lundi 2 février 2015

Apache Location Authorizations Allow Unauthorized Access


I am running Apache/2.2.22.


I cannot figure out how to properly enforce Apache authentication requirements.


My site has two areas:



  1. Access always requires password authentication (/restricted and /cgi-bin/restricted)

  2. Access can be allowed based on having a local IP address (/local and /cgi-bin/local)


However, I get these behaviors:



  • Access to /restricted/index.html correctly requires authentication

  • Access /cgi-bin/restricted/ correctly requires authentication

  • Access to /cgi-bin/restricted/target.cgi requires NO authentication


All of this testing does occur from the IP addresses allowed to access /local and /cgi-bin/local, so it is possible that this allowance is bleeding over somehow, but it certainly isn't supposed to.


The relevant sections of my VirtualHost configuration are: (Note that I am currently using <Location />s in the cgi-bin section, I previously had all of the requirements inside of the relevant <Directory />s but pulled it out based on other recommendations I found; it had no effect.)



DocumentRoot /var/www

    # HTML section
    <Directory /var/www/restricted>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            AuthType Basic
            AuthName "Restricted"
            AuthBasicProvider file
            AuthUserFile /etc/apache2/passwords
            Require user username
    </Directory>

    <Directory "/var/www/local/">
            Options Indexes FollowSymLinks
            Order allow,deny
            Allow from 192.168.1.0/24
            Allow from 192.168.0.0/24
    </Directory>

    # CGI section
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    <Directory "/usr/lib/cgi-bin/resricted">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    </Directory>

    <Location "/usr/lib/cgi-bin/restricted">
            AuthType Basic
            AuthName "Restricted"
            AuthBasicProvider file
            AuthUserFile /etc/apache2/passwords
            Order allow,deny
            Require user username
    </Location>

    <Directory "/usr/lib/cgi-bin/local">
            AllowOverride None
            Options +ExecCGI +SymLinksIfOwnerMatch -MultiViews
    </Directory>

    <Location "/usr/lib/cgi-bin/local">
            Order allow,deny
            Allow from 192.168.1.0/24
            Allow from 192.168.0.0/24
    </Location>


Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)