Apache Friends Support Forum

[Snoopy87]

Hi,

I have a clean Windows and XAMPP installation. I'm using openHAB. Because openHAB doesn't support Authentication and SSL, I'm using Apache to handle this.

After many hours of work I got everything working exception one thing...

What I want:

1.) localhost, IP/Hostname of Server or my dyndns domain should redirect to openHAB Web UI with SSL and Basic Auth -> That's working!
2.) https://ip/test/ instead should open C:\xampp\htdocs\test\index.php without Basic Auth and only from a specific IP -> That's NOT working!

My httpdc-vhosts.conf:

Code: Select all

<VirtualHost *:80>   
   Alias /.well-known/acme-challenge/ C:/xampp/htdocs/.well-known/acme-challenge/
    <Directory "C:/xampp/htdocs/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
   ProxyPreserveHost On
   ServerName XXX.XXX.XXX

    # Cross-Origin Resource Sharing
    Header add 'Access-Control-Allow-Origin' '*'
    Header add 'Access-Control-Allow_Credentials' 'true'
    Header add 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'
    Header add 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH'

   ProxyTimeout 3600
    RequestHeader unset Authorization
    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
   Header add Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure" 
     
    Alias /test C:/xampp/htdocs/test
   
    <Directory C:/xampp/htdocs/test/>
        Options Indexes
        AllowOverride AuthConfig Limit
        Order deny,allow
        Deny from all
        Allow from x.x.x.x 
    </Directory> 

    ProxyPass /test !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
   
    <Location />       
        Require expr %{REQUEST_URI} =~ m#^/test/.*#
        Header add Authorization ""           
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName  "Username and Password Required"
        AuthUserFile C:\xampp\apache\conf\extra\.htpasswd
        Require valid-user
    </Location>
   
    SSLCertificateFile C:\Certbot\live\xxxxxxx\cert.pem
    SSLCertificateKeyFile C:\Certbot\live\xxxxxxx\privkey.pem
    SSLCertificateChainFile C:\Certbot\live\xxxxxxx\chain.pem
</VirtualHost>


I tried so many things. I tried Allow,Deny, I tried require ip, I tried it with .htaccess file. No matter what I do, https://server/test/ is always available for ANY ip, instead of only the specified ip.

Any ideas?

[Nobbie]

Code: Select all

AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"

<RequireAny>
    Require ip 1.2.3.4
    Require valid-user
</RequireAny>

Should do it.

P.S.: In case i did not get it right, you can also define an ALIAS for test (different to DocumentRoot), and put the Authorization and Require valid-user into <Directory> for DocumentRoot, but not in test. Instead Require Ip x,x,x,x in test.

[Snoopy87]

Thanks, but this still not works.

If found out, if I remove this:

Code: Select all

<Location />       
        Require expr %{REQUEST_URI} =~ m#^/statechanger*#
        Header add Authorization ""           
        AuthType Basic
        AuthName  "Username and Password Required"
        AuthUserFile C:\xampp\apache\conf\extra\.htpasswd
        Require valid-user
    </Location>


Everything is working fine (require ip, deny, .htaccess, etc.), except that Basic Auth is then missing for openHAB. So that's why this Location Node is neccessary, but I don't understand why allo from, deny from, require ip and .htaccess is ignored for "/test/" and why it is working when the Location Node is removed.

[Nobbie]

In case i did not get it right, you can also define an ALIAS for test (different to DocumentRoot), and put the Authorization and Require valid-user into <Directory> for DocumentRoot, but not in test. Instead Require Ip x,x,x,x in test

And DO NOT put the Alias Test folder as a subfolder to DocumentRoot. For example, simply use "ALIAS test c:/xampp/test" or similar.

[Snoopy87]

I'm using openHAB, which comes with it's own webserver running on Port 8080. openHAB doesn't support authentication and doesn't support SSL.

That's why I'm using Apache and ProxyPass.

openHAB is running on http://localhost:8080

What I want is:

Opening https://mydomain.com/ to have access to the openHAB Web UI (localhost:8080) with SSL and Basic Auth. This should not be restricted to specific IPs.

This is working with the VirtualHost config I posted in the first post.

Now I want to have a PHP script, which should be called by https://mydomain.com/test/.
I don't want to have Basic Auth for this script. But I only want to have access to this script from a specific IP.

[Nobbie]

I would use TWO VirtualHosts instead of one.

1) openhab.mydomain.com for openHAB
2) mydomain.com for your olocal PHP scripts

or mydomain.com for openHAB and maybe test.mydomain.com for your PHP scripts.

Thats far easier to configure, Otherwise you have to try with LocationMatch and newest PCRE syntax (since Apache 2,2);

Code: Select all

<VirtualHost *:443>
        ServerName mydomain.com

        SSL Engine on
         .... certificate stuff here

        AuthType Basic
        AuthName  "Username and Password Required"
        AuthUserFile C:\xampp\apache\conf\extra\.htpasswd

        DocumentRoot "c;/xampp/htdocs"
        <Directory "c:/xampp/htdocs">
        ..... your Options etc.
        </Directory>

        <LocationMatch "/test">
                Require Ip x.x.x.x
       </LocationMatch>

        <LocationMatch "^(?!/test)/[^/]*">
                Require valid-user
               
                ProxyPreserveHost On
                ProxyPass / http;//localhost:8080/
                ProxyPassReverse / http;//localhost:8080/         
        </LocationMatch>
</VirtualHost>

[Nobbie]

Just found out that since Apache 2.4 the super powerfully new syntax of if / else etc. is applied. You can evaluate lots of vairables like REQUEST_URI and place your configuration there:

Code: Select all

    <If "%{REQUEST_URI} =~ "^/test/">
        Require ip x.x.x.x
    </If>
    <Else>
        AuthType Basic
        AuthUserFile/web/.htpasswd
        AuthName "Test Site"
        Require valid-user

       ... and her the ProxyPass etc.
    </Else>

See https://httpd.apache.org/docs/2.4/expr.html

[Snoopy87]

I have only a dyndns domain, so no possibility for different subdomains or domains, but your hint with IF / ELSE was awesome! No it is working! Thank you so much!

[Nobbie]

I do also have a dyndns Domain and i have plenty of subdomains. That is not a problem at all.

But if you are happy with the current solution, you may keep it. I only wonder, what are you doing if (for example) openHAB offers scripts in a test folder?!