apache2.4

Access Control only works inside <Location> directive, Apache/2.4.6 (CentOS)


There's a server with several instances of Apache running. One instance needs access from anywhere, but only for authorized users. The instance is started up by a systemctl script with the -f option pointing to a config file in /opt/.

The config includes directives from another file in the same folder under /opt/. The relevant part of the included directives looks like the following at the present moment:

"

[...]

  <Location "/subfolder">
      <RequireAll>
        Require all granted
        Require valid-user
      </RequireAll>
      LimitRequestBody <someNumber>
  </Location>

[...]

  DavLockDB /somepath/webdav/DavLock

  Alias /subfolder /mainfolder/subfolder
  <Directory /mainfolder/subfolder>
      Dav on
      AuthType Basic
      AuthName "Restricted Files"
      AuthUserFile /somepath/webdav/.htpasswd
      <RequireAll>
        Require all granted
        Require valid-user
      </RequireAll>
      AllowOverride All
      SSLRequireSSL
      Options FollowSymLinks Indexes
  </Directory>

[...]

"

This works so far: it only permits access to the folder if you enter your username and password.

The problem is, if I comment out the <Location> directive to comply with security recommendations, then access is flat-out denied. There is no way to enter a username and a password, and if I supply them on the command line, they are ignored, while they previously worked with the <Location> block intact.

The <RequireAll> block inside the <Directory> directive is completely ineffectual. In fact, if I comment it out there, it changes nothing whatsoever in the behaviour of the httpd instance. It works only when it is placed inside the <Location> block. The rest of the <Directory> block, on the other hand, seems to be working.

Does someone have any tips as to what I may be missing here? Thanks in advance!


Solution

  • H/T to Apache Basic Auth not working in .htaccess or Directory blocks; works fine in Location blocks

    The problem was that the configuration file the Apache instance is started up with included one of the system-wide configs in /etc/ with a default location block inside, similar to the following:

    <Location />
      Require all denied
      [...]
    </Location>
    

    When I commented out the line Require all denied from here, the access control directives in the <Directory> block started to work as expected.

    The explanation of the above is that, unlike "normal" <Location> directives, which "operate completely outside the filesystem", <Location /> refers to the entire server (see the Apache documentation: https://httpd.apache.org/docs/2.4/mod/core.html#location), so it means pretty much the same as <Directory /> (at least when it comes to its scope), except that it can only be overridden by another <Location> directive.
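
The override described in the answer can be checked offline against a config dump. The following is an added example, not part of the original post or of Apache: `effective_require` and `covers` are hypothetical helper names, the sample config is constructed from the page's placeholder paths, and the merge logic is a simplified model of httpd 2.4 (only `<Directory>` and `<Location>` sections, default `AuthMerging Off`).

```python
import re

# Constructed sample modelled on the page: a system-wide default <Location />
# plus the per-site <Directory> block (paths are the page's placeholders).
SAMPLE_CONF = """\
<Location />
    Require all denied
</Location>
Alias /subfolder /mainfolder/subfolder
<Directory /mainfolder/subfolder>
    AuthType Basic
    Require valid-user
</Directory>
"""

SECTION_OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r'</(Directory|Location)>', re.I)

def covers(prefix, path):
    """True when `path` equals `prefix` or lies below it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def effective_require(conf, url_path, fs_path):
    """Return (section, Require lines) of the section that decides access.
    Simplified model of httpd 2.4 merging: <Directory> sections apply first
    (shortest path first), then <Location> sections in file order; with the
    default AuthMerging Off, the last matching section with Require lines wins.
    """
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            current = (opened.group(1).capitalize(), opened.group(2).strip(), [])
            sections.append(current)
        elif SECTION_CLOSE.match(line):
            current = None
        elif current and line.lower().startswith("require "):
            current[2].append(line)
    # Stable sort: Directory group before Location group, file order on ties.
    ordered = sorted(sections, key=lambda s: (s[0] == "Location",
                                              len(s[1]) if s[0] == "Directory" else 0))
    winner = None
    for kind, path, requires in ordered:
        target = fs_path if kind == "Directory" else url_path
        if requires and covers(path, target):
            winner = (f"<{kind} {path}>", requires)
    return winner
```

Feed it the concatenated text of every file the instance includes, since the overriding block in this case lived in a system-wide file under /etc/ rather than in the config under /opt/.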