Apache 2.4 no auth config works in VirtualHost

I'm setting up a brand new server — I literally just spun up an AWS EC2 instance, did a fresh install of apache and mod_ssl, and have close to the simplest of configs. Apache appears to ignore any auth configuration (including LogLevel) in VirtualHost blocks.

This is with Apache 2.4.51 on amzn2.x86_64 Linux.

I started by redirecting HTTP to HTTPS, and then followed the basic instructions for Apache 2.4 Authentication and Authorization. That got me to the following virtual.conf:

<VirtualHost _default_:80>
        DocumentRoot /var/www/html
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
        LogLevel debug
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        <Directory "/var/www/html">
                AllowOverride All
                Options Indexes FollowSymLinks
                AuthType Basic
                AuthName "Restricted Files"
                # (Following line optional)
                AuthBasicProvider file
                AuthUserFile "/mount/local/apache/passwd/passwords"
                Require user someuser
        </Directory>
        DocumentRoot /var/www/html
</VirtualHost>

In general, the above seems to be working, with the exception of auth stuff. If I go to my IP address in a web browser, it correctly redirects to 443, it serves the certificates from the specified (non-standard) path, and I can see it logging debug level activity, at least for mod_ssl. However, it just serves this index.html from /var/www/html/ (NB: /var/www/html is a symlink).

I found this other question, which led me to look for any Require all granted directives.

# pwd
/etc/httpd/conf.d
# grep Require * 2>/dev/null
autoindex.conf:# Required modules: mod_authz_core, mod_authz_host,
autoindex.conf:    Require all granted
ssl.conf:#   With SSLRequire you can do per-directory access control based
ssl.conf:#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
ssl.conf:#   o StrictRequire:
ssl.conf:#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
ssl.conf:#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
userdir.conf:    Require method GET POST OPTIONS
virtual.conf:       Require user someuser
welcome.conf:    Require all granted

The one in autoindex.conf is inside of a <Directory "/usr/share/httpd/icons"> block, and the one in welcome.conf is in <Directory /usr/share/httpd/noindex>. I did find one in /etc/httpd/conf/http.conf:

# Further relax access to the default document root:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Note, on this installation (via yum on Amazon Linux 2), the main config file is /etc/httpd/conf/http.conf. The last line of that file is IncludeOptional conf.d/*.conf. My main configuration I posted above is in /etc/httpd/conf.d/virtual.conf.

I tried commenting out that Require all granted and restarted the server, but no change. That's when I noticed that it doesn't appear to be doing anything at all. That previously mentioned question showed some entries in his log file. However, even though I have LogLevel debug, I'm not seeing anything related to authz_core in the log files, as he was. ¯_(ツ)_/¯

At this point, I tried a number of modifications inside of the <VirtualHost> block:

• I tried wrapping the lines AuthType basic through Require user someuser in a <RequireAll> block
• I tried adding Require all denied before the Require user
• I tried using a .htaccess file with the same configuration
• I tried changing the AllowOverride All to AllowOverride All AuthConfig and using a .htaccess file
• I tried extending the logging to LogLevel debug auth_basic:trace1 authz_core:trace1

In all cases, no change, and the configuration parses fine. The server just serves the page, and there's nothing in any of the log files.

However, if I make changes in the main conf/httpd.conf file inside of the <Directory "/var/www/html"> block, things work as expected:

• changing Require all granted to Require all denied (instead of commenting it out) blocks all access
• changing AllowOverride none to AllowOverride AuthConfig makes my .htaccess file with the same auth configuration as in the <VirtualHost> block work as expected — it solicits username and password
• turning up logging with LogLevel debug auth_basic:trace1 authz_core:trace1 gets me lots of logging

So, to summarize, even though my <VirtualHost> config is working in general (redirect, SSL, debug for everything except auth), it appears to silently ignore any auth configuration, including LogLevel.

In the short term, I've solved my problem by undoing all the changes I made in the main config file, so things don't get overridden during a software update, and put them in conf/00-override.conf:

<Directory "/var/www/html">
    AllowOverride All
    AuthType Basic
    AuthName "Restricted Files"
    # (Following line optional)
    AuthBasicProvider file
    AuthUserFile "/mount/local/apache/passwd/passwords"
    Require user someuser
</Directory>

However, it would be good to be able to configure authorization at the virtual-host level. Any ideas?