On Thu, Jul 11, 2019 at 6:55 PM Graham Leggett <minf...@sharp.fm> wrote:
>
> Hi all,
>
> I am having an odd case where my reading of the docs and httpd itself aren’t
> matching and I’m stumped as to why.
>
> I have a config like this (unrelated directives chopped for clarity):
>
> SSLVerifyClient optional
> <Location /jira>
> <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} ==
> 'GENEROUS’">
> # cert + group member? you can come in
> require ldap-group xxx
> </If>
> <Else>
> # no cert, go away
> require all denied
> </Else>
> </Location>
> <LocationMatch
> ^\/jira\/servicedesk\/customer\/portal\/3\/(.+)\/unsubscribe(.*)>
> # cert or no cert, let them in
> require all granted
> </LocationMatch>
>
> When I try and use the following URL that should be matched by LocationMatch,
> the “require all denied” wins, which has me stumped.
>
> https://[server]/jira/servicedesk/customer/portal/3/ENQUIRY-5/unsubscribe
>
> What am I missing?
>
> Does the use of If affect this in some way?
Yes, definitely.
- the location* are processed in config order.
- if/else directives are added to the dirconf
- `require all granted `is merged into empty authz_core (or whatever)
module config
- ifwalk walks <if> sections
- either of the if/else `require` directives have to be merged into
the current authz_core dirconf
Maybe some always-true <if> would get the `require all granted` to be
merged in last when the locationmatch has it active.
--
Eric Covener
cove...@gmail.com
