Posted to users@httpd.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2016/07/18 18:10:12 UTC

[users@httpd] Location location location

All,

I have a long-standing configuration for a private server where all
users must authenticate against our LDAP server. Something like this:

<Location "/">
  AuthType Basic
  Require ldap-group mygroup
</Location>

I'm trying to use certbot to get a TLS certificate for this domain
from Let's Encrypt, and I'm having trouble getting LE access to the
server: I keep getting "401 Authentication Required" responses.

I changed the configuration to the following:

<Location "/.well-known/">
  Order allow,deny
  Allow from all
  Require all granted
</Location>
<Location "/">
  AuthType Basic
  Require ldap-group mygroup
</Location>

And restarted. My LDAP stuff still works, but I can't access the
"/.well-known/" URL space without authenticating.

I don't have any other authentication-related items in this VirtualHost.

I believe by putting the exception-Location first in the configuration
file, I should be able to trump the general configuration affecting
the "/" URL-space, right?

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Location location location

Posted by Vincent Veyron <vv...@wanadoo.fr>.
On Mon, 18 Jul 2016 14:28:32 -0400
Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> Hmm... it seems I'm running Apache 2.2.22 with whatever Debian has
> back-ported to it (I assumed it was 2.4, since we have that deployed
> nearly everywhere these days). Does that change the incantation I need
> to replace the "Require" directive in the .well-known Location?

I would say so, I had to add 'Require all granted' to my configuration files when I upgraded from 2.2 to 2.4

(can't check though, as I don't have 2.2 on hand any more)

-- 
Best regards, Vincent Veyron

https://marica.fr/
Management of insurance claims, litigation files and contracts for the legal department


Re: [users@httpd] Location location location

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Eric,

On 7/18/16 2:12 PM, Eric Covener wrote:
> On Mon, Jul 18, 2016 at 2:10 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
>> I believe by putting the exception-Location first in the
>> configuration file, I should be able to trump the general
>> configuration affecting the "/" URL-space, right?
> 
> 
> Matching location sections get merged together in the order they 
> appear.  Meaning the 2nd is applied on top of the 1st.
> 
> For authorization, the default is to replace.  Meaning your
> override should be 2nd.
> 
> You might have some addl complexity by using the compat module for 
> Order here. I would avoid it!

I tried:

<Location "/">
 Require ldap-group
</Location>

<Location "/.well-known/">
 Require all granted
</Location>

... and I'm still getting 401 responses. :(

(In fact I tried it before posting, 'cause I didn't want to make an
idiot of myself for not trying an obvious alternative!).

Hmm... it seems I'm running Apache 2.2.22 with whatever Debian has
back-ported to it (I assumed it was 2.4, since we have that deployed
nearly everywhere these days). Does that change the incantation I need
to replace the "Require" directive in the .well-known Location?

-chris


Re: [users@httpd] Location location location

Posted by Eric Covener <co...@gmail.com>.
On Mon, Jul 18, 2016 at 2:10 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> I believe by putting the exception-Location first in the configuration
> file, I should be able to trump the general configuration affecting
> the "/" URL-space, right?


Matching location sections get merged together in the order they
appear.  Meaning the 2nd is applied on top of the 1st.

For authorization, the default is to replace.  Meaning your override
should be 2nd.

You might have some addl complexity by using the compat module for
Order here. I would avoid it!
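
The ordering rule from the reply above, written out as a configuration sketch (an added example, not part of the thread and not any poster's actual configuration). The LDAP URL, group DN and realm name are placeholders; the exemption is narrowed to `/.well-known/acme-challenge/`, the path ACME HTTP-01 validation requests, and the 2.2 branch uses the `Satisfy Any` idiom, which the thread does not mention.

```apache
# Added example. Hostnames, DNs and the realm name are placeholders.
# <IfVersion> requires mod_version to be loaded.

# General rule FIRST: the whole site requires LDAP group membership.
<Location "/">
    AuthType Basic
    AuthName "Private"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid"
    Require ldap-group cn=mygroup,ou=groups,dc=example,dc=invalid
</Location>

# Exception SECOND: matching <Location> sections are merged in file order,
# so this section is applied on top of "/".
<IfVersion >= 2.4>
    # 2.4: authorization from an earlier section is replaced, not combined,
    # by default (AuthMerging Off), so this overrides the ldap-group rule.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</IfVersion>

<IfVersion < 2.4>
    # 2.2: "Require all granted" does not exist. With Satisfy Any a request
    # is admitted when EITHER the host-based Allow rule OR the inherited
    # Require passes, so no credentials are demanded under this path.
    <Location "/.well-known/acme-challenge/">
        Order allow,deny
        Allow from all
        Satisfy Any
    </Location>
</IfVersion>
```

After a reload, an unauthenticated request under the challenge path should return 200 or 404 while a request for `/` still returns 401. Keeping the exemption to the challenge directory, rather than all of `/.well-known/`, leaves every other URL behind the LDAP requirement.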
