
I want to allow an anonymous client to execute a script via a special URL, but not directly. Everything else should require authentication.

# Filesystem-level grant for the tree that holds both the DocumentRoot
# (/srv/http/html) and the script directory (/srv/http/cgi-bin).
<Directory "/srv/http">
    Require all granted
</Directory>

# Per-directory rewrite: in <Directory> context the pattern is matched against
# the path relative to this directory, which is why ^hello/... has no leading
# slash. Rewriting to /cgi-bin/hello.sh is carried out as an internal redirect,
# so access control runs a second time on the new URI (the AH01626 lines in
# the error_log show both passes). [B] escapes the captured backreference
# before it is placed in the query string, so $1 cannot smuggle extra
# parameters; the value is otherwise unvalidated and hello.sh must treat x as
# untrusted input.
<Directory "/srv/http/html">
    RewriteRule ^hello/dostuff/(.*)$ /cgi-bin/hello.sh?anon=1&x=$1 [B]
</Directory>

# require auth for everything with one exception below
# <Location> sections are merged after <Directory> sections, so this Require
# replaces the directory-level "Require all granted" for every URI, including
# the rewrite target /cgi-bin/hello.sh (see the "denied" lines in error_log).
# AuthUserFile is relative to ServerRoot (/etc/httpd), i.e. outside the
# document tree, so the credential file is not itself servable.
<Location />
    AuthType Basic
    AuthName intranet
    AuthUserFile "conf/passwd"
    Require user test
</Location>

# allow anonymous access inside /hello/
# Grants every URI below /hello/ (not only /hello/dostuff/), evaluated on the
# URI as originally requested. After the internal redirect the request is
# re-authorized as /cgi-bin/hello.sh, which this section does not cover.
<Location /hello/>
    Require all granted
</Location>

/hello/foobar gives me a 404 as expected, but /hello/dostuff/foobar asks for a password. It seems the <Location /> check is performed twice: once before and once after the rewrite:

access_log:

192.168.65.1 - - [22/Oct/2015:12:49:04 +0300] "GET /hello/dostuff/foobar HTTP/1.1" 401 381

error_log:

[Thu Oct 22 12:49:04 2015] AH01626: authorization result of Require all granted: granted URI:/hello/dostuff/foobar
[Thu Oct 22 12:49:04 2015] AH01626: authorization result of <RequireAny>: granted URI:/hello/dostuff/foobar
[Thu Oct 22 12:49:04 2015] AH01626: authorization result of Require user test: denied (no authenticated user yet) URI:/cgi-bin/hello.sh
[Thu Oct 22 12:49:04 2015] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) URI:/cgi-bin/hello.sh

Full conf:

# Relative paths elsewhere in this file (AuthUserFile, TypesConfig) resolve
# against ServerRoot.
ServerRoot "/etc/httpd"
# Plain HTTP only: no ssl_module is loaded, so the Basic-auth credentials
# configured below cross the wire in a reversibly encoded header. Fine on a
# trusted intranet segment; otherwise terminate TLS in front of this server.
Listen 80
# Modules the ScriptAlias and RewriteRule sections further down rely on.
LoadModule cgi_module modules/mod_cgi.so
LoadModule alias_module modules/mod_alias.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule rewrite_module modules/mod_rewrite.so

# Authentication/authorization stack: file-backed users (authn_file),
# "Require user" (authz_user) and the 2.4 Require/<RequireAny> core.
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
# Provides the pre-2.4 Order/Allow/Deny/Satisfy directives. None of them are
# used in this file, so the module is unnecessary here; leaving it out also
# rules out accidental mixing of old- and new-style access rules.
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule mpm_event_module modules/mod_mpm_event.so

# Unprivileged identity for the worker processes; CGI scripts spawned by
# mod_cgi run as this user/group as well (no suexec is configured here).
User http
Group http

# Document tree served for plain URIs; the <Directory "/srv/http/html">
# section below carries the RewriteRule for this tree.
DocumentRoot "/srv/http/html"

# Enables mod_rewrite processing; the only rule lives in the
# <Directory "/srv/http/html"> section below.
RewriteEngine On

# Deny-by-default baseline for the whole filesystem; the more specific
# <Directory> sections below open only the trees that should be reachable.
# AllowOverride none also stops .htaccess files from relaxing this.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Filesystem-level grant for the tree that holds both the DocumentRoot
# (/srv/http/html) and the script directory (/srv/http/cgi-bin).
<Directory "/srv/http">
    Require all granted
</Directory>

