
We wish to set up a website for demo purposes only that we can:

  1. Access from anywhere on the internet by entering a username and password via HTTP Basic Auth.
  2. For ease of use, we wish not to have to go through HTTP Basic Auth from the office, which will be connecting from 202.161.24.210.
  3. Certain parts of the demo site will need to make REST requests to itself, so we wish to whitelist 127.0.0.1 and ::1 too.

We seem to have achieved 2 and 3, but 1 doesn't work as well as we thought it would: our users keep getting re-prompted for the HTTP Basic Auth username and password even though they are already authenticated and are just going to different pages of the web site. We noticed from the logs that they get the following error message when accessing certain assets:

```
[Tue Jun 09 10:50:03.442834 2015] [access_compat:error] [pid 5740:tid 140705259312896] [client 78.52.242.163:62774] AH01797: client denied by server configuration: /var/www/docroots/stage/lib/yui/build/moodle-core-checknet/assets/checknet.txt, referer: http://stage.example.org/mod/scorm/player.php
```

Here is our Apache vhost:

```
<VirtualHost *:80>
    ServerName stage.example.org

    DocumentRoot /var/www/docroots/stage
    <Directory /var/www/docroots/stage>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None

        # Only visible on Office network or anyone with a valid password.
        AuthType Basic
        AuthName "Authorisation Required"
        AuthUserFile "/var/www/htpasswd"
        Require valid-user
        Order allow,deny
        Allow from 202.161.24.210 127 ::1
        Satisfy any
    </Directory>
</VirtualHost>
```

We are running Apache 2.4.6 on CentOS 7. Is our configuration correct? It seems to work for the top-level files in /var/www/docroots/stage as well as for the other images, CSS and JavaScript files in subdirectories directly under it, but could it be that it forgets the HTTP auth after a certain number of subdirectories? SELinux is in permissive mode.

Machoke

1 Answer

Without the complete error message (I would expect the module and IP address) it's a bit of a guess, but you're mixing directives from two different modules in Apache 2.4: the Require directive from mod_authz_core and the "legacy" directives Allow and Order from mod_access_compat, which might not stack very well.

You could try replacing the lines

```
Order allow,deny
Allow from 202.161.24.210 127 ::1
```

with the following:

```
Require ip 202.161.24.210 127 ::1/128
```

With the already present Satisfy any, that should meet your requirements.

Your third requirement:

Certain parts of demo site will need to make REST requests to itself...

might not be accessing the server from the loopback address as you would expect, but might instead be configured with an FQDN (similar to http://api.example.com/rest?) and originate from the server's public IP address.

You could add the server's public IP addresses, but that is much more easily resolved in Apache 2.4; the local provider allows access to the server if any of the following conditions is true:

  • the client address matches 127.0.0.0/8
  • the client address is ::1
  • both the client and the server address of the connection are the same

So instead of listing the loopback IP addresses, use:

```
Require valid-user
#  Office Gateway:
Require ip 202.161.24.210
#  API access from this host:
Require local
#  Only one or more of the above needs to match:
Satisfy any
```

HBruijn
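As an added illustration (not part of the question, the answer, or Apache itself), the following Python models how the proposed <Directory> block authorizes a request under the Apache 2.4 providers named above: `Require valid-user`, `Require ip`, and `Require local` with its three conditions, combined as the implicit RequireAny that several Require lines at the same level form. It also includes a small lint that flags sections mixing mod_access_compat directives (Order/Allow/Deny) with Require lines, the combination the answer identifies as the likely cause. The office gateway address is taken from the question; every other address, the user list, and the trimmed config blocks are constructed for the example.

```python
"""Added example: a model of the Apache 2.4 authorization providers used in the
answer, plus a lint for the legacy/2.4 directive mix. Not from the question,
the answer, or Apache. Addresses other than the office gateway are constructed."""
import ipaddress
import re
from typing import List, Optional

OFFICE_GATEWAY = "202.161.24.210"   # from the question
VALID_USERS = {"demo"}              # constructed stand-in for /var/www/htpasswd
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def require_ip(client_ip: str, *allowed: str) -> bool:
    """'Require ip A B/24 ...': grant if the client falls inside any listed address or prefix."""
    client = ipaddress.ip_address(client_ip)
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)  # bare address becomes /32 or /128
        if client.version == net.version and client in net:
            return True
    return False


def require_local(client_ip: str, server_ip: str) -> bool:
    """'Require local': 127.0.0.0/8, ::1, or client and server address of the connection equal."""
    client = ipaddress.ip_address(client_ip)
    if client.version == 4 and client in LOOPBACK_V4:
        return True
    if client == LOOPBACK_V6:
        return True
    return client == ipaddress.ip_address(server_ip)


def require_valid_user(user: Optional[str]) -> bool:
    """'Require valid-user': the request carried Basic credentials matching a known user."""
    return user is not None and user in VALID_USERS


def authorize(client_ip: str, server_ip: str, user: Optional[str] = None) -> bool:
    """Several Require lines directly inside one <Directory> act as an implicit
    <RequireAny>: the first provider that grants is enough."""
    return (require_valid_user(user)
            or require_ip(client_ip, OFFICE_GATEWAY)
            or require_local(client_ip, server_ip))


# --- lint for the 2.2/2.4 directive mix ---------------------------------------
LEGACY = re.compile(r"^\s*(Order|Allow|Deny)\b", re.IGNORECASE)   # mod_access_compat
MODERN = re.compile(r"^\s*Require\b", re.IGNORECASE)              # mod_authz_core
SECTION_OPEN = re.compile(r"^\s*<(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"^\s*</")


def find_mixed_sections(config_text: str) -> List[str]:
    """Return the names of sections that contain both legacy access directives
    and Require lines, i.e. where the two authorization models would interact."""
    mixed: List[str] = []
    stack: List[dict] = []
    for line in config_text.splitlines():
        m = SECTION_OPEN.match(line)
        if m:
            stack.append({"name": f"<{m.group(1)} {m.group(2).strip()}>",
                          "legacy": False, "modern": False})
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                sec = stack.pop()
                if sec["legacy"] and sec["modern"]:
                    mixed.append(sec["name"])
            continue
        if not stack:
            continue
        if LEGACY.match(line):
            stack[-1]["legacy"] = True
        elif MODERN.match(line):
            stack[-1]["modern"] = True
    return mixed


# Trimmed copies of the question's block and the answer's replacement (constructed).
ORIGINAL_BLOCK = """\
<Directory /var/www/docroots/stage>
    AuthType Basic
    Require valid-user
    Order allow,deny
    Allow from 202.161.24.210 127 ::1
    Satisfy any
</Directory>
"""
FIXED_BLOCK = """\
<Directory /var/www/docroots/stage>
    AuthType Basic
    Require valid-user
    Require ip 202.161.24.210
    Require local
    Satisfy any
</Directory>
"""

if __name__ == "__main__":
    print("mixed in original:", find_mixed_sections(ORIGINAL_BLOCK))
    print("mixed in fixed:   ", find_mixed_sections(FIXED_BLOCK))
    print("office, no creds: ", authorize(OFFICE_GATEWAY, "203.0.113.10"))
    print("remote, no creds: ", authorize("78.52.242.163", "203.0.113.10"))
    print("remote, demo user:", authorize("78.52.242.163", "203.0.113.10", user="demo"))
    print("self via public:  ", authorize("203.0.113.10", "203.0.113.10"))
```

The model deliberately leaves `Satisfy any` out of the decision: in 2.4 it only matters for the legacy Allow/Order path, and once that path is gone the Require lines alone decide. The "self via public" case is the one the answer singles out: a REST call to the server's own FQDN arrives from the public address, which `Require ip 127 ::1` would never match but `Require local` does, because the client and server addresses of the connection are identical.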
  • The full error message: `[Tue Jun 09 10:50:03.442834 2015] [access_compat:error] [pid 5740:tid 140705259312896] [client 78.52.242.163:62774] AH01797: client denied by server configuration: /var/www/docroots/stage/lib/yui/build/moodle-core-checknet/assets/checknet.txt, referer: http://stage.example.org/mod/scorm/player.php` I have updated the question too. I am assuming "access_compat:error" means it is an error from mod_access_compat? – Machoke Jun 09 '15 at 03:47
  • Thanks for the suggestion and the links. I had always been really confused about 2.2 and 2.4; that link really clears it up! I admit I haven't read as much as I should and more or less just dived into using 2.4 though... – Machoke Jun 09 '15 at 03:49
  • If IP address 78.52.242.163 is from your own server, see the updated answer with `require local` – HBruijn Jun 09 '15 at 03:52
  • That's actually one of our remote workers, and we do like them to go through HTTP Basic Auth, which should be handled with `require valid-user`. We do use the FQDN, and we currently handle it by adding entries in `/etc/hosts` on the stage server. Thanks for suggesting `require local`; it is a lot cleaner and less error-prone should we forget to add entries to `/etc/hosts`! – Machoke Jun 09 '15 at 04:14
  • One minor thing I would add is that it appears all Apache comments must start with a `#`; they can't be appended after a directive: `httpd -t AH00526: Syntax error on line 27 of /etc/httpd/conf.d/vhost.conf: ip address '#' appears to be invalid` I am pushing out this change tonight; it should be getting tested by our remote worker tomorrow. – Machoke Jun 09 '15 at 04:21