We are using the mod_auth_openid plugin to provide OpenID support for part of our site. It works pretty well, but we're running into one of those "Do this, except when" conditions, and I'm not sure where I'm missing.
There are a few URIs that we don't want this applied. On the surface, this is pretty straight forward.
<Directory "/opt/homeapp/web">
AuthType openid-connect
SetEnvIf Request_URI "^/(callbacks.php.*)$" allow
require claim hd:example.com
require env allow
require valid-user
</Directory>
This works fine for things that hit the callbacks.php
file, and any other actual-file.
Where my problem comes in, is attempting to match Symfony routes. If the incoming request is to /combobulator/newForm
, it seems like Request_URI
should be equal to /combobulator/newForm
. However, this is definitely not the case.
SetEnvIf Request_URI "^/combobulator/(.*)" allow
SetEnvIf Request_URI "combobulator/(.*)$" allow
SetEnvIf Request_URI "combobulator" allow
SetEnvIf Request_URI "(combobulator)" allow
All of those don't do the thing.
How do you match routes with SetEnvIf
, or is that even possible?
Doing some investigation into how the dataflow works, I've implemented a bit of a test harness to see what
Request_URI
is at this stage of execution.Then using a custom
LogFormat
statement using%{check_uri}e
in it, I've managed to show thatRequest_URI
at this stage for most routes isindex.php
.Which is to day, The SetEnvIf method used for files, will not work for routes. Some other method will need to be used.
This solved an issue for me with the wp-json api route
Require env REDIRECT_noauth
Exclusion of a protected sub-url does not work on Apache 2.4?