
I have an Apache 2.4 VirtualHost whose access is restricted by an AuthType Basic:

<VirtualHost ...>
    DocumentRoot /var/www/www.example.com/public
    <Directory /var/www/www.example.com/public>
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "user"
        AuthLDAPBindPassword "secret"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
    </Directory>
</VirtualHost>

Using a .htaccess file in /var/www/www.example.com/public I can unprotect images and other assets with:

# Allow assets without HTTP Auth
<FilesMatch "\.(gif|jpe?g|png|css|js|ico)$">
    Satisfy Any
    Allow from all
</FilesMatch>

This setup works: access to site is restricted, direct link to assets is not restricted.

Now I would like some very specific images to keep their access restriction: say, any file named foobar-.*\.jpg.

I tried to add the following to my .htaccess file:

# But do not allow these JPG images
<FilesMatch "foobar-.*\.jpg$">
    Require valid-user
    Order allow,deny
    Satisfy Any
</FilesMatch>

Which seems to work:

The /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg file exists and is correctly displayed at http://www.example.com/imgs/foo/foobar-baz.jpg in a browser where the user is HTTP-logged-in (otherwise they get a 401 Unauthorized).

Using a cURL command:

curl --user foobar:secret -D - -o /dev/null -s http://www.example.com/imgs/foo/foobar-baz.jpg

I get the following error in my Apache error.log file:

[Fri Jun 24 13:36:41.989506 2016] [access_compat:error] [pid 26834] [client 1.2.3.4:35251] AH01797: client denied by server configuration: /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg

access.log contains:

1.2.3.4 - foobar [24/Jun/2016:13:36:41 +0200] "GET /imgs/foo/foobar-baz.jpg HTTP/1.0" 200 24652 "-" "curl/7.35.0"

Because of a deployment issue I would like to keep the access configuration in the .htaccess file.

CDuv
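As an added example that is not part of the question or of any answer: the same two rules written only with Apache 2.4's mod_authz_core `Require` directives, which the 2.4 upgrade notes recommend in place of the mod_access_compat `Order`/`Allow`/`Satisfy` directives used in the question. It assumes `AuthMerging` is left at its default of `Off`, so that the `Require` of the later, more specific `<FilesMatch>` replaces the one from the earlier section, and that `AllowOverride` already permits `AuthConfig` in this directory (it must, since the question's `.htaccess` already uses `Require valid-user`).

```apache
# .htaccess in /var/www/www.example.com/public (added example, not the
# question's own file). Only mod_authz_core directives are used, so
# mod_access_compat is never consulted and cannot log AH01797.

# Assets are public. "Require all granted" is the 2.4 replacement for
# "Satisfy Any" + "Allow from all".
<FilesMatch "\.(gif|jpe?g|png|css|js|ico)$">
    Require all granted
</FilesMatch>

# Exception: foobar-*.jpg stays behind HTTP Basic auth. With the default
# AuthMerging Off, this Require list replaces the "all granted" above for
# files matching this pattern, so the AuthType/AuthLDAP* settings inherited
# from the <Directory> block in the VirtualHost apply again.
<FilesMatch "foobar-.*\.jpg$">
    Require valid-user
</FilesMatch>
```

With no `Order`/`Allow`/`Satisfy` left in the directory, the decision for foobar-*.jpg is authentication alone: a request with valid credentials gets 200 and one without gets 401. Re-running the question's own curl command and re-reading error.log is the quickest check that the AH01797 line no longer appears for successful requests.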
  • Are you sure that line in the error log is for a _successful_ request by a correctly authenticated client? I see no reason why it should log that line then; if however this was a request by a not authenticated client, then this is totally to be expected. – CBroe Jun 24 '16 at 11:46
  • I am positive it comes from (added curl and access.log example). However the Apache server is behind an Nginx 1.6 working as a reverse proxy (`proxy_pass http://....`). – CDuv Jun 27 '16 at 12:20

0 Answers