Exclude specific cakephp controller from http basic auth

Question

I'm trying to exclude a path (URI) from being blocked by basic http auth. The path is /rest (http://example.com/rest) and represents a controller of a cakephp 3 application. It is NOT a real file, but rather a path rewritten by a rewite-condition and handeled by index.php in the webroot dir.

Here's the rewrite rules:

/var/www/.htaccess:

<IfModule mod_rewrite.c>
     RewriteEngine on
     RewriteRule    ^$    webroot/    [L]
     RewriteRule    (.*) webroot/$1    [L]
</IfModule>

/var/www/webroot/.htaccess:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^ index.php [L]
</IfModule>

I'm running apache 2.4 and tried different configurations:

<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/webroot
<Directory /var/www>
   Options FollowSymLinks
   AllowOverride All
</Directory>
<Location "/">
           AuthType Basic
           AuthName "Keawe Development"
           AuthUserFile /host/.htpasswd
           Require valid-user
           Require expr %{REQUEST_URI} =~ m#/rest/.*#
           Require expr %{REQUEST_URI} =~ m#/index.php/rest/.*#
</Location>
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

...adapted from https://stackoverflow.com/a/33655232/1285585

<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/webroot
<Directory /var/www>
   Options FollowSymLinks
   AllowOverride All
</Directory>
<Location "/">
           AuthType Basic
           AuthName "Keawe Development"
           AuthUserFile /host/.htpasswd
           Require valid-user
</Location>
<Location "/rest">
   Allow from all
   Satisfy any
</Location>
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

... from https://serverfault.com/a/475845/229877

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/webroot
<Directory /var/www>
  Options FollowSymLinks
  AllowOverride All
 </Directory>
 <Location "/">
   AuthType Basic
   AuthName "Keawe Development"
   AuthUserFile /host/.htpasswd
   Require valid-user
 </Location>
 <Location "/rest">
   Require all granted
 </Location>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
 </Virtualhost>

... from https://www.apachelounge.com/viewtopic.php?p=30200

...
 <Location "/">
           SetEnvIf Request_URI ^/rest noauth=1
           SetEnvIf Request_URI /rest noauth=1
           SetEnvIf Request_URI ^/index.php/rest noauth=1
           SetEnvIf Request_URI /index.php/rest noauth=1

           AuthType Basic
           AuthName "Keawe Development"
           AuthUserFile /host/.htpasswd
           Order Deny,Allow
           Satisfy any
           Deny from all
           Require valid-user
           Allow from env=noauth
 </Location>

... from https://stackoverflow.com/a/8979889/1285585

 <Location "/">
   AuthType Basic
   AuthName "Keawe Development"
   AuthUserFile /host/.htpasswd
   Require valid-user
 </Location>
 <Location ~ "/(rest|index.php/rest)">
   Satisfy Any
   Allow from all
   AuthType None
   Require all granted
 </Location>

... from https://stackoverflow.com/a/13296294/1285585

<Location "/">
  AuthType Basic
  AuthName "Keawe Development"
  AuthUserFile /host/.htpasswd
  Require valid-user
</Location> 
<Files "index.php/rest">
   Satisfy Any
   Allow from all
</Files>
<Files "rest">
   Satisfy Any
   Allow from all
</Files>

... from HTTP Basic Auth Exclude Single File

However, none of them seem to work. I always get error 401 using wget or an auth request from a browser.

The problem seems to be, that the path /rest passes the condition but then is rewritten to index.php, which is under control of basic auth (and has to be).

Any clues?

score 17 · Accepted Answer · edited May 23 '17 at 12:32

17

Finally figured it out when I stumbelled upon this answer ( https://stackoverflow.com/a/14010456/1285585 ) to a related question.

Here is my solution:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/webroot
  <Directory /var/www>
    Options FollowSymLinks
    AllowOverride All
 </Directory>

 <Location "/">
    # Default to Basic Auth protection for any stie
    AuthType Basic
    AuthName "Keawe Development"
    AuthUserFile /host/.htpasswd
    Require valid-user

    # If the request goes to a rest page: bypass basic auth
    SetEnvIf Request_URI ^/rest/ noauth=1
    Allow from env=REDIRECT_noauth
    Allow from env=noauth

    Order Deny,Allow
    Satisfy any
    Deny from all
  </Location>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

edited May 23 '17 at 12:32

Community

1
1

answered Dec 11 '16 at 23:56

Stephan Richter

1,139
11
31

What does `REDIRECT_noauth` signify? – Shoan Dec 21 '16 at 06:25
If a redirect occurs, the SetEnvIf rule will be applied twice: once before and once after the redirect. The noauth environment variable will be set, if the Request_URI matches the given token `^/rest/` after the redirect, whilst the REDIRECT_noaut is set, if the Request_URI matches PRIOR to the redirect. – Stephan Richter Dec 21 '16 at 14:38

Exclude specific cakephp controller from http basic auth

1 Answers1

Linked