Apache Reverse Proxy: Limit POST / PUT but allow unatuthenticated GET / HEAD

Question

I am running a Docker Registry behind an Apache Reverse Proxy that provides:

• SSL Termination
• Basic Auth for GET / HEAD
• Basic Auth for POST / PUT / PATCH / DELETE

based on the reference example for Authenticate proxy with Apache by Docker.

I would like to remove the Authentication requirement for GET & HEAD, and allow unauthenticated users to read / pull from the registry. However, I'm unable to.

<Location /v2>
  Order deny,allow
  Allow from all
  AuthName "Registry Authentication"
  AuthType basic
  AuthUserFile "/usr/local/apache2/conf/httpd.htpasswd"
  AuthGroupFile "/usr/local/apache2/conf/httpd.groups"

  # Read access to authentified users
  <Limit GET HEAD>
    Require valid-user
  </Limit>

  # Write access to docker-deployer only
  <Limit POST PUT DELETE PATCH>
    Require group pusher
  </Limit>

</Location>

I tried to:

• remove the <Limit GET HEAD> section;
• add Require all granted instead of Require valid-user;
• replace with LimitExcept;
• replace with RequireAny as per the Apache documentation.

but I have not been able to figure out the correct syntax. If unauthenticated GET works, POST causes: unauthorized: authentication required

I would like to:

• restrict pushing to the registry (POST/PUT/PATCH) to authenticated users & groups;
• but allow unauthenticated pulling (GET/HEAD).

Answer 1

Have you tried to move the auth directives to the Require block?

<Location /v2>
    Order deny,allow
    Allow from all

    # Read access to authentified users
    <Limit GET HEAD>
        Require all granted
    </Limit>

    # Write access to docker-deployer only
    <Limit POST PUT DELETE PATCH>
        AuthName "Registry Authentication"
        AuthType basic
        AuthUserFile "/usr/local/apache2/conf/httpd.htpasswd"
        AuthGroupFile "/usr/local/apache2/conf/httpd.groups"
        Require group pusher
    </Limit>

</Location>

I didn't test, just to give you an idea.