14

Our site is running on Apache and is secured using client certificates. So far there was only one certificate, which provided access to the whole site. Now we have a requirement to expose Jira to a new group of users who should not be able to access anything but Jira. I created a separate certificate for that group and am planning to distinguish them by using an SSLRequire and Location/LocationMatch combination.

So the criteria are:

  1. Users with old certificate can access complete site
  2. Users with new certificate can only access /jira URL pattern

I tried a few combinations but am not able to get the negation for LocationMatch to work. Any help would be appreciated.

The httpd.conf file, looks like this:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/myca.crt

<Location /jira> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} in {"AllUsers", "JiraUsers"}
</Location> 

<LocationMatch /!(jira)> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} eq "AllUsers"
</LocationMatch>

5 Answers

13

Negative regexes are not supported in Apache 2.2.

See https://issues.apache.org/bugzilla/show_bug.cgi?id=10932

I don't know if it has been fixed in the latest Apache version.

As a workaround, use:

<LocationMatch "/[^s][^t][^a][^t][^i][^c]">
</LocationMatch>

or

<LocationMatch "^/(?!static)">
</LocationMatch>
Quinn Comendant
Marc MAURICE
4

This could be a handy one to have: make all hidden files and directories invisible (protecting .git, .htaccess, etc.) while still allowing access to /.well-known/. It can be fitted into any Apache 2.4 virtual host or placed directly in apache2.conf.

As I needed this and couldn't find a ready-made solution, here it is. Hope it helps.

<LocationMatch "^/(?!\.well-known/)">
    RedirectMatch 404 ^(.*/)?\.
</LocationMatch>
Antony Gibbs
4

Try this one (thanks Milos for the tip):

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/myca.crt

<Location /jira> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} in {"AllUsers", "JiraUsers"}
</Location> 

<LocationMatch "^/(?!jira)"> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} eq "AllUsers"
</LocationMatch>
Amol
2

Apache 2 uses PCRE, which supports Perl 5 regex syntax, so this is possible using a negative look-ahead as described at http://perldoc.perl.org/perlre.html#Extended-Patterns.

1

It was a matter of getting the regex right. The LocationMatch directive with the following regex worked fine.

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/myca.crt

<Location /jira> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} in {"AllUsers", "JiraUsers"}
</Location> 

<LocationMatch ^/[a-ik-zA-IK-Z]> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} eq "AllUsers"
</LocationMatch>
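Before deploying any of the LocationMatch patterns proposed above, it is worth checking which request paths actually land in each section, because a path that matches neither `<Location /jira>` nor the negated LocationMatch gets no SSLRequire at all and is gated only by SSLVerifyClient, so any certificate issued by the CA (including the JiraUsers one) is accepted there. The following is an added example, not code from the question or from any of the answers: a small Python model of Apache's section selection, run against constructed sample paths. It assumes that `<Location /prefix>` matches whole path segments (`/jira` and `/jira/...`, not `/jiraadmin`), that `<LocationMatch>` is an unanchored regex search, and that when several sections match, every SSLRequire must hold (modelled as a set intersection; the two sections in these configs never overlap, so this assumption is not exercised). The config names `ACCEPTED_ANSWER`, `CHAR_CLASS` and `HARDENED` are my own labels.

```python
"""Offline model of which Apache section (and so which SSLRequire) applies
to a request path, for checking a client-certificate split like the one in
the question. Added example; not code from the original post or answers."""
import re

ALL, JIRA = "AllUsers", "JiraUsers"

# Constructed request paths, not taken from the original post.
SAMPLE_PATHS = [
    "/", "/jira", "/jira/", "/jira/browse/ABC-1", "/jiraadmin", "/Jira",
    "/jobs", "/wiki/", "/static/app.js", "/start", "/42/report",
]


def location(prefix):
    """<Location /prefix>: Apache matches whole path segments, so /jira
    covers /jira and /jira/... but not /jiraadmin (assumption modelled here)."""
    return lambda path: path == prefix or path.startswith(prefix + "/")


def location_match(pattern):
    """<LocationMatch "regex">: an unanchored regex search against the path."""
    rx = re.compile(pattern)
    return lambda path: rx.search(path) is not None


# Each config is a list of (section matcher, CNs its SSLRequire accepts).
ACCEPTED_ANSWER = [                       # the ^/(?!jira) answer above
    (location("/jira"), {ALL, JIRA}),
    (location_match(r"^/(?!jira)"), {ALL}),
]
CHAR_CLASS = [                            # the ^/[a-ik-zA-IK-Z] answer above
    (location("/jira"), {ALL, JIRA}),
    (location_match(r"^/[a-ik-zA-IK-Z]"), {ALL}),
]
HARDENED = [
    (location("/jira"), {ALL, JIRA}),
    # Exclude exactly what <Location /jira> covers: /jira itself and /jira/...
    (location_match(r"^/(?!jira(/|$))"), {ALL}),
]


def allowed_cns(config, path):
    """CNs that may reach `path`, or None when no section matched.

    None means only SSLVerifyClient applies: any certificate issued by the
    CA is accepted, whatever its CN. Assumption: if several sections match,
    every SSLRequire must hold, hence the intersection; in the configs above
    the two sections are disjoint, so this never comes into play."""
    allowed = None
    for matcher, cns in config:
        if matcher(path):
            allowed = set(cns) if allowed is None else allowed & cns
    return allowed


def unguarded(config, paths=SAMPLE_PATHS):
    """Paths that fall through both sections and are gated by the CA alone."""
    return [p for p in paths if allowed_cns(config, p) is None]


def can_access(config, path, cn):
    """Would a client presenting a CA-issued cert with this CN get through?"""
    allowed = allowed_cns(config, path)
    return True if allowed is None else cn in allowed


if __name__ == "__main__":
    for name, cfg in [("^/(?!jira)", ACCEPTED_ANSWER),
                      ("^/[a-ik-zA-IK-Z]", CHAR_CLASS),
                      ("^/(?!jira(/|$))", HARDENED)]:
        print(f"{name}: reachable with any CA-issued cert: {unguarded(cfg)}")
        print(f"  JiraUsers -> /jiraadmin: {can_access(cfg, '/jiraadmin', JIRA)}")
```

With the `^/(?!jira)` config, `/jiraadmin` matches neither section, so a JiraUsers certificate reaches it; `^/(?!jira(/|$))` closes that hole while still leaving `/jira` and `/jira/...` to the `<Location /jira>` block. The character-class pattern `^/[a-ik-zA-IK-Z]` is worse: it leaves `/`, anything starting with a digit or dot, and every path beginning with `j` or `J` (such as `/jobs`) without an SSLRequire. The same kind of check applies to the `/[^s][^t][^a][^t][^i][^c]` workaround in the first answer, which also fails to match `/start`, `/` and any path shorter than seven characters, since each character class rejects one letter at a fixed position rather than the word as a whole.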