    AuthUserFile "/www/conf/passwords1"
</AuthnProviderAlias>

# Then check here
<AuthnProviderAlias file file2>
    AuthUserFile "/www/conf/passwords2"
</AuthnProviderAlias>

<Directory "/var/web/pages/secure">
    AuthBasicProvider file1 file2

    AuthType Basic
    AuthName "Protected Area"
    Require valid-user
</Directory>
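The alias example above chains two password files with AuthBasicProvider file1 file2. The following Python model, added here and not part of the answer or of Apache itself, shows the order in which such a chain is consulted: providers are tried in the listed order, the first file that contains the username decides, and a wrong password in that file ends the lookup without consulting the next file. Only the {SHA} htpasswd format is implemented; the user names, passwords and file contents are constructed for the illustration.

```python
"""Model of how 'AuthBasicProvider file1 file2' walks a chain of password files.

Added example, not code from the original answer or from Apache. It mirrors
mod_auth_basic's provider loop: providers are tried in order and the first
one that *finds* the user decides, so a user found with a wrong password in
file1 is denied even if file2 holds a matching entry. Only the {SHA} htpasswd
format is handled; apr1, bcrypt and crypt entries are treated as denied.
"""
import base64
import hashlib
import hmac

USER_NOT_FOUND, DENIED, GRANTED = "user-not-found", "denied", "granted"


def sha_entry(password):
    """Build an htpasswd '{SHA}' field: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def check_file(lines, username, password):
    """Act as one 'file' provider over the lines of an AuthUserFile."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user != username:
            continue
        if not stored.startswith("{SHA}"):
            return DENIED  # other hash formats are outside this illustration
        ok = hmac.compare_digest(stored, sha_entry(password))
        return GRANTED if ok else DENIED
    return USER_NOT_FOUND


def check_chain(files, username, password):
    """Walk providers in AuthBasicProvider order; stop at the first file that knows the user."""
    for lines in files:
        result = check_file(lines, username, password)
        if result != USER_NOT_FOUND:
            return result
    return DENIED  # no provider knows the user: Apache answers 401


# Constructed sample files (hypothetical users and passwords).
PASSWORDS1 = [
    "# constructed stand-in for /www/conf/passwords1",
    "alice:" + sha_entry("alice-pw"),
    "bob:" + sha_entry("bob-old-pw"),
]
PASSWORDS2 = [
    "# constructed stand-in for /www/conf/passwords2",
    "bob:" + sha_entry("bob-new-pw"),
    "carol:" + sha_entry("carol-pw"),
]

if __name__ == "__main__":
    chain = [PASSWORDS1, PASSWORDS2]
    for user, pw in [("alice", "alice-pw"), ("carol", "carol-pw"),
                     ("bob", "bob-new-pw"), ("dave", "anything")]:
        print(f"{user}: {check_chain(chain, user, pw)}")
```

The bob case is the one worth remembering when rotating a password by adding a second file: because file1 already lists bob, the stale entry there wins and the new entry in file2 is never consulted.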

Author: dave
Updated on September 18, 2022

Comments

  • dave
    dave almost 2 years

    I have a static HTML website that is being served by Apache 2.4 using SSI. I have been using basic authentication to control access to a subset of files and it has stopped behaving as expected. Essentially all I want to do is require a username / password for some parts of the website. I've included what I think is the relevant configuration with some names changed to protect privacy.

    /etc/apache2/sites-enabled/example.conf

    <VirtualHost *:80>
        ServerName site.example.com:80
        ServerAdmin webmaster@localhost
    
        DocumentRoot /var/www/site
        <Directory /var/www/site/>
            Options Includes Indexes FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog /var/log/apache2/error.log
    </VirtualHost>
    

    /var/www/site/.htaccess

    AuthType        Basic
    AuthName        "Site Access Control"
    AuthBasicProvider   file
    AuthUserFile   /var/www/site/passwords
    

    /var/www/site/dir1/dir2/protected-dir/.htaccess

    require valid-user
    

    As I understand it, I have configured the site directory for my virtual host. At the top level directory I have configured basic authentication. In those directories where I wish to control access I require a valid user. The .htaccess files should combine accordingly.

    When I browse to:

     site.example.com/dir1/dir2/protected-dir
    

    I am granted access to the page and its contents are visible. This is not what I expect. In the Apache2 error log, I get the following:

    [Sat Jul 04 11:03:12.073970 2015] [deflate:debug] [pid 19576] mod_deflate.c(855): [client 192.168.50.242:63254] AH01384: Zlib: Compressed 3036 to 656 : URL /dir1/dir2/protected-dir/index.shtml, referer: http://site.example.com/dir1/dir2/
    [Sat Jul 04 11:03:12.095014 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://site.example.com/dir1/dir2/protected-dir/
    [Sat Jul 04 11:03:12.095044 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://site.example.com/dir1/dir2/protected-dir/
    [Sat Jul 04 11:03:12.095721 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of Require valid-user : granted, referer: http://site.example.com/dir1/dir2/protected-dir/
    [Sat Jul 04 11:03:12.095741 2015] [authz_core:debug] [pid 19576] mod_authz_core.c(802): [client 192.168.50.242:63254] AH01626: authorization result of <RequireAny>: granted, referer: http://site.example.com/dir1/dir2/protected-dir/
    [Sat Jul 04 11:03:12.095994 2015] [deflate:debug] [pid 19576] mod_deflate.c(855): [client 192.168.50.242:63254] AH01384: Zlib: Compressed 1397 to 481 : URL /dir1/dir2/protected-dir/style.css, referer: http://site.example.com/dir1/dir2/protected-dir/
    

    Can you determine what is wrong with my configuration?

  • dave
    dave almost 9 years
    Thanks for responding. Unfortunately I'm not following. I see that I have Require all granted for the site as a whole. But I thought the Require valid-user in the protected directory would trigger basic authentication for the protected directory. Is that not the case?
  • dave
    dave almost 9 years
    Thanks this worked. It seems the key is having the Auth definition and the Require valid-user in the one .htaccess file in the directory. Perhaps the way .htaccess files combine changed from Apache V2.2 to V2.4? I've updated the question with the exact answer I used.
  • 030
    030 almost 9 years
    @dave You could also extend this answer by clicking the edit button and move the answer paragraph from the question to the answer as questions should not contain answers.