Apache authenticate all paths (incl. root "/") except one

Time:09-27

I'm trying to restrict access to a certain virtual host for all paths (including test.tonnerklaps.local). The only publicly accessible path should be "/webhook/bitbucket".

This is my host config:

<VirtualHost *:443>
  ServerName test.tonnerklaps.local
  DocumentRoot /srv/satisfy/public
  SSLCertificateFile /etc/ssl/certs/test.tonnerklaps.local.pem
  SSLCertificateKeyFile /etc/ssl/private/test.tonnerklaps.local-key.pem

  <Location "/">
    LogMessage "L root %{REQUEST_URI}"
    <RequireAll>
      AuthType Basic
      AuthName "Restricted Access"
      AuthBasicProvider file
      AuthUserFile "/var/www/passwd/passwords"
      Require user packagist
    </RequireAll>
  </Location>
  <Location "/webhook/bitbucket">
    LogMessage "L webhook %{REQUEST_URI}"
    Require all granted
  </Location>

</VirtualHost>

The problem is that I'm asked to authenticate on "/webhook/bitbucket" too. Interestingly, it seems to have something to do with "/".

Because this is working as expected:

  <Location "/admin">
    LogMessage "L admin %{REQUEST_URI}"
    <RequireAll>
      AuthType Basic
      AuthName "Restricted Access"
      AuthBasicProvider file
      AuthUserFile "/var/www/passwd/passwords"
      Require user packagist
    </RequireAll>
  </Location>
  <Location "/admin/configuration">
    LogMessage "L admin.configuration %{REQUEST_URI}"
    Require all granted
  </Location>

But what really surprises me is that the following is also not working. Although the <Else> path never gets logged, I get the authentication prompt on "/webhook/bitbucket".

  <If "%{REQUEST_URI} == '/webhook/bitbucket'">
    LogMessage "If %{REQUEST_URI}"
    Require all granted
  </If>
  <Else>
    LogMessage "Else %{REQUEST_URI}"
    <RequireAll>
      AuthType Basic
      AuthName "Restricted Access"
      AuthBasicProvider file
      AuthUserFile "/var/www/passwd/passwords"
      Require user packagist
    </RequireAll>
  </Else>

Any ideas on this?

I'm trying to run satisfy (composer create-project playbloom/satisfy) on Apache/2.4.54 (Ubuntu). I get the same behavior with another PHP application (concreteCMS) too.

Update
I tested <Location> without the app (just created the folder structure and index.php files). This is working. Anyhow, still no clue why it's not working in the app and also why the <If> is not working.

Update 2
This is the latest config I'm using.

  <Location "/webhook/bitbucket">
    AuthMerging Off
    LogMessage "L webhook %{REQUEST_URI}"
    AuthType None
    Require all granted
  </Location>
  <Location "/">
    LogMessage "L root %{REQUEST_URI}"
    AuthMerging Off
    AuthType Basic
    AuthName "Restricted Access"
    AuthBasicProvider file
    AuthUserFile "/var/www/passwd/passwords"
    Require user packagist
  </Location>

Update 3
There is this .htaccess file inside the satisfy/public folder. It must have something to do with this, but I can't wrap my head around it yet.

<IfModule mod_rewrite.c>
    Options -MultiViews +Indexes
    
    RewriteEngine On

    # Determine the RewriteBase automatically and set it as environment variable.
    RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
    RewriteRule ^(.*) - [E=BASE:%1]

    # Set the HTTP_AUTHORIZATION header removed by apache as environment variable.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect to URI without front controller to prevent duplicate content.
    # We only do this redirect on the initial rewrite to prevent endless redirect loops.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]

    # If the requested filename exists or should exist, simply serve it.
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d [OR]
    RewriteCond %{REQUEST_URI} =/favicon.ico [OR]
    RewriteCond %{REQUEST_URI} =/robots.txt
    RewriteRule .? - [L]

    # Rewrite all other queries to the front controller.
    RewriteRule .? %{ENV:BASE}/index.php [QSA,L]
</IfModule>

#Compress JSON files
<IfModule mod_headers.c>
    <IfModule mod_deflate.c>
        <IfModule mod_filter.c>
            SetOutputFilter DEFLATE
            AddOutputFilterByType DEFLATE application/json
        </IfModule>
    </IfModule>
</IfModule>

CodePudding user response:

There seems to be no solution to my problem, as the request gets checked before and after each rewrite (which makes perfect sense). So the path "/webhook/bitbucket" gets rewritten to just index.php, and after this rewrite it looks like there is no possibility to check what the original request was ($REQUEST_URI is no longer "/webhook/bitbucket"). At least this is the case at the Apache level. The app somehow seems to get the request URI all the same. I'm still not entirely sure how this part works. If anyone could provide more information about this, I'd be happy to hear it.

I ended up disabling .htaccess and merging it into my vhost config. So I can prevent the webhook path from being rewritten and can allow unrestricted access only to this path. I then call it like index.php/webhook/bitbucket. This is also update-safe as long as there are no relevant changes to the .htaccess.

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName packagist.lemonbrain.ch
    DocumentRoot /var/www/html/satisfy/public
    SSLEngine on

    <Directory "/var/www/html/satisfy/public">
        AuthType Basic
        AuthName "Restricted Access"
        AuthBasicProvider file
        AuthUserFile "/var/www/passwd/passwords"

        <RequireAny>
          # only allow unauthenticated access to the bitbucket webhook
          Require expr "%{REQUEST_URI} == '/index.php/webhook/bitbucket'"
          Require user packagist
        </RequireAny>

        # disable .htaccess in satisfy/public
        AllowOverride None
        RewriteEngine On

        # do not rewrite the bitbucket webhook (leave index.php) for the require above to work
        RewriteCond %{REQUEST_URI} "=/index.php/webhook/bitbucket"
        RewriteRule .* - [END]

        #################################################################################
        # this is the content of the .htaccess in satisfy/public                        #
        # so if there is something not working after updating satisfy check and compare #
        #################################################################################
        Options -MultiViews +Indexes
        # RewriteEngine On

        # Determine the RewriteBase automatically and set it as environment variable.
        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
        RewriteRule ^(.*) - [E=BASE:%1]

        # Set the HTTP_AUTHORIZATION header removed by apache as environment variable.
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

        # Redirect to URI without front controller to prevent duplicate content.
        # We only do this redirect on the initial rewrite to prevent endless redirect loops.
        RewriteCond %{ENV:REDIRECT_STATUS} ^$
        RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]

        # If the requested filename exists or should exist, simply serve it.
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d [OR]
        RewriteCond %{REQUEST_URI} =/favicon.ico [OR]
        RewriteCond %{REQUEST_URI} =/robots.txt
        RewriteRule .? - [L]

        # Rewrite all other queries to the front controller.
        RewriteRule .? %{ENV:BASE}/index.php [QSA,L]

        #Compress JSON files
        <IfModule mod_headers.c>
            <IfModule mod_deflate.c>
                <IfModule mod_filter.c>
                    SetOutputFilter DEFLATE
                    AddOutputFilterByType DEFLATE application/json
                </IfModule>
            </IfModule>
        </IfModule>
        ###########################
        # end of copied .htaccess #
        ###########################
    </Directory>
  </VirtualHost>
</IfModule>
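As an added check that is not part of the original post, the script below probes the final vhost with curl and verifies that only the un-rewritten index.php webhook URI is reachable without credentials, while everything else (the pretty URI that gets rewritten to index.php, the root, other index.php routes, and the webhook URI with a trailing slash) still gets the 401 challenge. HOST, CREDS and the probe rows are assumptions made for this example.

```shell
# Added example, not from the original post: black-box check that the final
# vhost exposes exactly one unauthenticated URI. HOST (the post's ServerName)
# and CREDS (the post's user with a placeholder password) are assumptions.
HOST="${HOST:-https://packagist.lemonbrain.ch}"
CREDS="${CREDS:-packagist:CHANGE-ME}"
# fetch PATH [user:pass] -> prints only the HTTP status code
fetch() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$HOST$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$HOST$1"
    fi
}
FETCH="${FETCH:-fetch}"   # indirection so the matrix can also run against a stub
# One probe per row: path, credentials ("-" = none, CREDS = basic auth), expectation.
# "open" = any status but 401; "auth" = must be 401. Only the un-rewritten
# index.php URI may pass (query string is not part of REQUEST_URI); the pretty
# URI is rewritten to index.php and challenged, as the answer explains.
POLICY='
/index.php/webhook/bitbucket - open
/index.php/webhook/bitbucket?token=x - open
/webhook/bitbucket - auth
/ - auth
/index.php - auth
/index.php/admin - auth
/index.php/webhook/bitbucket/ - auth
/ CREDS open
/index.php/admin CREDS open
'
# check_policy -> exit status 0 when every row matches, 1 otherwise (mismatches printed,
# credentials never echoed)
check_policy() {
    fail=0
    while read -r path creds want; do
        [ -n "$path" ] || continue
        case "$creds" in CREDS) auth="$CREDS" ;; *) auth="" ;; esac
        code=$($FETCH "$path" "$auth")
        if { [ "$want" = auth ] && [ "$code" != 401 ]; } ||
           { [ "$want" = open ] && [ "$code" = 401 ]; }; then
            echo "FAIL $path creds=$creds want=$want got=$code"
            fail=1
        fi
    done <<EOF
$POLICY
EOF
    return $fail
}
if [ "${1:-}" = "--run" ]; then check_policy; fi
```

Run it as `sh check.sh --run` after deploying the vhost; a non-zero exit means some path is either unexpectedly open or unexpectedly challenged.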
