
I'm having a problem with using Apache basic authentication. I have a single EC2 server sitting behind an AWS elastic load balancer and CloudFront. I run several domains on the machine. I use Apache basic authentication for access to certain areas, but all use the same htpasswd and htgroups files. It's working fine for one domain, restricting access to a full subdomain, but for another domain, it's not working for restricting access to a location (or, it's working too well — I can't get access).

Environment: Apache 2.4.43, OpenSSL 1.0.2k-fips, SVN 1.14.0, PHP 7.4.5

The failure mode is for an Apache location defined in conf.d/subversion.conf:

    <Location /repos>
            DAV svn
            SVNParentPath /var/svn/
            SVNListParentPath On
            LogLevel debug
            Options All
            AllowOverride All Options

            AuthType Basic
            AuthName "Subversion Repository"
            AuthUserFile /mnt/data/etc/htpasswd
            AuthGroupFile /mnt/data/etc/htgroups
            Require group subversion

And the error file shows

    [Mon Aug 17 00:04:47.658169 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:47.658511 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.816887 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
    [Mon Aug 17 00:04:54.817233 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

In the conf.d/vhost.conf file for www.myhost.com, where I'm trying to reach www.myhost.com/repos using the above config for SVN, I also have

    <Directory />
            Options All
            #Allow from All
            #Order Allow,Deny
            Require all granted
            AllowOverride All Options
            ...

I spent a long time running down various ratholes before I remembered (and confirmed) I'm using the same auth mechanism for a different scenario on the same EC2 host and Apache instance. This works fine in vhost.conf:

    ServerName dev.anotherdomain.com
    <Directory />
            Options All
            #Allow from All
            #Order Allow,Deny
            AllowOverride All Options

            # AuthType Digest
            AuthType Basic
            AuthName "DevAndTest"
            AuthUserFile /mnt/data/etc/htpasswd
            AuthGroupFile /mnt/data/etc/htgroups
            Require group adifferentgroup

This seems to work fine, which has me a little flummoxed :(

philolegein

1 Answer


It turned out that the issue was that I needed to whitelist Authorization headers in the CloudFront distribution. The subdomain case in the original question worked because it wasn't sitting behind CloudFront.

philolegein
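As an added example (not part of the original question or answer): a small Python check over the JSON that `aws cloudfront get-distribution-config` returns, reporting for each cache behavior whether Authorization is among the whitelisted headers. The sample distribution, origin ID and policy ID are constructed; behaviors that use a cache policy instead of legacy `ForwardedValues` are reported as undecided.

```python
import json

# Constructed sample in the shape returned by
# `aws cloudfront get-distribution-config` (trimmed; IDs are placeholders).
SAMPLE = json.loads("""
{"DistributionConfig": {
  "DefaultCacheBehavior": {
    "TargetOriginId": "elb-origin",
    "ForwardedValues": {"QueryString": true,
                        "Headers": {"Quantity": 1, "Items": ["Host"]}}},
  "CacheBehaviors": {"Quantity": 2, "Items": [
    {"PathPattern": "/repos/*", "TargetOriginId": "elb-origin",
     "ForwardedValues": {"QueryString": false,
                         "Headers": {"Quantity": 2,
                                     "Items": ["Host", "authorization"]}}},
    {"PathPattern": "/static/*", "TargetOriginId": "elb-origin",
     "CachePolicyId": "EXAMPLE-POLICY-ID"}]}}}
""")


def forwards_authorization(behavior):
    """Return True/False for legacy ForwardedValues, None if undecidable."""
    fv = behavior.get("ForwardedValues")
    if fv is None:
        # Behavior uses a cache policy; that policy must be inspected separately.
        return None
    items = fv.get("Headers", {}).get("Items") or []  # Items is absent when Quantity is 0
    names = {h.lower() for h in items}  # header names are case-insensitive
    return "*" in names or "authorization" in names


def audit(config):
    """Map each path pattern to whether Authorization is whitelisted."""
    dist = config.get("DistributionConfig", config)
    result = {"(default)": forwards_authorization(dist["DefaultCacheBehavior"])}
    for b in dist.get("CacheBehaviors", {}).get("Items") or []:
        result[b["PathPattern"]] = forwards_authorization(b)
    return result


if __name__ == "__main__":
    labels = {True: "whitelisted", False: "NOT whitelisted", None: "check cache policy"}
    for pattern, ok in audit(SAMPLE).items():
        print(f"{pattern:12} Authorization: {labels[ok]}")
```

A path such as `/repos` that matches a behavior reported as not whitelisted will keep producing the `denied (no authenticated user yet)` lines at the origin, because Apache never sees the credentials.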