
Protected Directories Access Control Bypassed When Using Proxy #967

Open
KrisKnez opened this issue Nov 22, 2024 · 3 comments

Comments

@KrisKnez

KrisKnez commented Nov 22, 2024

Description

When enabling "Protected Directories," an .htaccess file is automatically created in the specified directory. The file typically contains the following rules:

```apache
AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
AuthType Basic
AuthName "Entire website"
require valid-user
<Files .htpasswd>
    deny from all
</Files>
```

The credentials for authorized users are stored in the .htpasswd file. This setup works as intended until a proxy is configured for the website. When the proxy settings are added to the virtual host (vhost) file, the .htaccess rules are bypassed and no longer enforced.

Steps to Reproduce

  • Create an "Entire website" directory protection via Web Configuration -> Protected Directories.
  • Proxy the website using Web Configuration -> Edit Proxy Website.
  • Observe that basic-auth password protection is no longer being applied to the website.

Expected Behavior

Access control should be enforced regardless of whether a proxy is configured for the website.

Actual Behavior

The .htaccess file is bypassed, allowing unrestricted access to the protected directory.

@jcameron
Collaborator

I'm not sure if we can fix this unfortunately, as in Apache the .htaccess file only applies to access to content in that directory.

@KrisKnez
Author

KrisKnez commented Nov 23, 2024

> I'm not sure if we can fix this unfortunately, as in Apache the .htaccess file only applies to access to content in that directory.

This issue can be addressed by transferring the directives from the .htaccess file into the virtual host (vhost) configuration file.

For instance, consider a .htaccess file located in the root directory with the following content:

```apache
AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
AuthType Basic
AuthName "Entire website"
require valid-user
<Files .htpasswd>
    deny from all
</Files>
```

These directives can be migrated into the vhost configuration as shown below:

```apache
...
# Password Protect While Proxying
<Location "/">
    AuthUserFile "/home/krisknez/public_html/.htpasswd"
    AuthType Basic
    AuthName "Entire website"
    require valid-user
</Location>
<Files .htpasswd>
    deny from all
</Files>
...
```

What do you think about this?
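To make the two comments above concrete, here is a complete vhost, written as an added example rather than code from the issue or from Virtualmin, that shows why the `.htaccess` protection disappears once `ProxyPass` is in place and how the `<Location>` form closes the gap. A proxied request is handed to the backend by mod_proxy without ever being mapped to a filesystem directory, so per-directory `.htaccess` files are never consulted; a `<Location>` block is merged from the vhost for every URL and its `Require` check runs before the proxy handler does. The backend address, `ServerName`, and file paths are assumptions for illustration.

```apache
# Added example (not from the issue or from Virtualmin). Backend port and
# paths are assumptions; adjust them for the real deployment.
<VirtualHost *:443>
    ServerName app.example.com

    # Weak form (the behaviour reported in the issue): the proxy alone.
    # Every request goes straight to the backend; the .htaccess in
    # public_html is never read because no request maps to that directory.
    #   ProxyPass        / http://127.0.0.1:3000/
    #   ProxyPassReverse / http://127.0.0.1:3000/

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # Hardened form: authentication attached to the URL space instead of a
    # directory, so it is evaluated for proxied requests as well.
    <Location "/">
        AuthType Basic
        AuthName "Entire website"
        AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
        Require valid-user
    </Location>

    # Never serve the credential file itself, should it ever be reachable.
    <Files ".htpasswd">
        Require all denied
    </Files>
</VirtualHost>
```

`Require all denied` is the Apache 2.4 spelling of the `deny from all` used in the issue's snippet; the older form still works only when mod_access_compat is loaded. After reloading, `curl -sI https://app.example.com/` should return `401` with a `WWW-Authenticate: Basic` header for every path, including ones the backend serves, and `curl -u user:pass -sI https://app.example.com/` should return the backend's response. The `.htpasswd` file is created with `htpasswd -c` (add `-B` for bcrypt hashes on 2.4). As the next comment notes, this only helps if whoever manages the domain is allowed to edit the vhost, since `.htaccess` was the mechanism that kept that edit out of the global config.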

@jcameron
Collaborator

Yes, that would work. However, it requires giving the domain owner permissions to edit the global Apache config, whereas the .htaccess files can be safely owned by the Unix users who own each domain.
