Apache 2.4 .htaccess Require statements ignored

I'm trying to restrict per-client subdirectories of an application containing static reports using .htaccess files programatically generated with a list of users for each customer, but while I can demonstrate that the .htaccess file is being parsed (500 ISE if it contains garbage, AllowOverride is working) none of the more restrictive Require statements are overriding the Require valid-user in the higher-level Location directive.

eg. /etc/httpd/conf.d/app.conf

<VirtualHost *:80>
ServerName app

RewriteEngine on
RewriteRule ^/cgi-bin\/api\/(\w+)$ /var/www/cgi-bin/App.cgi?mode=json&request=$1 [QSA,H=cgi-script]

<Directory "/var/www/cgi-bin/">
  Options ExecCGI
</Directory>
<Directory "/var/www/cgi-bin/api/reports/">
  AllowOverride FileInfo AuthConfig
  Options +Indexes +FollowSymLinks -ExecCGI
  IndexOptions +NameWidth=*
  SetHandler default-handler
  LogLevel trace8
</Directory>


<Location /cgi-bin/>
  AuthType Basic
  AuthName "App Server"
  AuthUserFile /etc/httpd/conf.d/app.passwd
  require valid-user
</Location>
<Location /cgi-bin/api/>
  AuthType Basic
  AuthName "App API"
  AuthUserFile /etc/httpd/conf.d/app-api.passwd
  Require valid-user
  LogLevel trace8
</Location>
</VirtualHost>

/var/www/cgi-bin/api/reports/customer1/.htaccess

Require user CUSTOMER1

I have LogLevel trace8 on for the reports directory and I see

AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
AH01626: authorization result of Require valid-user : granted,
AH01626: authorization result of <RequireAny>: granted
Response sent with status 200

nothing I put in the .htaccess file seems to be referenced, wrapping Require statements in RequireAll doesn't do anything, setting Require all denied doesn't do anything, Apache is not treating the .htaccess directives as more specific than the Location directive in the config at a (higher, lefter) part of the URI.

edited: Tried adding FileInfo with no effect. Updated the example to be more complete. Settings Location /cgi-bin/api/reports/customer1 Require user CUSTOMER1 works just fine in the config, I was just trying to avoid requiring a webserver reload every time the jobs run and rebuild the .htaccess AuthZ files as some of the jobs run every minute and I didn't want to take the effort of building a more complete tool, that can reload httpd only when there are material AuthZ changes, since in theory .htaccess should be capable of making apache check for AuthZ changes on every access without privileged reloads.

mtinberg

Posted 2019-09-06T19:49:06.070

Reputation: 71

Please make your question more precise: Which file contains which part of your configuration? And where are those files stored? – dirdi – 2019-09-11T20:11:36.460

Try using "AllowOverride FileInfo AuthConfig". If this works then the problem is a documentation bug. – harrymc – 2019-09-13T13:22:53.643

I updated the example config with more detail from my test app and tried adding FileInfo without success – mtinberg – 2019-09-17T16:30:50.900

Thanks for clarification! I edited my answer accordingly. – dirdi – 2019-09-18T01:43:13.093

Answers

Answer After Initial Question

<Directory> and <Location> directives are not allowed within .htaccess files (see Context section).

Just place a separate .htaccess file within the /foo/bar/reports/ folder containing the Auth* and Require directives. Make sure that the path to your .htpasswd file is valid (absolute paths should be preferred).

If it still does not work check that the AllowOverride directive was set correctly (i.e. within a <Directory> directive) within the virtual host / server config (.conf file within the /etc/apache2/ folder).

Answer After Question's 1st Edit

A .htaccess file is the equivalent of a <Directory> directive inside a .conf file. At the moment you are mixing <Directory> and <Location> directives for authentication. Would you please remove the <Location> directives from your .conf file and replace your <Directory> directions with the following, while letting the .htaccess files untouched:

<Directory "/var/www/cgi-bin/">
  Options ExecCGI
  AuthType Basic
  AuthName "App Server"
  AuthUserFile /etc/httpd/conf.d/app.passwd
  require valid-user
</Directory>
<Directory "/var/www/cgi-bin/api/">
  AuthType Basic
  AuthName "App API"
  AuthUserFile /etc/httpd/conf.d/app-api.passwd
  Require valid-user
  LogLevel trace8
</Directory>
<Directory "/var/www/cgi-bin/api/reports/">
  AllowOverride FileInfo AuthConfig
  Options +Indexes +FollowSymLinks -ExecCGI
  IndexOptions +NameWidth=*
  SetHandler default-handler
  LogLevel trace8
</Directory>

Until you edited your question, I assumed that the <Location> directives were placed inside a .htaccess file and would point to virtual folders instead of actual filesystem locations. However, the manual explicitly states:

It is important to never use <Location> when trying to restrict access to objects in the filesystem. This is because many different webspace locations (URLs) could map to the same filesystem location, allowing your restrictions to be circumvented.

dirdi

Posted 2019-09-06T19:49:06.070

Reputation: 1 860

Thanks for the response, I am not putting <Directory> or <Location> directives in the .htaccess file, just a Requires line, also tried defining the AuthType and AuthUserFile in the .htaccess without effect, AllowOverride is set because without it the .htaccess file isn't evaluated, and I can confirm it is being read because it will fail if the file is not syntactically correct. – mtinberg – 2019-09-11T18:45:29.573

Your AllowOverride directive is lacking.

In spite of what the documentation for the Require Directive says, the command should be:

AllowOverride FileInfo AuthConfig

harrymc

Posted 2019-09-06T19:49:06.070

Reputation: 306 093

Thanks for the reponse, I tried that and it didn't work. I updated my example config to hopefully be more complete and clear – mtinberg – 2019-09-17T16:30:13.523

The messages might be misleading. In this post they were issued by auth_mysql_module. Even if this is not your case, try to disable all possible modules to minimize interference. In another post the solution was to merge everything in one .htaccess file.

– harrymc – 2019-09-17T16:47:03.960