I'm trying to restrict access to a certain virtual host for all paths (including test.tonnerklaps.local). The only publicly accessible path should be "/webhook/bitbucket".
This is my host config:
<VirtualHost *:443>
    ServerName test.tonnerklaps.local
    DocumentRoot /srv/satisfy/public
    SSLCertificateFile /etc/ssl/certs/test.tonnerklaps.local.pem
    SSLCertificateKeyFile /etc/ssl/private/test.tonnerklaps.local-key.pem
    <Location "/">
        LogMessage "L root %{REQUEST_URI}"
        <RequireAll>
            AuthType Basic
            AuthName "Restricted Access"
            AuthBasicProvider file
            AuthUserFile "/var/www/passwd/passwords"
            Require user packagist
        </RequireAll>
    </Location>
    <Location "/webhook/bitbucket">
        LogMessage "L webhook %{REQUEST_URI}"
        Require all granted
    </Location>
</VirtualHost>
The problem is that I'm asked to authenticate on "/webhook/bitbucket" too. Interestingly, it seems to have something to do with "/".
Because this is working as expected:
<Location "/admin">
    LogMessage "L admin %{REQUEST_URI}"
    <RequireAll>
        AuthType Basic
        AuthName "Restricted Access"
        AuthBasicProvider file
        AuthUserFile "/var/www/passwd/passwords"
        Require user packagist
    </RequireAll>
</Location>
<Location "/admin/configuration">
    LogMessage "L admin.configuration %{REQUEST_URI}"
    Require all granted
</Location>
But what really surprises me is that the following is also not working. Although the else path never gets logged, I get the authentication prompt on "/webhook/bitbucket".
<If "%{REQUEST_URI} == '/webhook/bitbucket'">
    LogMessage "If %{REQUEST_URI}"
    Require all granted
</If>
<Else>
    LogMessage "Else %{REQUEST_URI}"
    <RequireAll>
        AuthType Basic
        AuthName "Restricted Access"
        AuthBasicProvider file
        AuthUserFile "/var/www/passwd/passwords"
        Require user packagist
    </RequireAll>
</Else>
Any ideas on this?
I'm trying to run satisfy (composer create-project playbloom/satisfy) on Apache/2.4.54 (Ubuntu). I get the same behavior with another PHP application (concreteCMS) as well.
Update
I tested <Location> without the app (just created the folder structure and index.php files). This is working. Anyhow, I still have no clue why it's not working in the app and also why the <If> is not working.
Update 2
This is the latest config I'm using.
<Location "/webhook/bitbucket">
    AuthMerging Off
    LogMessage "L webhook %{REQUEST_URI}"
    AuthType None
    Require all granted
</Location>
<Location "/">
    LogMessage "L root %{REQUEST_URI}"
    AuthMerging Off
    AuthType Basic
    AuthName "Restricted Access"
    AuthBasicProvider file
    AuthUserFile "/var/www/passwd/passwords"
    Require user packagist
</Location>
Update 3
There is this .htaccess file inside the satisfy/public folder. It must have something to do with this, but I can't wrap my head around it yet.
<IfModule mod_rewrite.c>
    # Options mixing +/- with unsigned names is a syntax error; every option needs a sign.
    Options -MultiViews +Indexes
    RewriteEngine On
    # Determine the RewriteBase automatically and set it as environment variable.
    RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
    RewriteRule ^(.*) - [E=BASE:%1]
    # Set the HTTP_AUTHORIZATION header removed by apache as environment variable.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    # Redirect to URI without front controller to prevent duplicate content.
    # We only do this redirect on the initial rewrite to prevent endless redirect loops.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
    # If the requested filename exists or should exist, simply serve it.
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d [OR]
    RewriteCond %{REQUEST_URI} =/favicon.ico [OR]
    RewriteCond %{REQUEST_URI} =/robots.txt
    RewriteRule .? - [L]
    # Rewrite all other queries to the front controller.
    # In per-directory context this is an internal redirect: the request is
    # re-run with URI /index.php, so <Location> authz is evaluated against that URI.
    RewriteRule .? %{ENV:BASE}/index.php [QSA,L]
</IfModule>
#Compress JSON files
<IfModule mod_headers.c>
    <IfModule mod_deflate.c>
        <IfModule mod_filter.c>
            SetOutputFilter DEFLATE
            AddOutputFilterByType DEFLATE application/json
        </IfModule>
    </IfModule>
</IfModule>
CodePudding user response:
There seems to be no solution to my problem, as the request gets checked before and after each rewrite (which makes perfect sense). So path "/webhook/bitbucket" gets rewritten to just index.php, and after this rewrite it looks like there is no possibility to check what the original request was ($REQUEST_URI is no longer "/webhook/bitbucket"). At least this is the case on Apache level. The app seems somehow to get the request URI all the same. I'm still not entirely sure how this part is working. If anyone could provide more information about this, I'd be happy to hear it.
I ended up disabling .htaccess and merging it into my vhost config. So I can prevent the webhook path from being rewritten and can allow unrestricted access only to this path. I then call it like index.php/webhook/bitbucket. This is also update-safe as long as there are no relevant changes to the .htaccess.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName packagist.lemonbrain.ch
    DocumentRoot /var/www/html/satisfy/public
    SSLEngine on
    <Directory "/var/www/html/satisfy/public">
        AuthType Basic
        AuthName "Restricted Access"
        AuthBasicProvider file
        AuthUserFile "/var/www/passwd/passwords"
        <RequireAny>
            # only allow unauthenticated access to the bitbucket webhook
            Require expr "%{REQUEST_URI} == '/index.php/webhook/bitbucket'"
            Require user packagist
        </RequireAny>
        # disable .htaccess in satisfy/public
        AllowOverride None
        RewriteEngine On
        # do not rewrite the bitbucket webhook (leave index.php) for the require above to work
        RewriteCond %{REQUEST_URI} "=/index.php/webhook/bitbucket"
        RewriteRule .* - [END]
        #################################################################################
        # this is the content of the .htaccess in satisfy/public                        #
        # so if there is something not working after updating satisfy check and compare #
        #################################################################################
        # Options mixing +/- with unsigned names is a syntax error; every option needs a sign.
        Options -MultiViews +Indexes
        # RewriteEngine On
        # Determine the RewriteBase automatically and set it as environment variable.
        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
        RewriteRule ^(.*) - [E=BASE:%1]
        # Set the HTTP_AUTHORIZATION header removed by apache as environment variable.
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        # Redirect to URI without front controller to prevent duplicate content.
        # We only do this redirect on the initial rewrite to prevent endless redirect loops.
        RewriteCond %{ENV:REDIRECT_STATUS} ^$
        RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
        # If the requested filename exists or should exist, simply serve it.
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d [OR]
        RewriteCond %{REQUEST_URI} =/favicon.ico [OR]
        RewriteCond %{REQUEST_URI} =/robots.txt
        RewriteRule .? - [L]
        # Rewrite all other queries to the front controller.
        RewriteRule .? %{ENV:BASE}/index.php [QSA,L]
        #Compress JSON files
        <IfModule mod_headers.c>
            <IfModule mod_deflate.c>
                <IfModule mod_filter.c>
                    SetOutputFilter DEFLATE
                    AddOutputFilterByType DEFLATE application/json
                </IfModule>
            </IfModule>
        </IfModule>
        ###########################
        # end of copied .htaccess #
        ###########################
    </Directory>
</VirtualHost>
</IfModule>
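As an added illustration that is not part of the question or the answer: a small Python model of the rewrite chain from the .htaccess above, showing why the question's <Location "/webhook/bitbucket"> never sees the webhook request (it is re-evaluated as /index.php after the internal redirect) while the answer's Require expr on the un-rewritten /index.php/webhook/bitbucket path, protected by the [END] guard, does. The function names are mine and the model assumes a root install (empty BASE).

```python
import re

# Constructed model of the rewrite rules quoted on this page. It is not Apache;
# it only reproduces the rules that decide the fate of the webhook request,
# using full URIs where the real per-directory rules see the path relative
# to satisfy/public. BASE is empty for an install at the document root.
WEBHOOK = "/index.php/webhook/bitbucket"
FRONT_CONTROLLER_RE = re.compile(r"^/index\.php(/(.*)|$)")

def rewrite(uri, existing=("/index.php",), guard=False):
    """Return (kind, uri) as seen by authz once mod_rewrite has run.

    kind: 'pass'     - no rewrite, original URI kept
          'internal' - internal redirect; Apache re-runs the request (and its
                       <Location>/<Directory> authz) with the new URI
          'redirect' - external 301 to the returned URI
    """
    # Answer's guard: RewriteCond %{REQUEST_URI} "=/index.php/webhook/bitbucket"
    #                 RewriteRule .* - [END]
    if guard and uri == WEBHOOK:
        return ("pass", uri)
    # RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]  (first pass only)
    m = FRONT_CONTROLLER_RE.match(uri)
    if m:
        return ("redirect", "/" + (m.group(2) or ""))
    # RewriteCond -s/-l/-d, favicon.ico, robots.txt -> RewriteRule .? - [L]
    if uri in existing or uri in ("/favicon.ico", "/robots.txt"):
        return ("pass", uri)
    # RewriteRule .? %{ENV:BASE}/index.php [QSA,L]
    return ("internal", "/index.php")

def location_matches(location, uri):
    """<Location> prefix match on a path-segment boundary."""
    return uri == location or uri.startswith(location + "/")

def decision_original(request_uri):
    """Question's vhost: <Location "/"> needs Basic auth, <Location "/webhook/bitbucket"> grants."""
    kind, seen = rewrite(request_uri)
    if kind == "redirect":
        return "301 -> " + seen
    # the later, more specific <Location> wins, but only if it still matches the rewritten URI
    return "granted" if location_matches("/webhook/bitbucket", seen) else "401 basic auth"

def decision_answer(request_uri):
    """Answer's vhost: Require expr on the un-rewritten webhook URI plus the [END] guard."""
    kind, seen = rewrite(request_uri, guard=True)
    if kind == "redirect":
        return "301 -> " + seen
    return "granted" if seen == WEBHOOK else "401 basic auth"
```

Without the guard, a request for /index.php/webhook/bitbucket would first be 301-redirected to /webhook/bitbucket and then rewritten to /index.php, which is why the answer needs both the RewriteRule with [END] and the Require expr.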