
I read this answer to a similar question asked some time ago, and it made good sense and matched the Apache 2.4 documentation. But I had the following experience, which seems to contradict that answer and the documentation. Consider the following directives:

<Directory "/opt/lampp/htdocs/foo">
    # Authentication settings only; no Require directive in this section
    AuthName     "foo user"
    AuthType     Basic
    AuthUserFile /opt/lampp/passwds/foo.users
</Directory>
<VirtualHost *:80>
    ServerName   foo.example.com
    DocumentRoot "/opt/lampp/htdocs/foo/public"
    ErrorLog     "logs/foo.error_log"
    # Everything under this host requires a valid user ...
    <Location />
        Require valid-user
    </Location>
    # ... except the feed and everything below it
    <Location /wp/feed>
        Require all granted
    </Location>
    CustomLog    "logs/foo.access_log" combined
</VirtualHost>

The intent, clearly, is to protect all URLs with HTTP Basic authentication, except for URLs below /wp/feed. But after reloading Apache, I got prompted for credentials when going to /wp/feed. That URL matches both of the Location paths, so Apache should have processed Require valid-user followed by Require all granted, and I should not have been prompted. Just for "fun", I tried switching the order of the Location blocks, but still got prompted. The only thing I could find that worked as I intended was to remove the Location block for "/" entirely. To me, that also was unexpected behavior, because in that case there were no Require valid-user directives at all that should have been applied to URLs not matching /wp/feed. And yet they were applied, since I got prompted for all URLs that did not match /wp/feed.

Can anyone explain this? Am I just missing the boat in understanding the answer and documentation?

I had no problem specifying this behavior with nginx directives, where the longest prefix match generally wins. If what I got really is the expected behavior, how can I get what I want with Apache?

sootsnoot
  • Are there by any chance `.htaccess` files that are locally overriding the config set from your main Apache configuration? – Bob Jan 20 '20 at 22:10
  • Good question, but I think not. There are two .htaccess files in existence. One is at /wp/.htaccess, which is the standard one for WordPress sites with custom permalinks that use mod_rewrite to force references to non-existent files to wp/index.php. And the other, at /.htaccess, similarly uses mod_rewrite to force references to the root to go to /wp. No directives related to authentication or authorization at all. – sootsnoot Jan 22 '20 at 00:53
  • If there are references to non-existent files in the HTML code of your `/wp/feed`, or to files (.css, .js, images) in a higher directory, that will also result in an authentication pop-up. – Bob Jan 22 '20 at 07:22
  • Good observation. But the thing is that removing the block entirely gives exactly what I want: no popups for /wp/feed, but popups for every other location. I'm surprised that I would get prompted to authenticate at all with no Require valid-user directives anywhere in the configuration. Can you explain that? – sootsnoot Jan 22 '20 at 18:21
  • 1
    Now I'm really confused. Checking the [documentation](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require) once more, it says the allowed context for Require directives is "directory, .htaccess". VirtualHost is not included. But is only allowed in contexts "server config, virtual host". And yet many examples show Require being used in Location blocks, and clearly the use in my Location block for /wp/feed does work. This is crazy! – sootsnoot Jan 22 '20 at 18:54
  • Were you ever able to come to a resolution on this? I am seeing a very similar problem and not sure how to make it work the right way. Specifically: requests for /folder/ need to belong to users group and requests to /folder/admin/ need to belong to admins group. – Joe Aug 06 '20 at 19:51
  • @Joe I'm sorry, no, I never figured this out. I was already using nginx to serve static files and as a reverse proxy to an apache server for everything else, so I just put the access controls in the nginx configuration where they worked sensibly, and stopped playing with it. – sootsnoot Aug 07 '20 at 01:38
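The following is an added example, not configuration from the question or from the Apache documentation; it reuses the question's paths and hostname. Two documented facts matter here. First, the "directory" context listed for Require covers every directory-like section (`<Directory>`, `<Location>`, `<Files>`, `<If>` and their regex variants), so Require inside `<Location>` is legitimate. Second, a per-directory rewrite such as the WordPress `.htaccess` rule is carried out as an internal redirect, and the redirected request (now for /wp/index.php) goes through the authorization phase again with its new URI, so it only matches `<Location />`. Whether that is what happened in the question is an assumption; the `authz_core:debug` log level in the example shows which section and which Require decided each request. The example therefore tags the original feed request with an environment variable at translate_name time (after URI normalization, so `/wp/feed/../wp-admin/` does not match) and grants on that variable; the variable survives the internal redirect under a `REDIRECT_` prefix, so both names are checked. Because the grant and the valid-user requirement sit in one `<RequireAny>`, there is no second `<Location>` for the merge order to surprise you with.

```apache
# Added example; not from the question or the Apache docs.
# Assumes the paths, hostname and WordPress .htaccess from the question.

<Directory "/opt/lampp/htdocs/foo">
    AuthType     Basic
    AuthName     "foo user"
    AuthUserFile /opt/lampp/passwds/foo.users
</Directory>

<VirtualHost *:80>
    ServerName   foo.example.com
    DocumentRoot "/opt/lampp/htdocs/foo/public"
    ErrorLog     "logs/foo.error_log"
    CustomLog    "logs/foo.access_log" combined

    # Log which authorization section and which Require made each decision.
    LogLevel warn authz_core:debug

    # Tag the original request for the feed (and anything below it) before
    # the .htaccess rewrite and before authorization run. Server-context
    # rewrite rules see the already-normalized URI, so dot segments cannot
    # be used to smuggle another path past this pattern.
    RewriteEngine On
    RewriteRule "^/wp/feed(/|$)" - [E=FEED_REQUEST:1]

    <Location "/">
        <RequireAny>
            # After the internal redirect to /wp/index.php the variable is
            # carried over as REDIRECT_FEED_REQUEST, so accept either name.
            Require env FEED_REQUEST REDIRECT_FEED_REQUEST
            # Everything else needs Basic auth credentials.
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

Check it with `apachectl configtest`, reload, then `curl -sI http://foo.example.com/wp/feed` (expect 200, no `WWW-Authenticate` header) and `curl -sI http://foo.example.com/wp/` (expect 401 with `WWW-Authenticate: Basic realm="foo user"`). The `AH01626` / `AH01628` lines in foo.error_log name the provider that granted or denied each request, including the second pass after the rewrite.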

0 Answers