# Per-directory rewrite: in <Directory> context the pattern is matched against
# the path relative to this directory, which is why ^hello/... has no leading
# slash. Rewriting to /cgi-bin/hello.sh is carried out as an internal redirect,
# so access control runs a second time on the new URI (the AH01626 lines in
# the error_log above show both passes). [B] escapes the captured
# backreference before it is placed in the query string, so $1 cannot smuggle
# extra parameters; the value is otherwise unvalidated and hello.sh must treat
# x as untrusted input.
<Directory "/srv/http/html">
    RewriteRule ^hello/dostuff/(.*)$ /cgi-bin/hello.sh?anon=1&x=$1 [B]
</Directory>

# Never serve .htaccess/.htpasswd-style files (the configured AuthUserFile
# lives under ServerRoot, outside the document tree, in any case).
<Files ".ht*">
    Require all denied
</Files>
# Access logging. access_log uses the "common" format, so Referer and
# User-Agent are not recorded (the 401 line quoted above is in this format).
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "/var/log/httpd/access_log" common
</IfModule>

# Copies the raw request URI into the environment variable RURI so the
# ErrorLogFormat below can print it (the "(^.*$)" group is equivalent to
# "^(.*)$"). Variables set this way are also exported to CGI children, so
# hello.sh sees RURI too; it is client-supplied data and must be treated as
# such.
SetEnvIf Request_URI "(^.*$)" RURI=$1

# LogLevel debug is what produces the per-Require AH01626 trace quoted above;
# it is very verbose and should be lowered once the authz question is settled.
# The custom ErrorLogFormat drops the client address, log level and module
# name that the commented-out line would include, keeping only time, message
# and the RURI variable set by SetEnvIf above.
ErrorLog "/var/log/httpd/error_log"
LogLevel debug
#ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M URI:%{RURI}e"
ErrorLogFormat "[%t] %M URI:%{RURI}e"

# Maps /cgi-bin/ URIs onto the script directory and marks them for the CGI
# handler; this is the target of the RewriteRule in the html directory.
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
</IfModule>
# Options None: no directory listings, no symlink following, no SSI.
# The "Require all granted" here is overridden for URI-based access by the
# <Location /> section later in the file (Location sections merge after
# Directory sections), which is why the rewritten /cgi-bin/hello.sh request
# is denied in the error_log above.
<Directory "/srv/http/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
# MIME type map (TypesConfig is relative to ServerRoot) plus two extra
# compressed-archive types.
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

# require auth for everything with one exception below
# <Location> sections are merged after <Directory> sections, so this Require
# replaces the directory-level "Require all granted" for every URI, including
# the rewrite target /cgi-bin/hello.sh (see the "denied" lines in error_log).
# AuthUserFile is relative to ServerRoot (/etc/httpd), i.e. outside the
# document tree, so the credential file is not itself servable.
<Location />
    AuthType Basic
    AuthName intranet
    AuthUserFile "conf/passwd"
    Require user test
</Location>

# allow anonymous access inside /hello/
# Grants every URI below /hello/ (not only /hello/dostuff/), evaluated on the
# URI as originally requested. After the internal redirect the request is
# re-authorized as /cgi-bin/hello.sh, which this section does not cover.
<Location /hello/>
    Require all granted
</Location>
basin



Enable LogLevel debug for your httpd. In the resulting log entries you may find, e.g., that using old-syntax access rules (like Allow from ..., Satisfy ...) gives unexpected results, especially when mixed with the new style (<RequireAny>, <RequireAll>, etc.). With httpd 2.4 you should use the new syntax only, to avoid this kind of problem.

Other than that, I believe you want to match ^/hello/dostuff/... — pay attention to the leading slash, which is missing from your configuration.

sam_pan_mariusz

Set a variable let_me_in in the RewriteRule and grant access not only when the user is authenticated, but also when this variable is set:

# [E=let_me_in] sets the environment variable let_me_in on the request that
# matched. A per-directory rewrite to a different URI is carried out as an
# internal redirect, and environment variables of the original request reach
# the redirected request with a REDIRECT_ prefix -- hence the name tested in
# the <Location /> section below. [B] still escapes $1 before it enters the
# query string; the CGI must validate x itself.
<Directory "/srv/http/html">
    RewriteRule ^hello/dostuff/(.*)$ /cgi-bin/hello.sh?anon=1&x=$1 [B,E=let_me_in]
</Directory>

# Multiple Require lines in one section form an implicit <RequireAny>: a
# request is admitted when the user authenticates as "test" OR when
# REDIRECT_let_me_in is set. The env grant is thus a deliberate bypass that
# applies only to requests the RewriteRule above has tagged; do not set a
# variable of this name from client-controlled input (SetEnvIf on headers
# etc.) or the bypass widens. "Require env" is provided by mod_authz_host,
# which the question's LoadModule list does not include; add
# "LoadModule authz_host_module modules/mod_authz_host.so" for this to load.
<Location />
    AuthType Basic
    AuthName intranet
    AuthUserFile "conf/passwd"
    Require user test
    Require env REDIRECT_let_me_in
</Location>
basin