Basic Auth not supported in Location directive for rewritten url?

[data303]

I tried to activate auth basic for a virtualhost "Location" directive for virtual url, but it is not working. The same settings on a "Location" directive which points to a directory works fine. I am using lsws 5.2.8 on CentOS 7. No errors found in the apache error log. Browser cache deleted and re-startet, no luck.Any hints what I could try?

• domain.com/shop/test --> authentication dialogue pops up
  
• domain.com/shop/backend --> authentication dialogue does not appear

here the example settings of my virtualhost and the .htaccess file. I also tried with Location "/shop/backend/" (foreward slash at the end), but it did not help either.
I assume it has something to do with the combination of Location and that URL which it should protect get forwarded to a rewrite which is based in the .htaccess file.

# WORKING "/shop/test" is a directory
<Location "/shop/test">
   AuthType Basic
   AuthName "test1"
   AuthBasicProvider file
   AuthUserFile "/var/www/vhosts/system/domain.com/pd/.htpasswd"
   Require valid-user
</Location>

# NOT WORKING "shop/backend" is a virtual url which get rewritten to shopware.php (see .htaccess  file)
<Location "/shop/backend">
   AuthType Basic
   AuthName "test2"
   AuthBasicProvider file
   AuthUserFile "/var/www/vhosts/system/domain.com/pd/.htpasswd"
   Require valid-user
</Location>

this is the original .htaccess file provided by shopware which is located at the "/shop/" (/var/www/vhosts/domain.com/httpdocs/shop) directory of this vhost.

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteRule shopware.dll shopware.php
   RewriteRule files/documents/.* engine [NC,L]
   RewriteRule backend/media/(.*) media/$1 [NC,L]

   RewriteCond %{REQUEST_URI} !(\/(engine|files|templates|themes|web)\/) 
   RewriteCond %{REQUEST_URI} !(\/media\/(archive|banner|image|music|pdf|unknown|video)\/)
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule ^(.*)$ shopware.php [PT,L,QSA]

   # Fix missing authorization-header on fast_cgi installations
   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
 </IfModule>

 

[mistwang]

According to Apache documentation, authentication related directive only available in directory and .htaccess.
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
Not allowed in <Location> context.

 

[data303]

This is not correct, please read the the definition of a "directory" context carefully.

https://httpd.apache.org/docs/2.4/mod/directive-dict.html#Context

directory
A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, <If>, and <Proxy> containers in the server configuration files, subject to the restrictions outlined in Configuration Sections.

For examples, please refer also to here from the official apache 2.4 docs
https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html

<Location "/secure">
   AuthType basic
   AuthName "private area"
   AuthBasicProvider  dbm
   AuthDBMType        SDBM
   AuthDBMUserFile    "/www/etc/dbmpasswd"
   Require            valid-user
</Location>

I see this still as a "compatibility issue" for LSWS and should be investigated. Please let us know when you think to add it on your roadmap.

 

[mistwang]

You are right, looks like our misunderstanding, it will be fixed in next release build.