Conditional HTTP Basic Auth in Apache 2.4

One of our internally used applications uses HTTP Basic auth to authenticate a user against our LDAP instance. In a recent attempt I had the need to expose one endpoint publicly without the need for authentication. I tried several solutions but none of them worked for my specific use case. At first I tried several Location directives, but that did not work as expected. I also tried the LocationMatch directive, which also did not work. By accident I came across a blog post stating that Apache 2.4 supports if/else style syntax, and that seemed to work fine for me.

<VirtualHost *:80>
    DocumentRoot /srv/app/web/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /srv/app/web/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <Location />
        <If "%{THE_REQUEST} =~ m#^POST /my/trigger#i">
            # No authentication needed
            Require all granted
        </If>
        <Else>
            # authnz_ldap logic here...
        </Else>
    </Location>
</VirtualHost>


The If directive supports different expressions to evaluate data. You can use binary operators, different functions or regular expressions. In the example above I used a regex because the trigger URL for my specific use case can contain different parameters. The expression syntax also supports variables like REQUEST_URI or PATH_INFO. Due to some rewrite logic, neither of those contained the requested URL. Thus I had to use the THE_REQUEST variable. On the plus side, this also gave me the chance to check for the HTTP method involved, making it possible to expose the URL just for POST requests.
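
THE_REQUEST holds the raw request line and the expression above is anchored only at its start, so it is worth checking which request lines the exemption actually covers before deploying it. The following is an added example, not code from the original post: the sample request lines are constructed, and the tightened pattern assumes the parameters arrive as a query string.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The expression from the post: anchored at the start only, case-insensitive.
PAGE_PATTERN = re.compile(r"^POST /my/trigger", re.I)
# Tightened variant (assumption: parameters arrive as a query string):
# exact path, optional query, then the protocol token ending the request line.
STRICT_PATTERN = re.compile(r"^POST /my/trigger(\?[^ ]*)? HTTP/")


def effective_path(request_line):
    """Approximate the path a server maps after decoding and dot-segment removal."""
    target = request_line.split(" ")[1]
    return posixpath.normpath(unquote(urlsplit(target).path))


def audit(request_line):
    """Return (page_exempt, strict_exempt, effective_path) for one request line."""
    return (
        bool(PAGE_PATTERN.search(request_line)),
        bool(STRICT_PATTERN.search(request_line)),
        effective_path(request_line),
    )


def unintended_exemptions(lines, pattern=PAGE_PATTERN, allowed="/my/trigger"):
    """Request lines the pattern exempts although they resolve to another path."""
    return [ln for ln in lines if pattern.search(ln) and effective_path(ln) != allowed]


# Constructed request lines (not taken from any real log).
SAMPLES = [
    "POST /my/trigger HTTP/1.1",
    "POST /my/trigger?job=42&ref=main HTTP/1.1",
    "GET /my/trigger HTTP/1.1",
    "POST /my/trigger-admin HTTP/1.1",
    "POST /my/trigger/../reports HTTP/1.1",
    "POST /My/Trigger HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        page, strict, path = audit(line)
        print(f"{line!r:48} page={page!s:5} strict={strict!s:5} -> {path}")
```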




Posted by Stephan Hochdörfer on 01.02.2017
