Apologies, I sent the wrong config. Here is the WORKING config (except for the
location restriction of 127.0.0.1 for the REST directory).
Any help with this would be appreciated! :-)
> <VirtualHost *:80>
> # Plain-HTTP front door: everything arriving here is sent to the TLS vhost on
> # port 4431 by the RewriteRule below, so no RT content is served over HTTP.
> ServerName sub.domain.tld
>
> RewriteEngine On
> #RewriteLog /var/log/httpd/modrewrite_log
> #RewriteLogLevel 9
>
> RewriteCond %{HTTP_HOST} sub.domain.tld [NC]
> RewriteCond %{SERVER_PORT} 80
> # The substitution carries a scheme and host, so mod_rewrite issues an external
> # (302) redirect even without an [R] flag; [R=301,L] would make it permanent
> # and stop further rule processing.
> RewriteRule ^/(.*) https://sub.domain.tld:4431/$1
> </VirtualHost>
>
> # Non-standard HTTPS port; must match the redirect target above.
> Listen 4431
> <VirtualHost *:4431>
> ServerName sub.domain.tld
>
> # TLS for the whole vhost. Basic auth below sends credentials base64-encoded,
> # so this is what keeps user passwords off the wire between browser and Apache.
> # No SSLProtocol/SSLCipherSuite appear in this vhost, so the build's defaults
> # apply unless set at server scope (not visible here).
> SSLEngine On
> SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
> SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
> # Standard mod_ssl workaround for old Internet Explorer shutdown behaviour.
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> AddDefaultCharset UTF-8
>
> # One directive, wrapped by the mail client: in the real file FastCgiServer
> # and its -processes/-idle-timeout options are on a single line.
> FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5
> -idle-timeout 300
>
> # Static images are served directly; listed before the catch-all ScriptAlias
> # so mod_alias matches them first. Everything else goes to the FastCGI app.
> Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
> ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
>
> DocumentRoot /opt/rt4/share/html
> # LDAP-backed Basic auth for everything under /opt/rt4 (Apache 2.0 mod_auth_ldap
> # directive names, matching the 2.0.63 version quoted in the original mail).
> <Directory /opt/rt4>
> AuthType Basic
> AuthName "Request Tracker Login"
>
> AuthLDAPEnabled on
> AuthLDAPAuthoritative on
>
> # Wrapped by the mail client; the URL is one line in the real file.
> # The scheme is ldap://, not ldaps://, so the simple binds that verify each
> # user's password travel unencrypted between this host and host.domain.local
> # unless TLS for mod_auth_ldap is configured at server scope (not visible here).
> # In the filter, (objectClass=*) matches every entry, so the
> # (objectCategory=Person) branch is redundant: any directory object with a
> # matching sAMAccountName can authenticate. Tighten the filter to user objects
> # if that is not intended.
> AuthLDAPUrl
> "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
> AuthLDAPBindDN
> "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
> # Bind password is stored in cleartext in this file (masked in the mail);
> # keep the file readable by root and the server user only.
> AuthLDAPBindPassword **********
>
> Require valid-user
> </Directory>
> # URL-based access control. Satisfy Any means a request passes if EITHER the
> # env-keyed Allow below OR the Require valid-user above is satisfied, so any
> # request whose URI matches the SetEnvIf pattern bypasses LDAP entirely, from
> # any client address. That is exactly the gap described at the top of the
> # thread: the pattern is keyed on Request_URI only and never consults
> # Remote_Addr. A second SetEnvIf on Remote_Addr, or a nested <Location> for the
> # REST path with its own Allow from 127.0.0.1, is the usual direction — untested
> # here, to be confirmed against this Apache version.
> # The regex is anchored only on the left and followed by (.*), so it also
> # matches any path that merely begins with /NoAuth or /REST/1.0/NoAuth, not
> # just those directories; "^/(NoAuth|REST/1.0/NoAuth)(/.*)?$" would be stricter.
> <Location />
> Order deny,allow
> Deny from all
> SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
> Allow from env=allow
> Satisfy Any
> # ExecCGI and the fastcgi handler apply to every URL under /, not only the
> # script path.
> Options +ExecCGI
> AddHandler fastcgi-script fcgi
> </Location>
> </VirtualHost>
Sent from my iPad
Begin forwarded message:
> From: Thomas Smith <[email protected]>
> Date: October 5, 2011 2:44:42 PM PDT
> To: [email protected]
> Subject: Configuration issue allowing unauthenticated access from 127.0.0.1
> to a single directory within a password-protected directory structure
>
> Hi,
>
> I'm configuring the Request Tracker to use Apache authentication. I've
> had RT running for quite a few years, but (up to this point) only
> using its internal database for authentication.
