We wish to set up a website for demo purposes only that we can:
1. Access from anywhere on the internet by entering a username and password via HTTP Basic Auth.
2. For ease of use, we wish to not have to go through HTTP Basic Auth from the office, where our office will be connecting from 202.161.24.210.
3. Certain parts of the demo site will need to make REST requests to itself, so we wish to whitelist 127.0.0.1 and ::1 too.

We seem to have achieved 2 and 3, but 1 doesn't work as well as we thought it would: our users keep getting reprompted for the HTTP Basic Auth username and password even though they are already authenticated and are going to different pages of the website. We noticed from the logs that they get the following error message when accessing certain assets:

    [Tue Jun 09 10:50:03.442834 2015] [access_compat:error] [pid 5740:tid 140705259312896] [client 78.52.242.163:62774] AH01797: client denied by server configuration: /var/www/docroots/stage/lib/yui/build/moodle-core-checknet/assets/checknet.txt, referer: http://stage.example.org/mod/scorm/player.php

Here is our Apache vhost:

    <VirtualHost *:80>
        ServerName stage.example.org
        DocumentRoot /var/www/docroots/stage
        <Directory /var/www/docroots/stage>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            # Only visible on Office network or anyone with a valid password.
            AuthType Basic
            AuthName "Authorisation Required"
            AuthUserFile "/var/www/htpasswd"
            Require valid-user
            Order allow,deny
            Allow from 202.161.24.210 127 ::1
            Satisfy any
        </Directory>
    </VirtualHost>

We are running Apache 2.4.6 on CentOS 7. Is our configuration correct? It seems like our configuration does work for the top-level files at /var/www/docroots/stage as well as other images, CSS, and JavaScript files under subdirectories that are directly under it, but could it be that it forgets the HTTP Auth after a certain number of subdirectories? SELinux is in permissive mode.
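
For comparison, the same three-part policy written with Apache 2.4's native authorization directives (mod_authz_core and mod_authz_host) instead of the mod_access_compat `Order`/`Allow`/`Satisfy` directives that the `access_compat:error` log entry comes from. This is an added example, not part of the original question or a confirmed fix for the reprompting; the host name, paths and addresses are copied from the vhost above.

```apache
<VirtualHost *:80>
    ServerName stage.example.org
    DocumentRoot /var/www/docroots/stage

    <Directory /var/www/docroots/stage>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None

        # Basic Auth is still configured so that "Require valid-user" can
        # challenge clients that do not match one of the address rules.
        AuthType Basic
        AuthName "Authorisation Required"
        AuthUserFile "/var/www/htpasswd"

        # Grant access when ANY one of the enclosed rules matches.
        # This replaces "Order allow,deny" + "Allow from ..." + "Satisfy any";
        # the Apache 2.4 upgrade notes discourage mixing those older
        # directives with "Require" in the same configuration.
        <RequireAny>
            # Office egress address: no password prompt.
            Require ip 202.161.24.210
            # Loopback, for the site's REST requests to itself.
            Require ip 127.0.0.0/8 ::1
            # Everyone else must present valid Basic Auth credentials.
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

After editing, `apachectl configtest` checks the syntax before a reload. Basic Auth over plain HTTP on port 80 sends the credentials base64-encoded rather than encrypted, so an internet-facing demo site is normally served over TLS.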