4

I have the following in my (Debian-style, split-file) config:

<VirtualHost *>
ServerName www.example.org
DocumentRoot /var/www/example
CustomLog /var/log/apache2/example/access.log combined

<Directory /var/www/example/subdir/admin/>
   AllowOverride All
   AuthType Basic
   AuthName "admins only"
   AuthUserFile /etc/apache2/pass.txt
   Require valid-user
</Directory>

</VirtualHost>

And it's ignored, i.e. I can browse files in that directory, no login prompt. I've set LogLevel debug and I see:

AH01628: authorization result: granted (no directives)

The log line is created by [authz_core:debug] so it seems to recognize the auth lines are there, just not that it needs to actually do some authorisation.

Even replacing valid-user with all denied has no effect.

I seem to have all the modules I need.

I tried adding a .htaccess in another directory and that logged "AuthType not allowed here".

I have AllowOverride All just about everywhere it's allowed.

Similar questions have not come up with a solution that works for me. Please tell me how to troubleshoot this and I'll be happy to try it and report back.

6
  • I wouldn't allow any htaccess stuff inside a protected directory (i.e. set AllowOverride None), the rest looks okay to me. Did you reload/restart your server? Commented Apr 18, 2021 at 20:13
  • Are you definitely accessing the directory through the expected vhost? (www.example.org in your example configuration snippet) Are you sure there isn't another vhost referencing the same directory tree but without access control? Commented Apr 18, 2021 at 21:57
  • Freddy, the AllowOverrides are temporary, will all be removed except where needed. Commented Apr 19, 2021 at 8:19
  • Roaima, there's a top-level vhost with "Require all granted" and one for the domain. This is meant to reduce access for this subfolder. Commented Apr 19, 2021 at 8:25
  • 1
    This vhost is ignored if the other vhost matches. Are you sure your content is served (and logged) from this vhost? Commented Apr 19, 2021 at 19:58

3 Answers

1

This is a common issue. The Apache documentation suggests using the <Location /> directive instead of <Directory />. The following example VirtualHost should provide you with functional Basic Authentication:

<VirtualHost *:80>
        ServerName      example.com

        DocumentRoot "/srv/www/htdocs/"

        <Location />
        AuthType        Basic
        AuthName        "Authorized Access Only"
        AuthUserFile    /etc/apache2/auth/htpass
        AuthGroupFile   /etc/apache2/auth/group
        Require         group myusers
        </Location>

        <Directory "/srv/www/htdocs/">
        Require all granted
        </Directory>
</VirtualHost>

The htpass file is generated using htpasswd -c /etc/apache2/auth/htpass myname. The group file (which is optional!) uses the following syntax (with respect to the virtual host example above):

myusers: myname myfriend mycolleague

The htpasswd as well as group files need to be readable by the user Apache runs as.

14
  • Please remove the .htaccess file upon attempting this example, as the directives might collide. Commented Apr 19, 2021 at 0:12
  • Where is this a common issue? The context for AuthType Basic is a directory (<Directory>, <Location>, <Files>...) or .htaccess context. Commented Apr 19, 2021 at 0:39
  • 1
    The sheer amount of similar posts with the same issue makes it a common issue. Apache makes it difficult to get exactly right. I am aware the context suggests both are possible, however from my humble knowledge Apache changed its behavior at some point. The example I provided was copied from a working production setup. Commented Apr 19, 2021 at 0:49
  • Thanks gecko. I'll try with Location later and report back. Please see my comment to roaima above - is the Require valid-user correctly overriding the higher-level Require all granted? My htpasswd file is in the correct format and readable, though called pass.txt. I haven't used a group file but can do if it might help. Will probably try it. Commented Apr 19, 2021 at 8:30
  • 1
    roaima I didn't think about that - you mean edit my question with updates? I hope my provisional answer below addresses the issue. Commented Apr 22, 2021 at 8:36
1

This isn't a definitive answer but I can report how I fixed it.

All http requests were redirected to https, though I'm not clear where that was done. This meant that the vhosts for *:80 were ignored and the *:443 ones were the ones used. I moved the auth stuff to the *:443 vhost and preceded it with a "Require all denied" and it now requests the login. Here's the code as included in the vhost:

<Directory /subdir/>
   Require all denied
</Directory>

<Location /subdir/>
   AllowOverride All
   AuthType Basic
   AuthName "admins only"
   AuthUserFile /etc/apache2/userpass.txt
   AuthGroupFile /etc/apache2/group
   Require group admins
</Location>

Anyone who can improve or simplify this, please do.

2
  • You could use the <Directory> config of your question, no <Location> needed here. Any other directories should be already denied per your main apache.conf (<Directory /> Require all denied ...). I would still remove AllowOverride All. Commented Apr 20, 2021 at 20:31
  • Thank you Freddy, will do. Commented Apr 22, 2021 at 8:33
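
The root cause reported in the answer above (auth directives sitting in the *:80 vhost while requests were actually served by the *:443 vhost) can be checked statically. The following Python check is an added example, not code from the thread: the sample configuration is constructed, the function names are hypothetical, and it assumes a single config text without following Include directives or server-level sections.

```python
import re

# Constructed sample mirroring the thread: Basic auth exists only in the
# *:80 vhost, while a *:443 vhost answers for the same ServerName.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example
    <Directory /var/www/example/subdir/admin/>
        AuthType Basic
        AuthUserFile /etc/apache2/pass.txt
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SECTION_RE = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost>: address, ServerName, auth-protected sections."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        # A section counts as protected only if it carries an AuthType line.
        protected = [(kind.capitalize(), path.strip())
                     for kind, path, block in SECTION_RE.findall(body)
                     if re.search(r"^\s*AuthType\s+\S+", block, re.M | re.I)]
        vhosts.append({"addr": addr.strip(),
                       "name": name.group(1) if name else None,
                       "protected": protected})
    return vhosts

def unprotected_twins(conf):
    """List (addr, ServerName, path) for vhosts that share a ServerName with a
    protected vhost but do not repeat its auth section."""
    vhosts = parse_vhosts(conf)
    findings = []
    for a in vhosts:
        for b in vhosts:
            if a is not b and a["name"] and a["name"] == b["name"]:
                for kind, path in a["protected"]:
                    if (kind, path) not in b["protected"]:
                        findings.append((b["addr"], b["name"], path))
    return findings
```

On a live server, `apache2ctl -S` shows which vhost answers for each address and port, which tells you which of the flagged vhosts is actually serving the request.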
0

In a proxy virtualbox, you may include the authentication code in blocks.

<proxy *>
   AllowOverride All
   AuthType Basic
   AuthName "admins only"
   AuthUserFile /etc/apache2/userpass.txt
   AuthGroupFile /etc/apache2/group
   Require group admins
</proxy>

would still work.
