I have an Apache server where authentication is required, but there are some calls that need to be allowed for all.
One of these calls is based on a query string, for example:
/foo/api.php?Token=123&Task=DoStuff&Result=json
I thought that this would work with a LocationMatch, so I worked out this configuration:
<LocationMatch ^/foo/api.php\?.*(Task=DoStuff).*>
Order Allow,Deny
Allow from All
</LocationMatch>
But this doesn't let me pass the authentication (meaning I get a 401).
If I just filter ^/foo/api.php I get past the authentication, but this isn't strict enough.
Does anyone have any idea how to configure this to check the Task parameter in the query string?
For authentication we are using Kerberos; this is forced on the whole site.
This is our conf for kerb:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory /var/www/html>
Options FollowSymLinks
AllowOverride All
AuthType Kerberos
Require valid-user
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms FOO.LOCAL
KrbServiceName HTTP/server.foo.local@foo.LOCAL
Krb5KeyTab /etc/httpd/conf/http.keytab
Satisfy Any
Order deny,allow
Deny from all
Allow from 192.168.72.90
Allow from 192.168.72.91
Allow from 192.168.72.94
Allow from 192.168.72.95
Allow from 127.0.0.1
</Directory>
As you can read here:
The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch>
Apache directives allow us to apply authentication/authorization to
specific patterns of resources with a high degree of specificity, but
do not give us that control down to the query-string level.
Therefore, you have to use mod_rewrite to achieve your goal.
For example:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]
<LocationMatch ^/foo/api.php>
Order allow,deny
Allow from env=no_auth_required
AuthType Basic
AuthName "Login Required"
AuthUserFile /var/www/foo/.htpasswd
require valid-user
Satisfy Any
</LocationMatch>
UPDATE
You've stated that:
If I just filter ^/foo/api.php I get past the authentication, but
this isn't strict enough.
Then, try adding the following rows to your configuration:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]
<LocationMatch ^/foo/api.php>
Order allow,deny
Allow from env=no_auth_required
</LocationMatch>
There's an easier way to do this without the rewrite.
You can use LocationMatch to match up to the QUERY_STRING, and then use an If block to match the contents of QUERY_STRING, i.e., something like this:
<LocationMatch "^/foo/api.php">
<If "%{QUERY_STRING} =~ /.*Task=DoStuff.*/" >
Order Allow,Deny
Allow from All
</If>
</LocationMatch>
We can't use <If %{QUERY_STRING} /a=b/>; it is not supported by Apache < 2.4.
RewriteEngine On
RewriteCond %{QUERY_STRING} test=ok
RewriteRule ^/ - [E=checkParamTest:1]
<LocationMatch "^/">
Order allow,deny
Allow from env=checkParamTest
Satisfy any
</LocationMatch>
<Location />
AuthType openid-connect
Require valid-user
...
</Location>
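
A way to check the query-string patterns used in the answers above before relying on them to exempt requests from authentication, as an added example that is not part of the original posts: it compares the unanchored `Task=DoStuff` match with an anchored pattern and with a check on the parsed parameters. `ANCHORED`, `strict_single_task` and the sample query strings are assumptions constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re
from urllib.parse import parse_qsl

# Pattern as written in the RewriteCond / <If> examples above: a substring match.
LOOSE = re.compile(r"Task=DoStuff")

# Assumption (not from the page): require Task=DoStuff to be a whole parameter,
# delimited by the start/end of the query string or by '&'.
ANCHORED = re.compile(r"(?:^|&)Task=DoStuff(?:&|$)")


def strict_single_task(query: str) -> bool:
    """True only if the query has exactly one Task parameter and it is DoStuff.

    Hypothetical application-side check: the regex sees the raw query string,
    while the PHP script sees parsed parameters, so the two can disagree.
    """
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "Task"]
    return values == ["DoStuff"]


# Constructed sample query strings (not taken from the original page).
SAMPLES = [
    "Token=123&Task=DoStuff&Result=json",  # the intended unauthenticated call
    "Token=123&Task=DoStuffMore",          # other task sharing a prefix
    "Token=123&SubTask=DoStuff",           # other parameter sharing a suffix
    "Task=DoStuff&Task=Other",             # repeated parameter; PHP keeps the last
    "Token=123&Task=Other",                # must stay behind authentication
]


def evaluate(query: str):
    """Return (loose, anchored, strict): whether each check exempts the request."""
    return (
        bool(LOOSE.search(query)),
        bool(ANCHORED.search(query)),
        strict_single_task(query),
    )


if __name__ == "__main__":
    print(f"{'query':40} loose anchored strict")
    for q in SAMPLES:
        loose, anchored, strict = evaluate(q)
        print(f"{q:40} {loose!s:5} {anchored!s:8} {strict}")
```

The anchored pattern can be dropped into the `RewriteCond` or `<If>` expression in place of the bare `Task=DoStuff`; the repeated-parameter case can only be settled by the script itself, since it is the one that decides which `Task` value it acts on.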