I'm having a problem with using Apache basic authentication. I have a single EC2 server sitting behind an AWS elastic load balancer and CloudFront. I run several domains on the machine. I use Apache basic authentication for access to certain areas, but all use the same htpasswd and htgroups files. It's working fine for one domain, restricting access to a full subdomain, but for another domain, it's not working for restricting access to a location (or, it's working too well — I can't get access).
Environment: Apache 2.4.43 OpenSSL 1.0.2k-fips SVN 1.14.0 PHP 7.4.5
The failure mode is for an Apache location defined in conf.d/subversion.conf:
<Location /repos>
    DAV svn
    SVNParentPath /var/svn/
    SVNListParentPath On
    LogLevel debug
    Options All
    AllowOverride All Options
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /mnt/data/etc/htpasswd
    AuthGroupFile /mnt/data/etc/htgroups
    Require group subversion
</Location>
And the error file shows
[Mon Aug 17 00:04:47.658169 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
[Mon Aug 17 00:04:47.658511 2020] [authz_core:debug] [pid 30612] mod_authz_core.c(818): [client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Aug 17 00:04:54.816887 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)
[Mon Aug 17 00:04:54.817233 2020] [authz_core:debug] [pid 30548] mod_authz_core.c(818): [client 10.0.200.51:11382] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
In the conf.d/vhost.conf file for www.myhost.com, where I'm trying to reach www.myhost.com/repos using the above config for SVN, I also have
<Directory />
    Options All
    #Allow from All
    #Order Allow,Deny
    Require all granted
    AllowOverride All Options
    ...
I spent a long time running down various ratholes before I remembered (and confirmed) I'm using the same auth mechanism for a different scenario on the same EC2 host and Apache instance. This works fine in vhost.conf:
ServerName dev.anotherdomain.com
<Directory />
    Options All
    #Allow from All
    #Order Allow,Deny
    AllowOverride All Options
    # AuthType Digest
    AuthType Basic
    AuthName "DevAndTest"
    AuthUserFile /mnt/data/etc/htpasswd
    AuthGroupFile /mnt/data/etc/htgroups
    Require group adifferentgroup
</Directory>
This seems to work fine, which has me a little flummoxed :(
It turned out that the issue was I needed to whitelist Authorization headers in the CloudFront distribution. The subdomain case in the original question worked because it wasn't sitting behind CloudFront.
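One way to spot this condition from the debug log, added here as an example and not part of the original post: group the AH01626 lines by client and flag clients whose requests only ever reach "no authenticated user yet", with no sign that credentials were evaluated. The function names and the `10.0.200.99` entries are constructed for illustration; the `10.0.200.51` entries are trimmed from the log in the question.

```python
import re
from collections import Counter

# AH01626 is mod_authz_core's debug line for each Require evaluation.
AUTHZ = re.compile(r"\[client (?P<ip>[\d.]+):\d+\] AH01626: authorization result of "
                   r"(?P<rule>.+?): (?P<result>\w+)(?: \((?P<why>[^)]*)\))?")
# AH01617 (password mismatch) and AH01618 (user not found) come from
# mod_auth_basic, so they only appear when an Authorization header arrived.
AUTHN_FAIL = re.compile(r"\[client (?P<ip>[\d.]+):\d+\] AH0161[78]:")

def summarize(lines):
    """Per client IP: pre-auth denials vs. evidence that credentials were evaluated."""
    stats = {}
    for line in lines:
        m = AUTHZ.search(line)
        if m and not m["rule"].startswith("<"):  # skip <RequireAny> roll-ups
            # "no authenticated user yet" means the rule was checked before any
            # user was authenticated; normal on its own, suspicious if nothing follows.
            key = "pre_auth" if m["why"] == "no authenticated user yet" else "evaluated"
            stats.setdefault(m["ip"], Counter())[key] += 1
        elif not m:
            f = AUTHN_FAIL.search(line)
            if f:
                stats.setdefault(f["ip"], Counter())["evaluated"] += 1
    return stats

def never_authenticated(stats, min_requests=2):
    """Clients with repeated pre-auth denials and no credential evaluation at all."""
    return sorted(ip for ip, s in stats.items()
                  if s["pre_auth"] >= min_requests and s["evaluated"] == 0)

SAMPLE = [  # .51 entries trimmed from the question's log; .99 entries are constructed
    "[client 10.0.200.51:11378] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)",
    "[client 10.0.200.51:11378] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    "[client 10.0.200.51:11382] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)",
    "[client 10.0.200.51:11382] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    "[client 10.0.200.99:40001] AH01626: authorization result of Require group subversion: denied (no authenticated user yet)",
    "[client 10.0.200.99:40001] AH01626: authorization result of Require group subversion: granted",
]

if __name__ == "__main__":
    for ip in never_authenticated(summarize(SAMPLE)):
        print(f"{ip}: credentials never evaluated; check whether a proxy/CDN drops Authorization")
```

Behind a load balancer or CDN the `[client ...]` field may be the proxy's address rather than the end user's, so treat the per-IP grouping as coarse.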