>
> Software:
> * CentOS 4.8
> * Apache 2.0.63
> * RT 4.0.2
> * mod_fastcgi 2.4.6
>
> I created a Directory directive for /opt/rt4 that enables the LDAP
> authentication. This works really well but breaks RT's mail-gateway
> functionality (because that script is unable to perform
> authentication). I used a SetEnvIf parameter to exclude the two
> directories from authentication and it worked well (only the REST
> directory is required for the mail-gateway to work, though). However,
> the RT developers recommend restricting access to the mail-gateway to
> 127.0.0.1, as it's used to inject tickets, via email, into RT's
> database--I haven't been able to get this to work. I've tried a number
> of combinations of Directory, Files, and Location directives without
> any success. Here's a sanitized version of my Apache config for this
> virtual host (a working configuration without the above-mentioned
> 127.0.0.1 restriction):
>
>
> <VirtualHost *:80>
> # Plain-HTTP front door: all requests are redirected to the TLS vhost on 4431.
> ServerName sub.domain.tld
>
> RewriteEngine On
> #RewriteLog /var/log/httpd/modrewrite_log
> #RewriteLogLevel 9
>
> RewriteCond %{HTTP_HOST} sub.domain.tld [NC]
> RewriteCond %{SERVER_PORT} 80
> # Scheme and host in the substitution make this an external redirect even
> # without [R]; [R=301,L] would make it permanent and final.
> RewriteRule ^/(.*) https://sub.domain.tld:4431/$1
> </VirtualHost>
>
> # Non-standard HTTPS port; must match the redirect target above.
> Listen 4431
> <VirtualHost *:4431>
> ServerName sub.domain.tld
>
> # TLS for the vhost; the Basic auth below relies on it to protect credentials
> # between browser and server.
> SSLEngine On
> SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
> SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
> # Standard mod_ssl workaround for old Internet Explorer shutdown behaviour.
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> AddDefaultCharset UTF-8
>
> # Single directive wrapped by the mail client; one line in the real file.
> FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5
> -idle-timeout 300
>
> # The images Alias is listed first so it wins over the catch-all ScriptAlias,
> # which routes every other URL to the FastCGI script under /opt/rt4/sbin.
> Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
> ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
>
> DocumentRoot /opt/rt4/share/html
> # NOTE(review): this is the earlier version the sender later described as the
> # wrong config; the reply at the top of the thread moves the env-based Allow
> # into a <Location /> section instead of the Directory sections used here.
> <Directory /opt/rt4>
> AuthType Basic
> AuthName "Request Tracker Login"
>
> AuthLDAPEnabled on
> AuthLDAPAuthoritative on
>
> # Wrapped by the mail client; one line in the real file. The scheme is ldap://,
> # not ldaps://, so user binds travel unencrypted to host.domain.local unless
> # TLS for mod_auth_ldap is configured at server scope (not visible here).
> # The filter's (objectClass=*) branch matches every entry, so any object with a
> # matching sAMAccountName can authenticate, not only Person objects.
> AuthLDAPUrl
> "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
> AuthLDAPBindDN
> "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
> # Cleartext bind password in the config file (masked in the mail); restrict
> # file permissions accordingly.
> AuthLDAPBindPassword **********
>
> Require valid-user
>
> # Allow anyone access to the "/NoAuth" location.
> # With Satisfy Any, a URI matching this pattern skips Require valid-user from
> # any client address; the pattern never consults Remote_Addr, which is the
> # 127.0.0.1 restriction the mail is asking for. The regex is left-anchored and
> # followed by (.*), so it also matches paths that merely begin with these
> # prefixes, not only the two directories.
> SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
> Order deny,allow
> Allow from env=allow
> Satisfy Any
> </Directory>
> # Directory sections match filesystem paths: with / ScriptAlias'd into
> # /opt/rt4/sbin, this section presumably governs only files actually served
> # from share/html (the images Alias above) — confirm. It denies every host and
> # carries no Allow of its own; how that merges with the parent's Allow and
> # Satisfy Any is version-dependent, and the top-of-thread reply replaces it.
> <Directory /opt/rt4/share/html>
> Order deny,allow
> Deny from all
>
> # ExecCGI and the fastcgi handler are scoped to this directory here; the later
> # config applies them to every URL via <Location />.
> Options +ExecCGI
> AddHandler fastcgi-script fcgi
> </Directory>
> </VirtualHost>
>
> Can someone help me get my desired configuration to work? I've been
> playing around with it for hours and haven't had any success.