On 12 Jul 2019, at 09:10, Ruediger Pluem <rpl...@apache.org> wrote:

> Given Eric's comments, what about:
>
> SSLVerifyClient optional
> <Location /jira>
>   <If "%{REQUEST_URI} =~'^\/jira\/servicedesk\/customer\/portal\/3\/(.+)\/unsubscribe(.*)'">
>     require all granted
>   </If>
>   <ElseIf "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
>     # cert + group member? you can come in
>     require ldap-group xxx
>   </ElseIf>
>   <Else>
>     # no cert, go away
>     require all denied
>   </Else>
> </Location>
The expression syntax for regexes isn't that clear in the docs (the examples are too trivial to be useful); what eventually worked was this:

    <If "%{REQUEST_URI} =~ m#^\/jira\/servicedesk\/customer\/portal\/3\/(.+)\/unsubscribe(.*)#">
      require all granted
    </If>

The next step is to attack the Directory/DirectoryMatch problem, and this one I'm also struggling to make work.

    Alias /storage /home/${HOST}/storage
    <Directory /home/${HOST}/storage>
      Dav on
      Options +Indexes
      SSLVerifyClient optional

      # first, handle cert auth or basic auth...
      <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
        SSLUserName SSL_CLIENT_CERT_RFC4523_CEA
        AuthLDAPBindDN xxx
        AuthLDAPURL xxx
        AuthLDAPRemoteUserAttribute inetSubscriberAccountId
      </If>
      <Else>
        AuthBasicProvider ldap
        AuthType basic
        AuthName "Storage"
        AuthLDAPBindDN xxx
        AuthLDAPURL xxx
      </Else>

      # ...then apply authz
      <If "%{REQUEST_FILENAME} =~ m#^/home/${HOST}/storage/atlassian/jira-home#">
        require ldap-group xxx
      </If>
      <ElseIf "%{REQUEST_FILENAME} =~ m#^/home/${HOST}/storage/home/(?<USER>[^/]+)#">
        <RequireAll>
          require valid-user
          require expr %{env:MATCH_USER} == %{REMOTE_USER}
        </RequireAll>
      </ElseIf>
      <Else>
        require valid-user
      </Else>
    </Directory>

Getting rid of DirectoryMatch above and consolidating everything into one directory and a series of If/Else sections, we have the config above. The first If/Else declares that users must be grabbed from the cert if present, or from basic auth if absent. The second set of If/ElseIf/Else says that if you're part of the ldap-group you can see the jira stuff (this works), if the username you logged in as matches the directory path you can come in (this doesn't work), and the third part says that otherwise, if you are a valid-user, you can see everything else (this works).

Most specifically, when you try to access /home/${HOST}/storage/home/, which should not match the regex, for some reason it does match the regex and the config applies (and fails).
Then, if you try to access /home/${HOST}/storage/home/minf...@sharp.fm/, which definitely matches the regex, the request fails as follows:

    [Fri Jul 12 15:17:27.304567 2019] [authz_core:debug] [pid 172949:tid 140637026383616] mod_authz_core.c(820): [client x] AH01626: authorization result of Require valid-user : granted
    [Fri Jul 12 15:17:27.304573 2019] [authz_core:debug] [pid 172949:tid 140637026383616] mod_authz_core.c(820): [client x] AH01626: authorization result of Require expr %{env:MATCH_USER} == %{REMOTE_USER}: denied (no authenticated user yet)

What's confusing me is that "require valid-user" works, but then directly afterwards the expression fails, saying the user that one line before had been authenticated now isn't authenticated, and that's not making sense.

Regards,
Graham
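The following is an added reference model of the three-tier policy in the Directory block above; it is not httpd code and is not part of Graham's or Ruediger's messages. It re-implements the If/ElseIf/Else decisions in plain Python so that each branch can be checked against sample paths before debugging the live server. The value of ${HOST}, the group name "jira-admins" (standing in for the "xxx" ldap-group) and the sample requests are constructed placeholders; the two regexes are the ones from the config, with Python's (?P<name>...) spelling for the named group that the config reads back as MATCH_USER.

```python
"""Reference model of the storage authorization policy from the thread.

Added example, not httpd code: the If/ElseIf/Else block is re-implemented
in plain Python so the intended decisions can be checked against sample
paths. HOST, JIRA_GROUP and the sample requests are constructed stand-ins.
"""
import re

HOST = "example-host"                      # stand-in for ${HOST}
STORAGE_ROOT = f"/home/{HOST}/storage"
JIRA_GROUP = "jira-admins"                 # stand-in for the 'xxx' ldap-group

# First <If>: the Jira home tree, restricted to one LDAP group.
JIRA_RE = re.compile(rf"^{re.escape(STORAGE_ROOT)}/atlassian/jira-home")
# <ElseIf>: per-user trees; the named group plays the role of MATCH_USER.
USER_DIR_RE = re.compile(rf"^{re.escape(STORAGE_ROOT)}/home/(?P<USER>[^/]+)")


def matched_user(filename):
    """Value the config expects in %{env:MATCH_USER}, or None when the
    per-user regex does not match. A bare .../storage/home/ request does
    not match here, because [^/]+ needs at least one character."""
    m = USER_DIR_RE.match(filename)
    return m.group("USER") if m else None


def authorize(filename, remote_user, groups=frozenset()):
    """Decide like the Directory block; returns (granted, reason).

    remote_user is None when no authentication has succeeded, i.e. the
    'no authenticated user yet' state seen in the authz_core log lines.
    """
    if JIRA_RE.match(filename):
        # require ldap-group xxx
        if remote_user is None:
            return False, "jira-home: no authenticated user"
        if JIRA_GROUP in groups:
            return True, "jira-home: ldap-group granted"
        return False, "jira-home: not a group member"

    owner = matched_user(filename)
    if owner is not None:
        # <RequireAll>: valid-user AND MATCH_USER == REMOTE_USER
        if remote_user is None:
            return False, "per-user dir: no authenticated user"
        if owner == remote_user:
            return True, "per-user dir: owner matches REMOTE_USER"
        return False, f"per-user dir: owner {owner!r} != {remote_user!r}"

    # <Else>: require valid-user
    if remote_user is None:
        return False, "no authenticated user"
    return True, "valid-user"


def run_cases():
    """Constructed requests covering each branch and its edge cases."""
    cases = [
        (f"{STORAGE_ROOT}/atlassian/jira-home/dbconfig.xml", "alice", {JIRA_GROUP}),
        (f"{STORAGE_ROOT}/atlassian/jira-home/dbconfig.xml", "bob", set()),
        (f"{STORAGE_ROOT}/home/alice/notes.txt", "alice", set()),
        (f"{STORAGE_ROOT}/home/alice/notes.txt", "bob", set()),
        (f"{STORAGE_ROOT}/home/alice/notes.txt", None, set()),
        (f"{STORAGE_ROOT}/home/", "alice", set()),          # no user segment
        (f"{STORAGE_ROOT}/shared/readme.txt", "carol", set()),
        (f"{STORAGE_ROOT}/shared/readme.txt", None, set()),
    ]
    return [(f, u, *authorize(f, u, g)) for f, u, g in cases]


if __name__ == "__main__":
    for filename, user, granted, reason in run_cases():
        verdict = "GRANT" if granted else "DENY "
        print(f"{verdict} {user!s:6} {filename}  ({reason})")
```

The model makes two points explicit that the log lines hide: the per-user branch is only reached when the named group actually captured something, and an unauthenticated request is denied in every branch, so a "denied (no authenticated user yet)" verdict for the expression means the decision ran without a REMOTE_USER, not that the owner comparison failed.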