0

I have a lighttpd server that I want to serve some files from. Unfortunately the server is currently set up to require password authentication and I want these files to be available publicly.

How can I make it so that files in a particular subdirectory do not require a password?

As a further complication, most of the stuff in the config file was set up by other admins so I'm trying to be very careful to not break any existing security settings.

```
# config stuff that I am hesitant to change
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/foo.pem"
ssl.ca-file = "/etc/pki/tls/certs/foo.cert"

auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/.passwd"
auth.debug = 2

$HTTP["url"] !~ "^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico)" {
  auth.require = (
    "/" =>(
      "method" => "digest",
      "realm" => "Authorized users only",
      "require" => "valid-user"
    )
  )
}

$HTTP["url"] =~ "^/portal" {
  auth.require = (
    "/portal" => (
      "method" => "digest",
      "realm" => "portal users",
      "require" => "valid-user"
    )
  )
  url.redirect = ( "" => "/portal/")
}

$HTTP["remoteip"] !~ "1.2.3.4|5.6.7.8" {
    url.access-deny = ( "" )
}

# new directory that I want to make public
$HTTP["url"] =~ "^/public($|/)" {
    dir-listing.activate = "enable"
}
```

I tried adding `/public/*` to the regexp for the first `$HTTP["url"] !~` block, but that didn't work. I also tried disabling `ssl.engine` inside the block that matches `/public($|/)`, but that didn't work either.

Max
  • Note the exclamation mark in the first if-clause: `$HTTP["url"] !~`. You are activating auth for every location except these, and then again explicitly for `/portal` (leading / missing here). – sebix Apr 02 '15 at 07:45
  • So wouldn't adding `/public/*` to the regexp fix it? I tried that and it made no difference. – Max Apr 02 '15 at 14:08

2 Answers

2

This setup works great for me, as already said in the comments:

```
server.modules += ( "mod_auth" )
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/passwd"

$HTTP["url"] !~ "^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico|/public/.*)" {
  auth.require = (
    "/" =>(
      "method" => "digest",
      "realm" => "Authorized users only",
      "require" => "valid-user"
    )
  )
}
```
sebix
1

Turns out you can disable it selectively with just an empty list:

```
auth.require = ()
```

For OP's example:

```
# new directory that I want to make public
$HTTP["url"] =~ "^/public($|/)" {
    dir-listing.activate = "enable"
    auth.require = ()
}
```

Putting this block last in the file ensures it overrides all other directives, which may or may not be what you want depending on your setup. I have a case with multiple virtual hosts with differing auth schemes, but I wanted to bypass all of that for `/.well-known/acme-challenge/` to enable `certbot --webroot` to work for getting Let's Encrypt certs. For my example:

```
##### Let's Encrypt

$HTTP["url"] =~ "^/.well-known/acme-challenge/" {
  server.document-root = "/var/www/"
  auth.require = ()
}
```
TheSchwa
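Before reloading a changed config, the regexes from the question and both answers can be replayed offline to see exactly which request paths would be served without a password. This is an added example, not code from either answer: it assumes Python's `re` matches these patterns the same way lighttpd's PCRE does, uses constructed sample paths, and models only the catch-all auth block plus later `auth.require = ()` overrides.

```python
import re

# Regexes copied from the configs on this page.
ORIGINAL = r"^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico)"
WITH_PUBLIC = r"^(/portal/.*|/js/.*|/css/.*|/icons/.*|/favicon\.ico|/public/.*)"
PUBLIC_BLOCK = r"^/public($|/)"
ACME_BLOCK = r"^/.well-known/acme-challenge/"


def requires_auth(path, exclusion, overrides=()):
    """Simplified model of the catch-all auth block.

    Assumption: auth applies when the `!~` exclusion does not match, and a
    later matching block with `auth.require = ()` clears it again. The
    separate /portal auth block and the remoteip deny rule are not modelled.
    """
    if any(re.search(rx, path) for rx in overrides):
        return False
    return re.search(exclusion, path) is None


def audit(paths, exclusion, overrides=()):
    """Return the paths that would be served without a password."""
    return [p for p in paths if not requires_auth(p, exclusion, overrides)]


# Constructed sample request paths, including near-miss cases.
SAMPLE_PATHS = [
    "/public", "/public/", "/public/report.pdf", "/publicity/plan.txt",
    "/private/secret.txt", "/js/app.js", "/jsdata/dump.sql",
    "/.well-known/acme-challenge/token", "/xwell-known/acme-challenge/token",
]

if __name__ == "__main__":
    cases = [
        ("original regex", ORIGINAL, ()),
        ("regex with /public/.*", WITH_PUBLIC, ()),
        ("original + auth.require = () blocks", ORIGINAL, (PUBLIC_BLOCK, ACME_BLOCK)),
    ]
    for label, exclusion, overrides in cases:
        print(label)
        for p in audit(SAMPLE_PATHS, exclusion, overrides):
            print("  no password:", p)
```

Under the `/public/.*` variant, `/public` without a trailing slash still prompts for a password, while the `^/public($|/)` block exempts it. The unescaped dot in the acme-challenge pattern also matches `/xwell-known/acme-challenge/...`; writing it as `\.` keeps the exemption to the intended directory.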