Apache 2.2 Allow from env=_variable_

I have an Apache 2.2 setup with LDAP Authorization, which is working fantastically as expected, and have also made it so that I can bypass Authentication when accessing it locally.

Allow from localIP hostnameA hostnameB, etc...

If I curl from the server, I don't get any Auth Required. So all good and working as expected.

What I need now is to make one particular URL also bypass authorisation.

I have tried all the usual solutions, using SetEnvIf:

SetEnvIf Request_URI "^/calendar/export" bypassauth=true
Allow from env=bypassauth IP_ADDRESS HOSTNAME_A HOSTNAME_B

But this is just not working!!

  1. Local access is still unrestricted, but remotely it is not (no change there)
  2. If I dump out my server environment variables on that URL's script, I can see my bypassauth variable is being passed.

I just cannot for the life of me figure out why the Allow from env=bypassauth part is not working, while it still obeys the additional directive parameters.

I also tried another suggestion, using the Location directive:

<Location /calendar/export>
  Satisfy Any
  Allow from all
  AuthType None

  SetEnv WTF 123
</Location>

Again, I can see my new environmental variable (WTF) appear on this URL (when I dumped the server envs in the script), so I know that the SetEnv and SetEnvIf directives are working.

Is there anything I'm missing (any Apache2.2 quirks?), as all the solutions I've seen so far just are not working. It's as if my Allow from changes are having no effect after restarting Apache. I'm starting to feel my sanity slip.

Is there also a particular order when writing the directives for Satisfy Any, Order allow, deny and the Auth* directives, which might be affecting this?

There are 1 best solutions below

Finally managed to figure it out!! :)

Seems my URL was being processed by mod_rewrite (my environmental variable being prefixed by REWRITE_ should have rung alarm bells), which, according to this post https://stackoverflow.com/a/23094842/4800587, is performed AFTER our SetEnvIf and Allow directives.

Anyway, long story short; I used the rewritten/final URL and the Location section to bypass authentication using the Allow any directive. So I changed...

<Location "/calendar/export">
  Allow from all
</Location>

to...

<Location "/calendar/index.php/export">
  Allow from all
</Location>

which is the final URL (after rewrite), and now works.
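
The setup described in the question and this answer, put together as one Apache 2.2 fragment. This is an added illustration, not the poster's actual configuration: the directory path is a placeholder, the LDAP directives are left as a marker because the post does not show them, and the explicit Order and Satisfy lines inside the Location block are an assumption made so the block does not depend on inherited settings.

```apache
# Apache 2.2 syntax (Order/Allow/Deny/Satisfy from mod_authz_host and core).

# Placeholder path; use the directory that already carries the LDAP setup.
<Directory "/var/www/html">
    # Host check: only the trusted local addresses pass it.
    Order deny,allow
    Deny from all
    Allow from IP_ADDRESS HOSTNAME_A HOSTNAME_B

    # Existing AuthType / AuthLDAPURL / Require directives stay here unchanged
    # (not shown in the post).

    # Passing EITHER the host check OR LDAP authentication grants access.
    Satisfy Any
</Directory>

# Has no effect on the export, as the answer found: the request is rewritten
# by mod_rewrite and access is decided against the rewritten URL.
#<Location "/calendar/export">
#    Order allow,deny
#    Allow from all
#    Satisfy Any
#</Location>

# Matches the final URL after the rewrite, so the exemption applies.
<Location "/calendar/index.php/export">
    # Host check passes for every client on this path only.
    Order allow,deny
    Allow from all
    Satisfy Any
</Location>
```

A Location block also covers every path below the one it names, so anything served under /calendar/index.php/export/ is exempt as well. After reloading, request a neighbouring URL such as /calendar/index.php from a remote host without credentials and confirm it still returns 401.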