6

I'm trying to expose a location through Apache. Normally, I have this block in my vhost that says

<Location />
    AuthType Basic
    AuthUserFile /web/.htpasswd
    AuthName "Test Site"
    Require valid-user
</Location>

This works just fine - everything served up requires a valid user. Now I want to expose a service that doesn't require authentication so I'm looking for a way to make all locations except for /services require authentication. I've been playing with LocationMatch, but I'm not entirely clear on what it's doing.

<LocationMatch ^/(?!services)[^.]*$>
AuthType Basic
...
</LocationMatch>

Allows /services and everything beneath it to skip the LocationMatch, but it has the side-effect of allowing example.com/.somefile to bypass the LocationMatch block.

Additionally, when I tried

<LocationMatch ^/(?!services)>
AuthType Basic
...
</LocationMatch>

everything (including /services) is matched by the LocationMatch.

I'd appreciate if someone could tell me what the [^.]* class does that the second test doesn't and how to expose only /services while keeping all other paths under authentication.

Jeff
  • 61
  • 1
  • 1
  • 2

5 Answers5

2

This page by Antonio Lorusso suggests the following to exclude folders from apache authentication:

<Location "/">
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/clients/client12/web17/passwd
AuthGroupFile /dev/null
Require valid-user
SetEnvIf Request_URI "^/(admin|skin|js|index)(.*)$" allow
SetEnvIf Request_URI "^/favicon.ico$" allow
Order allow,deny
Allow from env=allow
Satisfy Any
</Location>

In this case URLs starting with /admin, /skin, /js or /index will be ignored by auth.

The key part of this section for you is:

SetEnvIf Request_URI "^/(admin|skin|js|index)(.*)$" allow

In your case the appropriate code would be:

SetEnvIf Request_URI "^/services(.*)$" allow

_

Julian Mehnle
  • 3
  • 2
kevinjones
  • 21
  • 1
1

Well, [^.] means "not a .", which is why /.somefile doesn't match. A possible reason why your last example doesn't work is because Perl-compatible regular expressions are only supported starting with Apache 2.0, so if you're on Apache 1.3 (you really should specify an Apache version in your question), that'd be it.

womble
  • 96,255
  • 29
  • 175
  • 230
1

Mantain the 

<Location />
  AuthType Basic 
  AuthUserFile /web/.htpasswd
  AuthName "Test Site"
  Require valid-user
</Location>

and add a this new Location

<Location /services>
  Satisfy any
  Order deny,allow
</Location>
NuTTyX
  • 1,168
  • 5
  • 10
1

With apache 2.4, you can do something like this:

<Location />
    <If "%{REQUEST_URI} =~ m#^/services/#">
        Satisfy any
        Order deny,allow
    </If>
    <Else>
        AuthType Basic
        AuthUserFile /web/.htpasswd
        AuthName "Test Site"
        Require valid-user
    </Else>
</Location>
Greg
  • 1,423
  • 2
  • 13
  • 13
0

Tried many ways without success.
And finally this works on apache 2.2.

  • Two paths are unauthorized and others paths yes
  • I added rewriting from / to /ui in order to make it possible

Hère is LocationMatch directive use 

  <LocationMatch /(firstpath|secondpath).*>
            AuthType Basic
            AuthName "Restricted AREA "
            AuthUserFile /etc/apache2/security/password
            AuthGroupFile /etc/apache2/security/group
            Require group admin
            Order allow,deny
            Allow from 127.0.0.1
            Allow from 10.0.0.0/24
            Allow from env=allowclient

            Satisfy any
    </LocationMatch>
Damien C
  • 162
  • 1
  • 2
  • 13