https://bz.apache.org/bugzilla/show_bug.cgi?id=68602
Bug ID: 68602
Summary: mod_auth config file breaking htaccess basic auth
Product: Apache httpd-2
Version: 2.4.37
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_auth
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Issue
-
When enabling a Require rule to manage bot access / whitelists, via a config
file in /etc/httpd/conf.d/block.conf, basic auth via a .htaccess is no longer
honoured.
This same method detailed below was previously used on Apache 2.2, using 'Deny
from env=BlockBot', 'Allow from env=Whitelist' without issue. It appears that
this functionality may have become broken in the switch to the new 2.4 auth
format.
To replicate
-
Install httpd, using the basic default vhost provided by the base config, with
AllowOverride enabled for .htaccess use:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
# Create test file and confirm working:
echo test > /var/www/html/index.html
:~$ curl http://x.x.x.x/index.html
test
# Created htaccess w/ basic auth:
AuthType Basic
AuthName "Protected dir"
AuthUserFile "/var/www/html/.passwd"
Require valid-user
# Pass file w/ test:testtest
test:{SHA}Uau5Y2B43vv4iNhFenx2+FyPEUw=
# Confirm prompts for auth:
:~$ curl http://x.x.x.x/index.html -I
HTTP/1.1 401 Unauthorized
:~$ curl http://x.x.x.x/index.html -u test:testtest
test
# Add Block, which blocks based on a 'badbot' env variable, or allows via use of
env variable 'whitelist' - which customers use to allow otherwise blocked bots
through. Full use-case slightly more complex, but simplified for demo
purposes:
# cat /etc/httpd/conf.d/block.conf
<Location />
    <RequireAny>
        <RequireAll>
            Require env Whitelist
        </RequireAll>
        <RequireAll>
            Require all granted
            Require not env BlockBot
        </RequireAll>
    </RequireAny>
</Location>
# restart apache and test:
:~$ curl http://x.x.x.x/index.html
test
# Removing the config file resolves the issue and reinstates the basic auth.
Notes
-
I am unclear if this is an issue with how I have implemented this, or if I've
come across a bug - however no permutation I have tried has resolved this
issue. If it is an implementation issue, could you please let me know how I
should be handling the access control in a scenario where I want to block a
given env var across all vhosts, with a whitelist set via .htaccess at a
customer level as shown above.
Thank you for your time.
Regards
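
The section-merge behaviour behind the result above, as an added example that is not part of the original report and not the project's own answer: httpd 2.4 merges <Location> sections after <Directory> and .htaccess, and with the default "AuthMerging Off" the authorization directives of the later section replace those of the earlier one. The second form assumes the intent is to apply the bot filter in addition to any per-directory authentication; env names and paths are reused from the report.

```apache
# Alternative A and B are shown side by side for comparison; load only one.

# --- A: as reported (basic auth from .htaccess is lost) ---
# Merge order: <Directory> and .htaccess first, <Location> last.
# AuthMerging defaults to Off, so the Require logic below REPLACES
# "Require valid-user" from /var/www/html/.htaccess instead of adding to it.
# Any client without BlockBot set is therefore granted without credentials.
<Location />
    <RequireAny>
        <RequireAll>
            Require env Whitelist
        </RequireAll>
        <RequireAll>
            Require all granted
            Require not env BlockBot
        </RequireAll>
    </RequireAny>
</Location>

# --- B: bot filter combined with the earlier section's authorization ---
# "AuthMerging And" makes this section behave as if its logic and that of the
# nearest preceding section containing authorization logic were wrapped in a
# single <RequireAll>. For /var/www/html that predecessor is the .htaccess
# (Require valid-user); for a directory without .htaccess it is the
# <Directory> block (Require all granted), leaving only the bot filter.
<Location />
    AuthMerging And
    <RequireAny>
        <RequireAll>
            Require env Whitelist
        </RequireAll>
        <RequireAll>
            Require all granted
            Require not env BlockBot
        </RequireAll>
    </RequireAny>
</Location>
```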